VA Enterprise Cloud Operational Tools and Support …



Technical Requirements

Cloud Management Platform (CMP)

The CMP solution shall provide the capability to dynamically provision and monitor system usage and incorporate processes that allow for the full resiliency of the VA enterprise-level hybrid cloud solution, which includes both private and public/government cloud environments. The solution shall be secure and scalable on an enterprise level across multiple geographically diverse data centers, and may consist of one or more tools/components.

Gartner defines Cloud Management Platforms as “… integrated products that provide for the management of public, private and hybrid cloud environments. The minimum requirements to be included in this category are products that incorporate self-service interfaces, provision system images, enable metering and billing, and provide for some degree of workload optimization through established policies. More-advanced offerings may also integrate with external enterprise management systems, include service catalogs, support the configuration of storage and network resources, allow for enhanced resource management via service governors and provide advanced monitoring for improved ‘guest’ performance and availability.”

The proposed CMP solution shall satisfy all mandatory requirements listed in Table 1 below. Additional VA desired CMP requirements can be found in Appendix A.1.

Table 1: Mandatory CMP Requirements
Requirement ID – Requirement Detail

Service Request Management. Service Request Management includes the self-service interface used by VA EC users and administrators to configure and consume cloud services.
Self Service Portal
- The CMP shall have self-service capability that covers all CMP functions (orchestration, capacity management, and lifecycle management).
- The CMP shall perform all self-provisioning functions from a web-based UI, fully compatible with the specific operating systems and web browsers utilized within VA (for the list of VA-authorized systems, see the VA Technical Reference Model).
- All CMP self-service and administrative capabilities shall be available via a GUI and through an API.
- The CMP shall perform automated request fulfillment with or without requiring intervention of VA administrators.
- The CMP shall require an approval/rejection decision based on RBAC for non-standard object offerings (e.g., a VM with additional memory, CPU or storage).
- The CMP shall provide the ability to schedule automated request fulfillment procedures.
- The CMP shall allow the cloud consumer to request the customized provisioning of any object (for example, virtual storage volumes, VMs and VSs) defined inside the CMP service catalog and exposed by the CMP self-service portal through appropriate permissions.
- The CMP shall allow customizing selected objects, after provisioning, by changing their virtual hardware configuration or by extending their capabilities through additional catalog objects.
- The CMP shall provide real-time or e-mailed reporting on provisioning status (for example, approved, canceled, queued, waiting for approval and in progress), including request data and history.
- The CMP shall provide real-time or e-mailed reporting on change request status.
- The CMP shall provide the ability to create and edit local user accounts at each CSP.

Service Catalog
- The CMP shall support, via a web-based administrative interface, a Service Catalog for ordering services across all CSPs that are part of the VA ECE.
- The CMP-based service catalog shall include object cost, a pricing model, and currency definition.
- The CMP service catalog must update the CMP CMDB to reflect any change (for example, addition/removal and modification) occurring inside the software library.
- The CMP-based service catalog shall allow the tenant’s administrators to define and modify access permissions for catalog objects based on LDAP (Microsoft Active Directory group membership and user role).
- The CMP-based service catalog shall include links to SLA definitions by each individual CSP in the VA EC environment.
- The CMP-based service catalog shall include the ability to search/query by provider, user or region.

Provisioning, Orchestration, and Automation. Provisioning, Orchestration, and Automation includes orchestrating and automating the cloud services and resources in accordance with defined policies for all VA Enterprise Cloud components.

Provisioning
- The CMP shall include the ability to provision core services (compute, block storage, and networking) under the following CSPs/VM standards: Amazon Web Services (AWS), Microsoft Azure, OpenStack, and VMware.
- The CMP shall be capable of provisioning across CSPs in a hybrid cloud environment.
- Core Services Updates: The CMP shall include the ability to be updated to support the latest release of services from underlying CSPs that are part of the VA ECE environment.
- The CMP shall include the ability to be extended to support additional CSPs.
- The CSP API and SDK shall be periodically updated so that users can consume newly released cloud services through the GUI or programmatically, and so that the product can integrate with a wide variety of new products and services in the cloud ecosystem.

Automated Provisioning
- The CMP shall include capabilities for using pre-defined provisioning procedures/routines that are carried out without requiring further human intervention for:
  - Computing resources
  - Storage resources
  - Network capabilities (including VLANs, VPNs, load balancers, and adding firewalls between VMs)
  - Multiple Virtual Local Area Networks (VLANs) per CSP environment
  - Other cloud native services (not compute, network, or storage)
- The CMP shall support automated hybrid cloud provisioning, extending the Automated Provisioning functions noted above across more than one cloud environment deployment (for example, private and public).
- The CMP shall be able to configure requirements for subnets and firewalls.
- The CMP shall include the ability to automate actions based on custom, user-defined policies.
- The CMP shall include the ability to change or require workflow actions.

Service Templates/Orchestration
- The CMP shall provide a web-based administrative interface for management of service templates supporting the automated arrangement, coordination, and management of computer systems and services (orchestration).
- The CMP shall provide an internal service template capability (blueprints).
- The CMP shall include support for software provisioning, configuration management, and application deployment script languages, including:
  - Support for Chef
  - Support for Puppet
  - Support for Ansible
- The CMP shall provide for auto-scaling and load balancing configurations in service templates.

Infrastructure Monitoring and Metered Usage. Infrastructure Monitoring and Metered Usage includes monitoring the use of the VA EC resources at levels below the application.

Monitoring
- The CMP shall monitor and report on location, status, security, and performance for all provisioned objects, showing infrastructure-level performance indicators (e.g., CPU usage, network and storage input/output [I/O], network traffic).
- The CMP shall monitor performance of an instance or service.
- The CMP shall maintain a log of platform status, security, and performance.

Reporting and Alerting
- The CMP shall feature a web-based dashboard showing both near-real-time and historic performance for any given catalog object and cloud infrastructure component.
- The CMP shall display reports on virtual environment status, performance, and security, including infrastructure-level and application-level performance metrics where available.
- The CMP shall be able to raise informational, warning or critical alerts when monitored metrics surpass assigned static or dynamic thresholds for both predefined and custom metrics.
- The CMP shall be able to deliver performance warnings through multiple media, including console alerts and e-mails.
- The CMP shall allow external reporting vendors access to its back-end database to collect custom reports via an API, or allow exporting all or selected data in delimited or structured formats (e.g., CSV, XML, JSON).
- The CMP shall include the ability to report network performance and latency.
- The CMP shall include the ability to generate a report of performance, forecast, spend and policy requirements.
- The CMP shall include the ability to detect an unauthorized change to a service.
- The CMP shall include the ability to create a policy to restart images based on a custom, user-defined alert.
- The CMP shall include the ability to create alerts for planned or unplanned provider downtime.

Governance, Policy, and API Management. Governance, Policy, and API Management includes policy enforcement and governance and the management of automation policies that allow automatic responses to conditions in the VA EC.
Governance & Policies
- The CMP shall provide the ability to apply policy and governance over orchestration.
- The CMP shall provide for the automated discovery of services provisioned in managed CSPs outside of the CMP.
- The CMP shall allow user-configurability of defined policies.
- The CMP shall provide for governance and policy application at the hybrid cloud level.

Programmable Interface
- The CMP shall allow for the automation of management tasks through scripting, supporting one or more of the following: REST, SOAP, XML, JSON, JavaScript and/or PowerShell.
- The CMP shall support management, orchestration and automation of the public and private cloud providers through their published API interfaces (e.g., REST API, API Gateway).
- The CMP shall support vendor-specific APIs such as the Amazon EC2 Web Services API, VMware’s vCloud API, Oracle Cloud API (based on the Sun Cloud API), Red Hat’s Deltacloud API, and Rackspace Cloud API.

Multi Cloud/Multi-Tenant Applicability
- The CMP shall support multiple tenants under a hybrid cloud deployment infrastructure.
- The CMP shall support deployment models including single tenant, peer tenant and multi/sub tenants, with flexible sharing capabilities between each tenant for maximum effectiveness.

Governance and Quota Management
- The CMP shall provide a mechanism to enforce user-defined usage limits.
- The CMP shall provide a mechanism to enforce governance across both public and private cloud providers used as part of the VA EC.
- The CMP shall include the ability to create or terminate instances across multiple CSP providers.
- The CMP shall include the ability to create policies based on reported security vulnerabilities.

Portability
- The CMP shall include the ability to orchestrate workloads across cloud service providers.

Interoperability & Connectors
- The CMP shall have a web-based administrative interface.
- The CMP shall support container-based technology (e.g., Docker).
- The CMP shall support external cloud service discovery.

Integration With 3rd Party Tools/Extensibility
- The CMP shall have an existing, defined, documented API.
- The CMP shall include a connector Software Development Kit (SDK).
- The CMP shall support integration with the following current VA tools:
  - Ticket Management & Help Desk System - CA Software
  - Security Tools - Nessus & Splunk
  - Identity & Access - Active Directory
  - SSL Certificate Management - VA SSL Certificate Manager
  - Configuration and Change Management - Microsoft System Configuration Manager (SCCM)
  - Intrusion Detection - McAfee
  - Windows & Linux Patching - BigFix
  - Scanning/Security Tools - OS & Application Level - Nessus
  - Web Application Firewall (WAF) - Imperva X6510
  - Intrusion Protection System (IPS) - Cisco SourceFire 3D8350
  - File Malware Protection System (MPS) - FireEye NX 10450
  - Visibility to Server (V2S) Toolset - IBM Endpoint Manager
  - Digital forensics investigation support - EnCase
  - BMC Atrium Discovery and Dependency Mapping (ADDM)
  - Network monitoring/analysis - CA Spectrum

Capacity and Resource Planning. Capacity and Resource Planning includes functions that monitor cloud resource use and inform VA management capacity optimization and planning functions.
- The CMP capacity management module must enforce tenant-level resource limits independently of the cloud resource pools assigned to a cloud tenant.
- The CMP shall include capabilities for cross-CSP capacity notification for all aspects of the virtual environment (compute, storage, network) with user-defined trigger values.
- The CMP shall provide for the definition and enforcement of tenant-level resource limits.
- The CMP shall allow administrators to define cloud resource pools.

Security and Identity Management. Security and Identity Management includes several functions related to cloud computing security and access.
Security
- The CMP, when deployed at a vendor location (for example, as SaaS), shall be FedRAMP certified and include recommended controls for a high sensitivity system as described in NIST SP 800-53.
- The CMP shall include the ability to provide support for vulnerability remediation to support FedRAMP-level continuous monitoring and compliance, based upon the latest edition of the FedRAMP Cloud Computing Security Requirements Baseline and FedRAMP Continuous Monitoring Requirements. See for further details.
- The CMP shall include built-in Platform Security, supporting a cross-cloud centralized security architecture.
- The CMP shall include support for Security Assertion Markup Language (SAML) version 2.0.
- Data in transit under control of the CMP shall be encrypted in accordance with FIPS 140-2.
- Data at rest under control of the CMP shall be encrypted in accordance with FIPS 140-2.
- The CMP shall integrate with VA directory services (e.g., Microsoft Active Directory).
- The CMP provisioning portal must ensure cloud consumers connect through a Secure Sockets Layer (SSL) channel.
- CMP administrators must be able to enforce an SSL connection as the standard connection channel to access the CMP provisioning portal.
- The CMP shall include security logging and auditing of administrative actions.

Identity and Access Management
- The CMP shall use multifactor authentication for access (e.g., via VA Personal Identity Verification (PIV) cards).
- The CMP shall support Level- or Role-Based Access Control (RBAC), based on an external directory service (e.g., VA Active Directory), and enable the configuration and management of each CSP’s RBAC model.
- The CMP shall support external cloud access management.
- The CMP shall provide access auditing and reporting, and must be able to log and audit all administrative changes performed across CMP modules and make collected logs available for review through the CMP logging and reporting facility.
- The CMP shall include the ability to notify/alert based on IAM events (such as login attempts and user/group creation).

Service Level Management. Service Level Management is the ability to manage the object life cycle and automated actions (workflows) based on triggering events in the VA EC hybrid cloud environment.

Lifecycle Management
- The CMP shall provide, via a web-based administrative interface, life cycle management functions for all objects, whether manually or automatically provisioned, for all components of the hybrid cloud environment.
- The CMP shall provide script management.
- The CMP shall provide object management (transfer/delegate ownership, tag, start/stop/suspend/resume, clone), including import, reconfiguration, and decommissioning/reclamation.
- The CMP shall include the ability to version and track configuration scripts.

Workflow Management
- The CMP shall allow administrators to define workflows.
- The CMP shall allow administrators to combine and sequence workflows.
- The CMP shall allow administrators to predefine automation policies.
- The CMP shall include a workflow library.
- The CMP shall provide workflow monitoring and debugging capabilities.
- The CMP shall support the development of predefined automation workflows.
- The CMP shall support workflow versioning and management.

Cost Transparency and Optimization. Cost Transparency and Optimization is the ability to provide tracking, budgeting and optimization of the cloud expenses for all VA ECE components.
Mandatory requirements in this category include:
- The CMP shall, via a web-based administrative interface, provide dynamic, graphical usage, consumption and cost reports across all instances over all CSPs in the VA ECE, to include:
  - Chargeback reporting
  - Cost reporting, including planned vs. actual
  - Budget quota reporting
  - Pricing models
  - Cost and consumption trends per tenant over user-defined time intervals
  - Forecasts/predictions of pending charges by user-defined time intervals
  - Minimum, maximum and average consumption across all instances
  - Allocated vs. used capacity
  - Pricing adjustments with timeframe granularity
  - Filter by bill/payment status, component (networking, storage and compute), application, user, group, line of business, region, project, time frame (daily, monthly and quarterly), provider or service
- The CMP shall support automated chargeback and show-back using custom object tagging based on user-specified metadata such as application, user, group, line of business, region, or project.
- The CMP shall include the ability to determine, estimate, and review/view spend amounts based on custom, user-specified metadata tags such as application, user, group, line of business, region, project, time frame, provider or service.
- The CMP shall include the ability to search/query bills by custom, user-defined metadata tags such as application, user, group, line of business, region, project, time frame, provider or service.
- CMP administrators leveraging per-object pricing shall be able to predefine a base price and a price increase for any additional resource unit (e.g., vCPU count, gigabytes of vRAM, number of cloud tenant networks) requested during the provisioning request customization phase, and view these as an itemized list.
- The CMP shall allow external billing system providers to pull chargeback/show-back for each object via export of financial data through an API.
- The CMP shall support a variety of cost/time allocation methods (per project, service contract, request).

Configuration and Change Management. Configuration and Change Management is the ability to handle and control changes to cloud configuration information for all VA ECE components. Mandatory requirements in this category include:
- The CMP shall provide a web-based administrative interface for object and software configuration and change management functions, including:
  - Defining and assigning compliance rules
  - Auditing configuration changes
  - Managing maintenance windows
  - Approving change requests
  - Reviewing real-time analytics and reporting
  - Managing OS, application and VM delivery
  - Managing OS and application configurations
  - Managing storage performance configurations
  - Managing network bandwidth configurations
  - Managing IP address management and DNS settings across all supported providers
  - Managing requirements for storage associated with applications: shared vs. local, capacity and HDD types (such as SSDs)
- The CMP shall provide infrastructure and application topology and configuration discovery services, reporting as a topology map.
- The CMP shall include CM compliance rule definition and assignment based on VA policies, standards, and government mandates (e.g., PHI, PII, PCI).
- The CMP shall include configuration compliance verification functions, specifically when importing pre-existing assets.
- The CMP shall include configuration change auditing (tracking and reporting) on any configuration change across components (network, storage and CPU) occurring at any level of the cloud infrastructure.
- The CMP shall provide asset, change, compliance and software distribution reporting.
- The CMP shall provide for configuration versioning.
- The CMP shall provide deployment orchestration (moving code from development, to test, to pre-prod, to production) functions.

Non-Functional Requirements (NFRs). Other mandatory requirements for a CMP for all VA ECE components include:

Robustness:
- The CMP (including all monitoring and governance functions), when deployed at a vendor location (for example, as SaaS), shall be robust, allowing for continuous High Availability (HA) operation.
- The CMP, when deployed at a vendor location (for example, as SaaS), shall include built-in support for Disaster Recovery (DR) of the CMP configuration, scripts, and all predefined procedures.

Platform:
- The CMP shall support multiple cloud service providers (CSPs), both private and public, operating in a hybrid cloud environment.
- The CMP shall support integration with the VA private cloud management system.
- The CMP shall support provisioning for current (and N-1) versions of:
  - Microsoft Windows Server
  - Red Hat Linux operating systems
  - VMware Cloud infrastructure
- The CMP shall support management of and reporting from the following hypervisors:
  - vSphere (VMware)
  - Hyper-V (Microsoft)
  - KVM or RHEV (OpenStack)
  - Xen (Citrix)
  - PowerVM (IBM)
- The CMP shall include a configuration management database (CMDB).
- The CMP shall support both IPv4 and IPv6 addresses on any defined VLANs.
- The CMP shall provide for regular patch management to keep up with changes to the underlying CSP APIs and other CSP changes.

Performance:
- The CMP shall be capable of scalable deployment.
- The CMP shall support a minimum of 10,000 managed objects.
- The CMP shall support a minimum of 25 concurrent administrators.
- The CMP shall support a minimum of 500 concurrent workflows.

Licensing:
- The CMP shall support license normalization (enterprise licenses).

508 Compliance:
- The CMP shall comply with Section 508 of the Rehabilitation Act of 1973.

Deployment:
- The contractor shall implement the CMP in accordance with the requirements specified in Sections 5.6-5.8 below.

Cloud Access Security Broker (CASB)

The CASB solution shall provide the capability to act as a control point to support continuous visibility, compliance, security and protection for cloud services. The solution will provide visibility into Shadow Information Technology (IT) services being accessed, enable security controls for sanctioned cloud services, and help satisfy Governance, Risk, and Compliance (GRC) requirements. The solution shall be secure and scalable on an enterprise level and provide extensions of traditional network security and secure web gateway security technologies, and may consist of one or more tools/components.

Gartner defines Cloud Access Security Brokers as “…on-premises, or cloud-based security policy enforcement points, placed between cloud service consumers and cloud service providers to combine and interject enterprise security policies as the cloud-based resources are accessed. CASBs consolidate multiple types of security policy enforcement. Example security policies include authentication, single sign-on, authorization, credential mapping, device profiling, encryption, tokenization, logging, alerting, malware detection/prevention and so on.”

The proposed CASB solution shall satisfy all mandatory requirements listed in Table 2 below. Additional VA desired CASB requirements can be found in Appendix A.2.
Table 2: CASB Mandatory Requirements
Requirements ID – Requirements Detail

Vendor Profile
- CASB solution shall provide coverage for the “Four Pillars of CASB” as defined by Gartner:
  - VISIBILITY: CASB solution shall be able to uncover Shadow IT usage by providing a complete view of all cloud applications in use within the enterprise.
  - THREAT PROTECTION: CASB solution shall be able to detect and prevent data exfiltration, insider threats, privileged user threats and compromised accounts.
  - COMPLIANCE: CASB solution shall enable the organization to achieve compliance with both internal policies and industry regulations, as well as enforce data loss prevention policies for data at rest and in motion.
  - DATA SECURITY: CASB solution shall be capable of protecting data with encryption to prevent unauthorized access stemming from a security breach or inadvertent disclosure.
- CASB solution shall be comprised of a single product and not rely on integration of multiple products to make up a CASB capability.
- CASB vendor shall ensure FedRAMP-level certifications for all SaaS products it owns, to support VA enterprise FISMA low, moderate and high cloud solution categorizations.

High Level CASB Solution Requirements
- CASB solution shall leverage the organization’s internal security stack (proxies, firewalls, DLP, SIEM).
- CASB solution shall store no organization-attributable data across its cloud services, such as SaaS, that support the VA enterprise cloud solution.
- CASB solution shall integrate with Active Directory to leverage the organization’s existing role-based user accounts and Organizational Units (OUs).
- CASB solution shall be capable of interfacing with firewalls and web proxies, enabling automation of policy enforcement changes for cybersecurity remediation.
- CASB solution shall support near real-time DLP policy scans for data stored inside the cloud provider.
- CASB solution shall be capable of identifying, with quarantine features and match highlighting, data in the cloud service, including the ability to review DLP violations without having to open/examine the offending file.
- CASB solution shall be capable of supporting bulk quarantined file management of data in the cloud service.
- CASB solution shall support rollback of DLP violations of data in the cloud service.
- CASB solution shall be capable of threat correlation inside cloud services, for example to detect and remediate high-risk user behavior indicative of insider threat.
- CASB solution shall be capable of providing User and Entity Behavior Analytics (UEBA) to identify anomalies and potential threats.
- CASB solution shall be capable of identifying and supporting commonly used cloud services and applets adopted by the organization.
- The contractor shall implement the CASB solution in accordance with the requirements specified in Sections 5.6-5.8 below.

Visibility

Cloud Registry:
- CASB solution shall maintain a robust cloud registry / cloud service application coverage of more than 20,000 cloud services using a 50-point risk score (consisting of at least 250 separate and individual attributes), covering at a minimum SaaS, PaaS and IaaS.
- CASB solution shall maintain at least 250 individual cloud service risk assessment attributes for each cloud service.
- CASB solution cloud registry shall be updated at least once a week to add new cloud services.
- CASB solution shall provide the ‘Last Verified’ date for each cloud service in the registry, so the organization can factor it into assessments of new cloud services.

Cloud Discovery:
- CASB solution shall have the ability to discover and report on commercial cloud use originating from within the organization’s networks through data collection and analysis of enterprise security logs, including, but not limited to, firewalls, NGFWs, web proxies, and SIEMs.
- CASB solution shall offer the capability to run on-demand or scheduled reports to include:
  - Discovery & Service Usage
  - Breaches & Vulnerabilities
  - Risk Assessment
  - User Activity
  - Services by Denied Percentage
  - Services by Access Count
  - Services by Allowed Percentage
  - Services by Inbound Data Traffic
  - Services with Breaches in the Last Year
  - New Services
  - CSP Data Between Dates
  - Services by Risk Score
  - Data Exfiltration
  - Services by Total Traffic Volume
  - Services by Outbound Data Traffic
  - Services by Number of Users
  - Top Users by Access Count
  - Services by Upload Data
- CASB solution shall have the capability to monitor and enforce policies by group and Organizational Unit (OU) for Active Directory, Azure Directory, and commonly used LDAP identity repository platforms.
- CASB solution shall provide visibility into enterprise usage of SaaS, IaaS, and PaaS applications hosted on AWS, Azure, Google Cloud, and other CSPs.
- CASB solution shall have the ability to discover custom cloud applications on IaaS services (AWS, Azure, Google Cloud, etc.) to track unapproved and rogue custom application development.
- CASB solution shall support continuous (24/7) ingest and analysis of enterprise firewall, web proxy, and SIEM log data to enable continuous, up-to-date visibility and monitoring of cloud services being accessed within the organization.
- CASB solution shall provide a way to obfuscate agency firewall log file fields for analysis in such a way that lets the agency view the de-obfuscated data when results are returned to the agency (e.g., data tokenization).
- CASB solution shall not require an agent or PAC file to be installed on devices used to access commercial cloud services.
- CASB solution shall support ingesting logs from multiple and commonly used firewalls, web proxies and security-based appliance sources.
- CASB solution shall support checksum routines to minimize unmatched uploads to cloud-based file sharing services and SFTPs.

Risk and Vendor Assessment:
- CASB solution shall allow the customer to see the scores for individual attributes (encryption, certification, breaches, etc.) that go into calculating the risk score for a cloud service.
- CASB solution shall issue an alert if the risk score of a cloud service used by the organization changes.

Cloud Machine-Based Policy Enforcement:
- CASB solution shall have the ability to automatically assign cloud services to service groups and enforce acceptable use policies such as blocking risky services.
- CASB solution shall interface with existing firewalls, proxies and security-based appliances to enable enforcement mode features in supporting machine-based policy enforcement for individual cloud services and service groups.
- CASB solution shall identify and support remediation of inconsistencies in the organization’s existing policy enforcement configurations for firewalls, proxies and security-based appliances.

Compliance

Data Loss Prevention (DLP) Policies
- CASB solution shall be capable of supporting enforcement of DLP policies on cloud data based on:
  - Data identifiers
  - Keywords
  - User groups
  - Regular expressions
- CASB solution shall support DLP fingerprinting of structured data (aka exact data matching).
- CASB solution shall support DLP fingerprinting of an unstructured data element such as a contract or source code, and detect if this data is leaving the organization.
- CASB solution shall offer pre-built templates to identify selected personally identifiable information (driver’s license, credit cards, SSN) and personal health information.
- CASB solution shall be capable of enforcing DLP policies in the following modes:
  - Data uploaded to the cloud
  - Data shared from cloud services
  - Data downloaded from the cloud
- CASB solution shall support enforcing DLP policies based on keywords or tags present in the following:
  - Document content
  - Document metadata
  - Email content/body
  - Email header
- CASB solution shall have the capability for an administrator to define roles that allow only selected users to perform the following actions:
  - Define and activate data loss prevention or compliance policies
  - Access and remediate policy violations
  - Manage (access/restore/delete) the quarantined files
- CASB solution shall utilize a natively built DLP engine.
- CASB solution shall be capable of integrating with existing on-premises DLP solution(s) to extend policies and remediation workflows to the cloud.
- CASB solution shall support DLP policy enforcement via the following modes:
  - Proxy
  - Cloud service APIs
- CASB solution shall be capable of scanning content already available in the cloud service (data at rest) based on selected DLP policies to detect violations such as upload of sensitive PII/PHI data.
- CASB solution shall be capable of enforcing policies on user groups discovered from directory services and cloud services.

DLP Policy Violations:
- CASB solution shall offer a single interface to view and take action on policy violations.
- CASB solution administrator shall have the ability to roll back an automatic remediation action to restore a file and its permissions.
- CASB solution shall allow for a tiered response to a violation based on its severity, such as alerting on low severity but blocking on high severity.
- When enforcing DLP policies via API, CASB solution shall be capable of detecting and flagging policy violations in under 2 minutes as a guaranteed SLA.
- CASB solution shall be capable of enforcing policies on collaboration actions for users and groups.
- CASB solution shall provide a collaboration summary which includes sharing with business partners, personal emails, and internal users.

Threat Protection

Activity Monitoring of Cloud Service Usage
- CASB solution shall provide an audit trail of all user and administrator activities within the cloud application.
- CASB solution shall be capable of exposing activity metadata and user agent, which can be used to perform advanced investigative workflows.
- CASB solution shall be capable of filtering user activity by:
  - Cloud service
  - Date range
  - Activity name
  - Activity category
  - User name
  - IP trust
- CASB solution shall be capable of feeding activity logs to a device such as a SIEM for integration and visualization via an automated syslog feed.
- CASB solution shall tokenize sensitive information such as user names, IP addresses, etc. in sanctioned CSP activity logs before storing it in the cloud.
- CASB solution shall offer monitoring and identification of activities across different device types such as mobile devices, personal computers, etc.
- CASB solution shall detect collaboration with external vendors using cloud-based file sharing services.
- CASB solution shall automatically ingest and categorize new activity types received from the cloud service providers.

Anomalies and Threats
- CASB solution shall be able to detect anomalies within cloud services and raise alerts based on:
  - User behavior (insider threats)
  - Location-based information
  - Privileged user activity
  - Data exfiltration
  - Compromised accounts
  - Malware
  - IP trust
- CASB solution shall detect compromised credentials based on information such as multiple login attempts, impossible cross-region access, and untrusted location access.
- CASB solution shall detect privileged user threats arising from excessive user permissions, zombie administrator accounts, inappropriate access to data and unwarranted escalation of privileges and user provisioning.
- CASB solution shall detect data uploads to unmatched malicious domains / IP addresses.
- CASB solution shall have the ability to identify stolen credentials from breached cloud services that are sold on the Darknet.

Incident Workflow
- CASB solution shall be capable of interfacing its incident workflow with commonly used enterprise IT ticketing platforms supporting corporate-wide problem and incident management processes.

Malware Controls
- N/A

Data Security

Contextual Access Control
- CASB solution shall be capable of enforcing policies based on the following contextual parameters:
  - User groups
  - Activity
  - Geography
  - File type and/or data identifiers
- CASB solution shall be capable of enforcing contextual controls on both mobile and desktop access.
- CASB solution shall be capable of enforcing controls to restrict activities such as upload, download, and sharing.
- CASB solution shall be capable of restricting cloud service access to include only corporate-approved devices.
- CASB solution shall be capable of enforcing granular device-based controls such as restricting read-only access to unmanaged or personal devices.

Encryption
- CASB solution shall support encryption of cloud data using customer-owned keys.
- CASB solution shall allow encryption of selected cloud data meeting specific criteria.
- CASB solution shall integrate with an existing Key Management Solution to support rotation of encryption keys.
- CASB solution shall encrypt existing data in the cloud as well as data uploaded on an ongoing basis.
- CASB solution shall support unstructured data encryption while preserving search capabilities.

Rights Management
- CASB solution shall be capable of applying Enterprise Digital Rights Management (EDRM) at the file level.

IaaS and Custom Apps Security

IaaS Security
- CASB solution shall discover usage across IaaS platforms such as AWS, Azure, Google Cloud and across hybrid cloud environments.
- CASB solution shall identify inactive IaaS user accounts so they can be deleted to reduce risk.
- CASB solution shall be capable of analyzing IaaS activities to identify threats associated with insiders, compromised accounts, and privileged users.
- CASB solution shall be capable of capturing an audit trail of all user and administrator activities on IaaS services.
- CASB solution shall be capable of applying the solution’s capabilities across more than one AWS (or IaaS) account.

Custom Apps Security
- CASB solution shall discover all custom apps built on IaaS platforms such as AWS, Azure, and Google Cloud.
- CASB solution shall be capable of detecting and mapping granular user activities such as sharing and deletion, in addition to standard activities like upload and download.
- CASB solution shall detect and map activities pertaining to object views, edits, and additions within a custom app.
- CASB solution
shall enforce access controls on custom apps based on contextual parameters such as device, location, user, activity.Platform and Integration ReportingIn support of enterprise agency incident response, CASB solution shall provide breach reports that include information on employee usage.CASB solution shall allow users to schedule reports to be periodically sent by email in selected formats (PDF, CSV, XLS).CASB solution shall provide reports detailing activities of high risk services and users that are showing suspicious behavior.IntegrationCASB solution shall integrate with Identity Management solutions to authenticate access to sanctioned cloud services.CASB solution shall be capable of ingesting logs from the following firewall vendors: - Palo Alto Networks- Juniper- Cisco- Barracuda Networks- Check Point- FortinetCASB solution shall be capable of ingesting logs from the following web proxies:- Blue Coat- ForcePoint / Websense- Zscaler- McAfeeCASB solution shall provide closed loop remediation capabilities with the following proxies, that allow automatic push of cloud service information to the proxies, so that the necessary controls can be enforced:- Blue Coat- Websense- McAfeeCASB solution shall provide log analysis capabilities for the following SIEMs:- ArcSight- Splunk- LogRhythm- Qradar- Dell SecureworksCASB solution shall integrate with Enterprise Mobility Management (EMM) or Mobile Device Management (MDM) solutions to enforce device based access controls, including:- VMware AirWatch- MobileIronUser ExperienceCASB solution shall provide different levels of access (Role Based Access Control [RBAC]) to the data and product capabilities based on the role assigned to the user by the admin:- Administrator- Executive- Governance/risk manager- Policy manager- Incident responderCASB solution shall interface with the identity management and privileged account management solutions for single sign-on access to user and administrator consoles.Application Program 
Interface (API) GatewayThe API Gateway solution shall provide a crucial layer of runtime API mediation and traffic monitoring. The solution shall be scalable on an enterprise level to multiple geographically diverse data centers, and may consist of one or more tools/components. It will provide security from authentication & authorization to threat protection (e.g. DOS, code injection, etc) The proposed API Gateway solution shall satisfy all mandatory requirements listed in Table 3 below. Additional VA desired API Gateway requirements can be found in Appendix A.3. Table SEQ Table \* ARABIC 3: API Gateway Mandatory RequirementsRequirements ID – Requirements DetailArchitectureThe solution shall be capable of supporting on-premises and/or cloud based installation: The solution shall be capable of supporting FedRAMP compliant Software as a Service or be hosted with a FedRAMP certified provider. The solution shall be capable of supporting on premise deployments operating in VMWare virtualized environments.The API Gateway solution shall support multi-CSP/region, multi-datacenter deployment.The solution shall be capable of supporting built in capabilities for Disaster Recovery (DRThe solution shall be capable of supporting multi-tenancy to allow different business units control of their API.The API solution shall be capable of supporting web based user/administrator interface that is compatible to current versions of Internet Explorer, Firefox, and Chrome web browsers.The solution shall be capable of interfacing with the following 3rd party tools used by VA: Ticket Management & Help Desk System - CA SoftwareSecurity Tools - Nessus & SplunkIdentity & Access - Active DirectorySSL Certificate Management – VA SSL Certificate ManagerConfiguration and Change Management – Microsoft System Configuration Manager (SCCM). 
- Intrusion Detection - McAfee
- Windows & Linux Patching - BigFix
- Scanning/Security Tools - OS & Applications Level - Nessus
- Web Application Firewall (WAF) - Imperva X6510
- Intrusion Protection System (IPS) - Cisco SourceFire 3D8350
- File Malware Protection System (MPS) - FireEye NX 10450
- Visibility to Server (V2S) Toolset - IBM Endpoint Manager
- Digital forensics investigation support - EnCase
- BMC Atrium Discovery and Dependency Mapping (ADDM)
- Network monitoring/analysis - CA Spectrum
- Security information and event management (SIEM) - IBM QRadar XX28
- Performance Monitoring - CA UIM
- SNMP network monitoring - SolarWinds
- McAfee ePolicy Orchestrator (ePO) - (Windows Only)
- McAfee Antivirus (AV) HIPS - (Windows Only)

Basic Gateway Functions
The solution shall be capable of streaming connections.
The solution shall be capable of supporting external DevOps toolchains / integration.
The solution shall be capable of supporting versioning of APIs.
The solution shall be capable of supporting rate limiting, quotas, and other tools to prevent Denial of Service attacks.
The solution shall be capable of supporting tagging and querying of data.
The solution shall be capable of supporting OpenAPI, REST, and SOAP based backend services.
The solution shall be capable of supporting credential mapping.
The solution shall be capable of supporting data format and message protocol translation:
- XML to JSON
- JSON to XML
- SOAP to REST
- REST to SOAP
The solution shall be capable of supporting data masking, filtering, and blocking.

Analytics
The solution shall be capable of supporting customizable alert-based thresholds on any selected metric for groups of APIs.
The solution's alerts shall be capable of being sent to external systems using standard interface protocols including SNMP.
The solution's alerts shall be capable of being sent to designated users via email or text messages.
The solution shall be capable of supporting the following reporting and alerting capabilities:
- Can display reports on platform status
- Can display reports on platform performance
- Can display reports on platform security
- Ability to configure alerting on service conditions

Security
The solution shall be capable of being configured to meet controls for a high sensitivity system categorization as described in NIST SP 800-53.
The solution shall be capable of supporting vulnerability remediation to support FedRAMP-level continuous monitoring and compliance.
The solution shall be capable of supporting Level or Role Based Access Control (RBAC).
The solution shall be capable of supporting Security Assertion Markup Language (SAML) version 2.0.
The solution shall be capable of supporting Open Authorization (OAuth) version 2.0.
The solution shall be capable of interfacing with LDAP and Active Directory.
The solution shall be capable of encrypting Data-In-Transit in accordance with FIPS 140-2.
The solution shall be capable of encrypting Data-at-Rest in accordance with FIPS 140-2.
The solution shall be capable of interfacing with VA Command Center's monitoring dashboards.
The solution shall be capable of supporting Secure Sockets Layer (SSL) connections.
The solution shall be capable of supporting security logging and auditing of administrative actions.
The solution shall be capable of supporting access auditing reporting.
The solution shall be capable of supporting multifactor authentication.

Non-Functional Requirements (NFRs)
Other requirements for an API Gateway for all VA Enterprise Cloud components include:
- 508 Compliance: The solution shall be capable of complying with Section 508 of the Rehabilitation Act of 1973.
- Implementation: The contractor shall be capable of implementing the solution in accordance with the requirements specified in Section 5.6-5.8 below.

Continuous Integration/Continuous Deployment (CI/CD) & DevOps
Continuous Integration (CI) involves integration testing every code change, and Continuous Delivery (CD) includes the ability to automatically deploy every change that passes the integration tests.
CI/CD also includes the capability of automating the process of adding code to a repository through deploying it as production code, supporting the DevOps goals of coordinating software development and IT operations. This section describes requirements for tools to support these goals. The proposed CI/CD & DevOps solution shall satisfy all mandatory requirements listed in Table 4 below. Additional VA desired CI/CD & DevOps requirements can be found in Appendix A.4.

Table 4: CI/CD & DevOps Mandatory Requirements
Requirements ID – Requirements Detail

Functional Requirements
Tool sets shall be capable of including a code repository.
Tool sets shall be capable of automating build capabilities with workflow to kick off automated testing.
Tool sets shall be capable of integrating and automating AWS, Azure, Google Cloud, and VMware resources.
Tool sets shall be capable of scripting the entire cloud environment from the networking layer to the application settings.
Tool sets shall be capable of supporting version control for all code and scripts.
Tool sets shall be capable of supporting development and automation of:
- Multiple OS environments including the last 2 major versions of:
  - Windows Server
  - Red Hat Linux
  - CentOS
- Web application
- Mobile application
  - iOS native code
  - Native Android code
- HTML5 code
- Java code
- Database development
  - Oracle
  - MySQL
  - Microsoft SQL
Tool sets shall be capable of providing issue and project tracking:
- Allowing for the creation of multiple projects
- Integrating with the build automation so that errors during the build automatically generate issues that are assigned to a group
- Allowing for the management of Kanban/Scrum boards

Security
Tool sets should be capable of supporting and interfacing with single sign-on capabilities.
Tool sets shall be capable of interfacing with LDAP and Active Directory.
Tool sets shall be capable of supporting security logging and auditing of administrative actions.
Tool sets shall be capable of supporting role based access control (RBAC).
Tool sets should be capable of supporting and interfacing with privileged account management tools.

Non-Functional Requirements (NFRs)
- 508 Compliance: The solution shall be capable of complying with Section 508 of the Rehabilitation Act of 1973.
- Implementation: The contractor shall be capable of implementing the CI/CD and DevOps tools in accordance with the requirements specified in Section 5.6-5.8 below.

VA Enterprise Cloud Operations Tools Implementation
The Contractor will be responsible for design and provisioning of required infrastructure for hosting all tools described in 5.2 through 5.5, to include:

Develop CONOPS
The Contractor shall prepare, working with VA ECE governance, VA IT, and Business Divisions as required, planning documents that support the VAEC Operational Tools requirements specified in Section 5.2 through 5.5. Tasks include:
- Develop, document and communicate an IT Tool Responsibility Model (RACI) for the in-scope cloud management tools as part of the CONOPS
- Develop and document a tools architecture overlay for enterprise cloud environments, including integration with other IT and cloud management tools
- Minimum qualifications and experience for key resources required to implement and operate the tool set, including product and vendor tool-set certifications
- Integration with enterprise VA tools including log and SIEM management, IdAM, etc.
Deliverables: VA Enterprise Cloud Operational Tools Concept of Operations (CONOPS) for each tool defined in 5.2-5.5 above

Install, Deploy and Configure Tool
The Contractor will be responsible for design and provisioning of required infrastructure for hosting all tools described in 5.2 through 5.5, to include:
- Use best practices based on:
  - VA-specific use cases
  - Industry and vendor recommended use cases and best practices based on VA requirements
- Establish and document baseline configurations.
  - Includes alignment with government and industry best practice configuration standards
- Develop tool installation architecture and design (server numbers, sizing, DR, HA, etc.) working with OIT/IO representatives; this needs to be approved by OIT/IO
- Document installation procedures (as part of an Installation Guide) to develop a Tools SOP for DR and on-going administration guides ("Run Books")
- Stand up required tools infrastructure based on the defined architecture and design. The tool software and the necessary licenses for deploying the solutions will be procured by the VA, while any additional licenses pertaining to DBMSs, SharePoint and operating systems will be procured by the Contractor
- Deploy and configure identified and vendor recommended customizations
- Develop a transition plan from the existing VA tool if appropriate
- Develop and execute test plans to ensure functionality and configuration of tools meet VA requirements, use cases and policies aligned with best practice configuration
  - Includes performance testing
  - Includes cybersecurity testing
  - Includes functional and workflow testing
  - Includes alert triggers and thresholds
  - Includes ticket generation testing for defined high fidelity alerts
- Ensure all tools are added to the VA Technical Reference Model (TRM)
Deliverables (one set for each of the tools defined in 5.2-5.5 above):
- Tool Installation Design/Process
- Administration Guide
- User's Guide
- Transition Plan [Optional]
- Test Plan/Report

Integrate with Other Operational Tools
The Contractor shall be required to integrate the VAEC Operational Tools described in 5.2-5.5 with 3rd party management tools via API and CLI. Specific integration targets (3rd party tools used by VA) include:
- Ticket Management & Help Desk System - CA Software
- Security Tools - Nessus & Splunk
- Identity & Access - Active Directory
- SSL Certificate Management - VA SSL Certificate Manager
- Configuration and Change Management - Microsoft System Configuration Manager (SCCM)
- Intrusion Detection - McAfee
- Windows & Linux Patching - BigFix
- Scanning/Security Tools - OS & Applications Level - Nessus
- Web Application Firewall (WAF) - Imperva X6510
- Intrusion Protection System (IPS) - Cisco SourceFire 3D8350
- File Malware Protection System (MPS) - FireEye NX 10450
- Visibility to Server (V2S) Toolset - IBM Endpoint Manager
- Digital forensics investigation support - EnCase
- BMC Atrium Discovery and Dependency Mapping (ADDM)
- Network monitoring/analysis - CA Spectrum
- Security information and event management (SIEM) - IBM QRadar XX28
- Performance Monitoring - CA UIM
- SNMP network monitoring - SolarWinds
- McAfee ePolicy Orchestrator (ePO) - (Windows Only)
- McAfee Antivirus (AV) HIPS - (Windows Only)
Deliverables: Integration Plan (Contractor format) for each of the tools defined in 5.2-5.5 above

Assessment & Accreditation
The Contractor shall successfully achieve and maintain full Assessment and Accreditation (A&A) certification for each of the VAEC Operation Tools specified in sections 5.2-5.5. This certification shall be in accordance with the guidance provided in VA Handbook 6500.6, Contract Security, Section 3, and VA Handbook 6500.3, Certification and Accreditation of VA Information Systems. VA follows National Institute of Standards and Technology (NIST) and Office of Management and Budget (OMB) policies and procedures concerning information system Assessment and Accreditation (A&A).
Prior to receiving any production VA data for use in the new solution, VA will request documentation through the Contracting Officer Representative (COR) to verify the security accreditation status of the vendor's solution. Documentation requested will include a system security plan (SSP), authority to operate (ATO) determination letter, or third party security accreditation (i.e. SSAE-16, DIACAP). VA is willing to accept 3rd party security accreditation if the standards used are consistent with VA Handbook 6500 (e.g. from DIACAP).
VA is also willing to accept ATOs granted by other federally appointed Designated Accrediting Authorities (DAA) as long as the ATO was issued consistent with the VA Handbook 6500 standards. Either case would typically warrant the creation of a Memorandum of Understanding (MOU) that articulates the expectations of each DAA to support reciprocity.
VA personnel will review applicable documentation consistent with VA's ATO Requirements Document to ensure the vendor meets VA's information security policies and standards before the system is authorized for use by VA employees and other associated entities. The VA COR will be informed of the A&A review results. Successfully meeting the A&A requirements will enable the system to be used in production. If security remediation action is required, this will be communicated to the Contractor through the VA COR; the Contractor will be required to resolve all outstanding issues related to receipt of an ATO.
The Contractor must have an approved ATO no later than 6 months from the date of award. Failure to achieve ATO could result in contract termination. [Include link to ATO process information.]
Specifically, the Contractor shall:
- Not comingle VA-owned data with non-VA data
- Develop and maintain a system A&A package. The Contractor shall be responsible for security control testing, as specified in VA's ATO Requirements Document, by an independent third party test organization as defined by NIST SP 800-37, Revision 1, in conjunction with the security controls in the High and Moderate impact baselines as defined in NIST SP 800-53, Rev. 4.
- Provide all system documentation required for certification as specified in VA Authority to Operate Requirements, and work with VA personnel to facilitate the successful completion of the A&A process and obtain an ATO.
The Certification Package shall consist of the following documents:
- System Security Plan (Guidance is found in NIST SP 800-18)
- Risk Assessment (Guidance is found in NIST SP 800-30 and by using the VA Risk Assessment Review Checklist)
- Signatory Authority (Guidance is found in NIST SP 800-18 and the Signatory Authority Template available on the CDCO Security Website). All package submissions must include this document signed and dated by the appropriate parties.
- Contingency Plan (Guidance is found in NIST SP 800-34 and VA Handbook 6500.8, Information System Contingency Planning)
- Incident Response Plan (Guidance is found in NIST SP 800-61, Computer Security Incident Handling Guide, and VA Handbook 6500). The Network Security Operations Center (NSOC) is responsible for National level tasks associated with incident response. Each site is responsible for developing local level procedures incorporating NSOC areas of responsibility. See the AITC Handbook 6500.02, following all items for which Enterprise Operations is responsible.
- Configuration Management Plan (Guidance is found in NIST SP 800-70, Checklists Program for IT Products – Guidance for Checklists Users and Developers, and VA Handbook 6500)
- Security Configuration Checklists (Guidance is found in NIST SP 800-70, Checklists Program for IT Products – Guidance for Checklists Users and Developers)
- System Interconnection Agreements (Guidance is found in NIST SP 800-47, Security Guide for Interconnecting Information Technology Systems, and VA Handbook 6500)
Deliverables: A. Assessment and Authorization Package per tool defined in 5.2-5.5 above

Validate Environment and Documentation
The Contractor shall provide an Environment Validation Report to document that all technical, functional, operational, and security requirements of Section 5.2 through 5.5 have been met.
The following elements shall be included in the Environment Validation Report:
- Technical: Network configurations of both DC and DR sites
- Functional: Validation of the Functional Requirements
- Operational:
  - Validation of the resource capacity
  - Verify Help Desk SOP is complete and provided to COR
  - Verify Disaster Recovery Plan is complete and provided to COR
  - Verify IT Contingency Plan is complete and provided to COR
  - Verify Backup and Retention Plan is complete and provided to COR
  - Verify 3rd-Party Management Tool Integration Plan is complete and provided to COR
- Security:
  - Verify Event Escalation Plan is complete and provided to COR
  - Verify Security CONOPS is complete and provided to COR
  - Verify Certification Package is complete and provided to COR
  - Verify all draft Architecture, Configuration and System artifacts associated with A&A activities are complete and provided to VA
  - Develop a Plan of Action and Milestones identifying security findings and vulnerabilities identified during the Assessment and Accreditation activities listed in 5.6.3
- Authorities to Operate:
  - Verify receipt of Authority to Operate for the environment at both the Primary and Secondary sites
Deliverables: Environment Validation Report (Contractor Format) for each tool defined in 5.2-5.5 above

Operational Acceptance
Operational Acceptance shall commence once the ATO submission has occurred, for a period of maximum 30 days. Operational Acceptance will only be provided after tool resources as defined in sections 5.2 through 5.5 have been provisioned and switchover testing (as applicable) has been completed. Switchover testing would include:
- Switchover of tools from DC to DR as per the defined RTO and RPO
- Switchover of tools from DR to DC as per the predefined RTO and RPO
- Complete Data Replication and Reverse Data Replication as per the RPO
- Fully functional tool operation while the DR site is operational, taking into consideration the end user experience
The Contractor must facilitate the Operational Acceptance Tests.
Operational acceptance tests will be performed by the VA; however, the Contractor will have to facilitate Operational Acceptance during commissioning of the system (or subsystem(s)), to ascertain whether the system (or major component of subsystem(s)) conforms to the scope of work. The Contractor must facilitate the testing of tools by VA users during the Operational Acceptance. Necessary support shall be provided by the tool vendor.
After the Operational Acceptance test has completed, the Contractor may give notice to the VA requesting the issue of an Operational Acceptance Certificate. The VA will:
- Issue an Operational Acceptance Certificate; or
- Notify the Contractor of any deficiencies or other reason for the failure of the Operational Acceptance Tests
Once deficiencies have been addressed, the Contractor shall again notify the VA, and the VA, with the full cooperation of the Contractor, shall use all reasonable endeavors to promptly carry out retesting of the System or Subsystem. Upon the successful conclusion of the Operational Acceptance Tests, the Contractor shall notify the VA of its request for Operational Acceptance; the VA shall then issue the Operational Acceptance to the service provider, or shall notify the Contractor of further deficiencies or other reasons for the failure of the Operational Acceptance Test.
If the System or Subsystem fails to pass the Operational Acceptance Test(s) after 3 unsuccessful attempts, the VA may consider terminating the Contract, and if the Contract is terminated any guarantees will be forfeited.

VA Enterprise Cloud Operations Tools Operations and Maintenance
The VA's objective is to leverage managed services to deliver improved services at or above defined service levels using a sustainable cost model. Therefore, the VA intends to procure a managed-service solution or solutions for managing the general functions required for all tools/tool suites described in 5.2 through 5.5.
Specifically, the Contractor shall provide services in accordance with all applicable laws, regulations, government mandates and agency specific mandates and policies, including supporting privacy and security best practice standards. This applies across all managed services tool scope of services.

Tool Operational Support
Following operational acceptance by VA, the Contractor shall be responsible for providing 24 x 7 x 365 support for the tools defined in Sections 5.2 through 5.5. The maintenance and support will include the following activities:
- The Contractor shall provide operational support of all Contractor provided networking, storage, and hardware in the environment.
- The Contractor shall provide all levels of support for the tools environment. This support consists of reporting, maintenance, upgrades, patching, creation, and allocation of virtual compute, storage and networking used for the tools. The vendor shall also configure initial user rights for privileged tools users. The Contractor shall assist with troubleshooting virtual network and guest instances as they relate to the tool infrastructure.
- Ensuring uptime and utilization of the tools defined in sections 5.2 through 5.5 as per the SLAs defined in this PWS.
- In the event of a disaster at the DC site, activation of services from the DR site is the responsibility of the Contractor. The Contractor shall develop appropriate policy and checklists in line with the ISO 27001 & ISO 20000 framework for failover and fallback to the appropriate DR site.
- DR drills need to be performed by the Contractor half yearly to check disaster preparedness.
- Establish a daily tool validation check-out process and report on status for operational purposes
- Routinely back up tool log data and configurations
- Support Virtual Disaster Recovery (VDR) testing in accordance with the guidance in VA Handbook 6500.8, "Information System Contingency Planning", as requested
- Prepare and deliver a Disaster Recovery After Action Report after VDR testing is complete, providing lessons learned and highlighting any gaps in the current DR Plan
- Respond to monitoring alerts
- Assist with incident response, eDiscovery and FOIA requests as they relate to discovery and collection of identified evidence through in-scope tools
- Establish continuous diagnostic and mitigation services along with procedures to ensure tool bug fixes and vulnerabilities are identified and patched in accordance with VA mandates and policies
- Maintain tool health to ensure optimum availability and performance
- Maintain tool configuration management and version control of tool configuration changes
- Develop and test roll-back plans for tool configuration changes
- Maintain documentation and ensure timely updates:
  - Tool implementation and administration guides, including any configuration parameters used
  - Health checks and daily checkouts
  - Reporting requirements
  - Change logs
- Maintain tool customizations related to interface code and configuration management scripts
- Work to resolve open operational gaps with tools
  - Includes working with VA IT and Business Divisions as required
  - In accordance with all applicable laws, regulations, government mandates and agency specific mandates and policies, including supporting privacy and security best practice standards
  - This applies across all managed services tool scope of services
- Implement industry and vendor recommended best practices for tools in managed services scope

Change and Configuration Management (CM)
The Contractor shall be responsible for maintaining current hardware and software documentation for their infrastructure supporting the tools in scope. The scope of Change and Configuration Management (CM) includes:
- Infrastructure configuration management - tracking tool configuration changes against baseline definitions of provisioned resources and network components associated with all the environments associated with the tools in scope
- Key event scheduling - scheduling, reviewing, publishing, and tracking infrastructure events
- Infrastructure release management - managing the release of new and existing infrastructure service versions and patches
- Hardware release management - managing the capacity planning, build, and release of new hardware and upgrades to existing hardware
Specifically, the Contractor shall:
- Support CM on the tool components for which the Contractor has responsibility
- Notify designated VA Points of Contact (POC) for all supported projects/initiatives of any scheduled/unscheduled service interruptions (outages) according to the relevant SLA. Outage notifications should include:
  - Periodic (hourly) outage updates with estimated time to resolution, for unscheduled service interruptions
  - Final resolution
  - Root cause analysis including any corrective/preventive steps taken to avoid future outages
  - Statement of credit related to any outage for loss of service to be applied to the VA account due to the outage, if any
- for virtual network changes received from VA designees
Deliverables: Scheduled/unscheduled Service Interruption Notifications (contents above, contractor format), as required

Security Operations
The Contractor shall ensure security of the tools through the implementation of Intrusion Detection and Prevention Systems (IDS/IPS) and Physical and Operational Security controls. The Contractor shall be responsible for monitoring and reacting to all security events for the network infrastructure, virtual environment and backbone network infrastructure.
The VA will be responsible for all monitoring of the operating system, application layer, and network traffic. Security events include network intrusions, scans, denial of service, attacks, worms and unauthorized access to devices managed/hosted by the Contractor on behalf of VA. The Contractor shall support the VA in connecting Government Furnished Equipment (GFE) to the Contractor's infrastructure to support a sufficient level of monitoring as determined by the VA. The Contractor will take an active role in security threat detection, prevention, and reporting. The Contractor shall perform in the following areas:

Security CONOPS. Specifically, the Contractor shall:
- Provide a Security Concept of Operations (CONOPS) to outline its strategies and tactics, procedures, schedule, and method/type of data/log capture to:
  - Monitor Intrusion Detection Systems (IDS) and actively respond to events via an Intrusion Prevention System (IPS)
  - Meet the information security and regulatory compliance requirements
- Develop an Event Escalation Plan containing notification dissemination instructions based on the severity and impact levels found in the Support Response Time SLA
- Provide an information security representative, starting at the project Kick Off meeting, to participate in meetings regarding the security posture of the computing environment upon request
- Make resources or applications residing within the tool systems and subsystems accessible to all authorized users based on need to know and the access levels granted by designated Account Admins
- Not allow the release of any VA information and/or data by the Contractor or any associated Subcontractors without written approval from the Contracting Officer
- Comply with the security and regulatory compliance requirements and attachments, and the referenced information security and regulatory compliance documents
- Comply with FIPS 199 Assessment and Accreditation (A&A) guidelines for systems with a FISMA information system impact level of High
- Meet the SLAs related to information security and other regulatory compliance requirements
- Provide risk mitigation strategies. In the event that a certain control is not currently implemented, a mitigation plan must be included to address: non-compliance remediation; timing of control implementation; and identification of compensating factors or controls currently in place which limit the impact of the risk
- Develop/contribute to guidelines/plans/policies, analyses and reviews that require Information Assurance (IA) expertise in the areas of assessments, monitoring, maintaining, reviewing and processing, accreditation/certification, Program Protection Plan (PPP) evaluation, and other cyber security related activities and mandates
- Provide monthly updates to the Security CONOPS and supporting tools to capture new security alerts and security incidents, configuration changes made to address security concerns, and applicable reports to allow for trending of security events. Security events include network intrusions, scans, denial of service, attacks, worms and unauthorized access to devices managed/hosted by the Contractor on behalf of VA
- Monitor and address any security violations identified by VA or the Contractor within the time specified in the SLA
- Perform forensics, log aggregation and auditing of all retained security log files for the tool infrastructure. Implement Security Information and Event Monitoring (collecting, analyzing, and signaling security event occurrences)
- Perform Vulnerability Management in order to identify, classify, remediate, and mitigate tool security weaknesses.
Reporting on vulnerability assessment results is also critical to ensuring the health of the tools and their infrastructure, and includes the following:
- Support security compliance for VA data, software and services within each tool
- Perform audit reviews and analysis on Contractor-provided software, as required
- Provide VA the ability to perform security scans on any tool systems
- Support required security research and analysis for each VA project, as required
- Conduct security reviews of Configuration Change Requests (CCR) for each VA project environment
- Generate and track help desk tickets in support of mitigation/remediation of identified system vulnerabilities
- Maintain logical data and access segregation between tools
- Provide situational awareness and trending analysis on security-related metrics
- Provide access for VA to conduct on-network infrastructure scanning as desired. The Contractor will be responsible for remediating according to the methods and timelines described in VA Handbook 6500.
- Provide Security Auditors access to security logs.

Intrusion Detection and Prevention Systems. The Contractor shall:
- Maintain IDS/IPS and Prevention Services on a 24x7 basis from two (2) geographically diverse locations
- Detect, identify, react to and report security breaches on all Contractor infrastructure that supports VA environments. The Contractor shall be responsible for reporting incidents within five (5) minutes of event detection to VA NSOC or another VA-designated organization, in accordance with the SLA in Appendix C.
- Provide access to VA and VA-designated third-party organizations (Security Auditors) to any Contractor-provided IDS/IPS software tools
- Manage incident response and mitigation
- Report any security incidents to the United States Computer Emergency Readiness Team (US-CERT)
- Actively investigate any attempted or successful intrusion and take steps to halt the attack and isolate the affected systems. Efforts should be taken to preserve evidence to facilitate forensic analysis
- Conduct a post-incident briefing with VA to assess the response to the incident and provide a written Incident Report within three (3) business days of the occurrence (in accordance with the SLA) outlining the details of the attack, the data accessed, the steps taken for resolution, and mitigation against future attacks
- Make appropriate adjustments to Contractor IDS/IPS policies, procedures, and thresholds as identified during the post-incident briefing. All changes must be recorded in the configuration management tools/repository/library and approved by the change control governance body prior to implementation. In an emergency, waiver of documentation and approval requirements will be evaluated by the Government on a case-by-case basis
- Provide a Security Operations Center (SOC) representative to participate in meetings regarding the security posture of the computing environment upon request
Deliverables:
- Plan of Action and Milestones (POA&Ms) (Contractor format)
- Event Escalation Plan (Contractor format)
- Security CONOPS (Contractor format)
- Updates to the Security CONOPS, due by the 20th day of each month
- Incident Report (Contractor format), within three (3) business days of each occurrence

Continuous Monitoring
The Contractor shall monitor all resources through automated tools to ensure availability and to assure that all systems are operating within the expected parameters as defined by the SLA.
Specifically, the Contractor shall:
- Provide both real-time performance and real-time alert conditions in a form that VA can integrate into an overall alert system and visual display:
  - Per OMB M-12-20, the Contractor must ensure continuous data feeds to the VA Security Information and Event Management (SIEM) system from IT security tools compatible with those currently used by VA.
  - The Contractor shall also feed vulnerability assessment data to VA in order to provide up-to-date vulnerability information in the Government Security Center. Data feeds must enable remote IT security appliance or device feeds into the Government Security consoles, and be compatible with VA's existing enterprise visibility tools (e.g., IBM Tivoli Endpoint Manager, Agiliance Open Risk Vision Governance Risk Compliance tool).
- Operate and maintain the Dashboards per the SLA
If an event occurs that negatively impacts the availability of the environment, the Contractor shall:
- Notify VA in accordance with the SLA. Such notification shall be disseminated according to the severity and impact documented in the Event Escalation Plan.
- Provide Simple Network Management Protocol (SNMP) traps for any infrastructure-related metrics that deviate from normal and require corrective action as specified in the SLA. For application performance metrics, if applicable, SNMP traps shall be provided for alert/abnormal conditions and a web service interface provided to query all application performance metrics in real time
- Provide an Event Update Report as specified in the SLA to VA, including the VA Office of Information Security (OIS)
- Provide an After Action Report (AAR) at the conclusion of the event with a detailed summary of the identified problem, chronology of events, impact analysis, remediation actions, and lessons learned as specified in the SLA. The downtime and the impact to the SLA shall be included in the report
- Provide an initial Root Cause Analysis (RCA) report in accordance with the timeframes specified in the SLA, to which the Government may request clarification or additional detail. A final version shall be supplied, as specified in the SLA, after the Government's solicitation of questions or clarifications
- If the event affects any of the A&A Artifacts (see the Assessment & Accreditation section), provide an update to the required artifact(s)
Deliverables:
- Automated Alerts reporting (contents above)
- Event Update Report (Contractor format), per SLA
- After Action Report (Contractor format), per SLA
- Root Cause Analysis Report (Contractor format), per SLA

Cooperate with VA Office of the Inspector General
The Contractor shall cooperate with the VA Office of the Inspector General (OIG) in the areas of facilities access, audits, security incident notification, and hosting location. Specifically, the Contractor (and any Subcontractors) shall:
(a) Provide the Contracting Officer (CO), the designated representative of the Contracting Officer, and representatives of the agency's Office of Inspector General full and free access to the Contractor's (and Subcontractors') facilities, installations, operations documentation, databases, and personnel used for contract hosting services. This access shall be provided to the extent required to carry out audits, inspections, investigations, or other reviews to ensure compliance with contractual requirements for IT and information security, and to safeguard against threats and hazards to the integrity, availability, and confidentiality of agency information in the possession or under the control of the Contractor (or Subcontractor)
(b) Fully cooperate with all audits, inspections, investigations, or other reviews conducted by or on behalf of the Contracting Officer or the agency Office of Inspector General as described in subparagraph (a). Full cooperation includes, but is not limited to, prompt disclosure (per agency policy) in response to authorized requests of data, information, and records requested in connection with any audit, inspection, investigation, or review; making employees of the Contractor available for interview by auditors, inspectors, and investigators upon request; and providing prompt access (per agency policy) to Contractor facilities, systems, data and personnel to the extent the auditors, inspectors, and investigators reasonably believe necessary to complete the audit, inspection, investigation, or other review. The Contractor's (and any Subcontractors') cooperation with audits, inspections, investigations, and reviews conducted under this clause will be provided at no additional cost to the Government
(c) Preserve such data, records, logs and other evidence as are reasonably necessary to conduct a thorough investigation of any computer security incident. A computer security incident is as defined in NIST SP 800-61, Computer Security Incident Handling Guide, including but not limited to those constituting an actual or potential threat or hazard to the integrity, availability, or confidentiality of agency information in the possession or under the control of the Contractor (or Subcontractor), or to the function of information systems operated by the Contractor (or Subcontractor) in the performance of this contract
(d) Promptly notify the designated agency representative in the event of any computer security incident as described in paragraph (c) above. This notification requirement is in addition to any other notification requirements which may be required by law or this contract. Established Federal agency timeframes for reporting security incidents to the United States Computer Emergency Readiness Team (US-CERT), although not exhaustive, serve as a useful guideline for determining whether reports under this paragraph are made promptly (see NIST SP 800-61, Computer Security Incident Handling Guide, Appendix J)
(e) Provide to the requestor (Contracting Officer, a representative of the Contracting Officer, or the agency Office of Inspector General) Government data, information, or records under the control of or in the possession of the Contractor pursuant to this contract, which the Agency, including the Office of Inspector General, may request in furtherance of other audits, inspections, investigations, reviews or litigation in which the Agency or the Office of Inspector General is involved. Requests for production under this paragraph shall specify a deadline of not less than 10 days for compliance, which will determine whether response to the request has been made in a timely manner. Unless expressly provided otherwise elsewhere in this contract, the production of data, information, or records under this paragraph will be at no additional cost to the Government
(f) Include the substance of this clause, including this paragraph (f), in any subcontract which would require or otherwise result in Subcontractor employees having access to agency information in the possession or under the control of the Contractor (or Subcontractor), or access to information systems operated by the Contractor (or Subcontractor) in the performance of this contract
(g) Ensure that all hosting services pertaining to this contract are performed within the United States of America, including the storage of agency data, information, and records under the control of or in the possession of the Contractor pursuant to this contract.

Help Desk Support
The Contractor shall provide Tier 3 Help Desk support meeting the requirements listed below. Tier 3 support is defined as expert-level troubleshooting and analysis methods. This support includes assistance in direct response to incidents and issues for the tools defined in Sections 5.2 through 5.5.
It shall also include research and development of solutions to new or unknown issues related to VA's use of the tools. During performance of this effort, VA anticipates an average of fewer than 10 calls/tickets per week.
Specifically, the Contractor shall:
- Serve as the single point of contact for all tool-related issues per the Section 5.2 through 5.5 requirements
- Provide help to authorized users on the usage of said tools and associated consoles and dashboards
- Authenticate a tool user before giving access, providing information, or making changes to Contractor infrastructure
- Provide a ticket tracking system that includes an automated capability to survey customