22 May 2017

SSP application systems security assessment and vulnerability mitigation

Type of document: Contract Notice
Country: United States

SSP application systems security assessment and vulnerability mitigation

Department of the Navy

Official Address:
Strategic Systems Programs
1250 10th Street , SE, Suite 3600
Washington, DC DC 20374-5127

Zip Code:

Lucas M. Medlock, Contract Specialist, Phone 2024338403, Email lucas.medlock@ssp.navy.mil – Bina Russell, Contract Specialist, Phone 2024338404, Email bina.russell@ssp.navy.mil


Date Posted:


Contract Description:

“MARKET RESEARCH” N00030-18-Q-0003

This is a SOURCES SOUGHT notice. This notice is NOT a Request for Proposal (RFP). No solicitation exists at this time. The Strategic Systems Programs (SSP) seeks a Firm-Fixed-Price (FFP-LOE) type contract with a Certified Women Owned Small Business (WOSB) for subject matter expertise regarding the SSP application systems security assessment and vulnerability mitigation. The applicable NAICS code for this requirement is 541511- Custom Computer Programming Services.
The assigned NAICS code is one in which the Small Business Administration (SBA) has determined that WOSB concerns are substantially underrepresented in Federal procurement, as specified on the SBA’s Web site at and as further defined in FAR Subpart 19.15 – Women-Owned Small Business Program. Therefore, SSP is hereby requesting only qualifying WOSBs (including Economically Disadvantaged Women-Owned Small Business (EDWOSB) concerns) respond to the following market research tool for the collection and analyses of information to determine WOSB/EDWOSB’s capability to provide the Security Assessment and Vulnerability Mitigation Service Requirement based on the description of the requirement provided below.

PURPOSE OF NOTICE: The Sources Sought is being used as a Market Research tool to determine potential sources prior to determining the method of acquisition and issuance of a possible RFP. The Government is not obligated and will not pay for any information received from potential sources as a result of this notice. We are only requesting capability statements from potential contractors at this time.

Responders should indicate which portions of their response are proprietary and should mark them accordingly. Failure to provide a response does not preclude participation in any possible future competitive RFP for which a business is eligible to participate in, if any is issued. It is the responsibility of the interested businesses to monitor the FEDBIZOPS website for additional information pertaining to any potential acquisition and provide security clearances, if necessary, to perform the statement of work (SOW).

REQUIREMENT: The Strategic Systems Programs (SSP) Chief Information Officer (SPCIO) is seeking responsible, single, integrated vendor sources to support all actions associated with maintaining mission assurance and providing security vulnerability mitigation for five SSP Application systems. Potential sources must possess an understanding of the architecture and have experience with the technologies used for the five SSP specific application systems listed below:

1) SSP Enterprise Archives Service (SEAS) application – SEAS is SSP’s web based records management system utilizing networked document scanners. It allows the SPHQ and PMO offices to archive both paper and electronic financial records and official correspondence. SEAS was developed using Java, Apache Struts/Tiles framework, JSP technology and Oracle Database.
2) Contract Action Tracking System Web (CATS Web) application -CATS Web is the Contract Branch Action Tracking System. This system allows SSP’s contracting branch to document and track their action routing process and validate required contract artifacts for each procurement. The new CATS Web architecture includes Java, STRUTS and J2EE components as well as Oracle database.
3) HEAT trouble ticketing system – HEAT Software is a COTS product and is used for the management of SSP’s IT helpdesk tickets. HEAT was customized to work with SSP’s business processes. It uses Microsoft SQL Server and Heat’s administration suite of tools. This application is used by the SPHQ Helpdesk as well as the SSP Program Management Offices.
4) SSP Logistics Planning System – The Logistics Planning application is primarily used to gather raw data for the production and publication of SSP’s annual budget/planning document. This application is used by SSP to plan for their current and future program resource allocations. The application was converted from a standalone PowerBuilder system to a web based application currently operational on the Navy’s classified network. SSP’s web based Logistics Planning System was developed using Java Framework and Oracle database.
5) Quality and Reliability Information Management System (QRIMS) – QRIMS is a report processing application hosted at SSP and sponsored by the SSP Navigation branch for use by external contractors to track trouble and failure reports, corrective action reports as well as trouble failure repair and return reports and preventative maintenance action reports. QRIMS was developed using Struts 2 MVC framework and Oracle database.

The security management of these applications shall require detailed knowledge and a thorough understanding of the SSP information systems’ business, data, applications and technical architecture. The contactor must provide subject matter expertise for the above application systems in the following areas:

1. Transitioning of applications from the DIACAP Certification and Accreditation Process to the DoD Risk Management Framework (RMF)
2. Information Security assessments, mitigation and control monitoring
3. Application development framework
4. Library dependency End-of-Life management
5. Vulnerability monitoring and mitigation
6. Security Penetration testing and remediation
7. Structured security patch management
8. Application unit testing, integration testing, and automated code review testing
9. Re-factoring and patching of source code, unit tests and integration tests
10. Database schema design and configuration changes
11. Application release and deployment management
12. System audit logs analysis
13. Port and Protocol management
14. Maintaining application configuration management data in accordance with the Software Configuration Management Plan for SSP Enterprise Applications

The above application security management actions require detailed knowledge and experience using specific technologies, interfaces, development and scripting languages, Software Development Life-Cycle (SDLC) processes and tools. The contractor shall have experience and maintain skills proficiency in the key subject areas required to perform the security management actions, which include:

1) OpenText Livelink application Programming Interface (API)
2) Hewlett Packard Digital Sender workflow programming
3) HEAT trouble ticketing system database configuration and administration
4) Business Process definition and analysis using BPMN 2.0
5) Fusion Charts reports (using XML, HTML5 and JavaScript)
6) DoD Records Management application design standards
7) Development languages & interfaces: Java, Apache Struts, Apache Tiles, PL/SQL, iText, XML, HTML5, JavaScript, CSS, SVG, UML, LDAP, SMTP
8) SDLC Tools: PortsWigger Burp Suite, Enterprise Architect UML, Eclipse IDE, JIRA Issue & Project Tracking, Subversion Revision Control, Unit Test, Code overage, automated Code Review
9) DoD Information Assurance Certification and Accreditation Processes (DIACAP) and DoD Risk Management Framework (RMF)
10) Public Key Infrastructure (PKI)
11) XML Digital Signature Programming
12) Common Access Card (CAC) authentication
13) Cryptography protocols and their usage
14) Security threat modeling and mitigation strategies
15) HTTPS Web session monitoring

Potential contractor must possess a complete understanding of SSP’s information systems environment and must have demonstrated knowledge and experience working with the Navy accreditation processes for the SPCIO’s application systems. Potential contractor’s proposed staff must be fully DOD 8570 compliant and have a complete understanding of DISA Security Technical Implementation Guidelines (STIG) and Security Requirements Guides (SRG) for hardware, software, and applications.

PERIOD OF PERFORMANCE: The current proposed period of performance is estimated to be one base year plus four (4) option years.

RESPONSE DEADLINE: Interested sources shall submit a capability package by COB February 6, 2017 (10 pages or less) containing: 1) company name and address, 2) company point of contact, 3) email address, 4) phone number, 5) specifics addressing the work listed above including a current list of related past performance within the past 5 years. Proposed contractor must have a Secret Facility clearance.

Electronic responses are acceptable if prepared in Microsoft 2007 compatible format. Email electronic responses to Lucas Medlock (email:lucas.medlock@ssp.navy.mil) and Bina Russell (email: bina.russell@ssp.navy.mil) with “Sources Sought” in the subject line of the email.

Primary Point of Contact: Contract Specialist
Lucas Medlock

Alternate Point of Contact: Contract Specialist
Bina Russell

Response Date:

Sol Number: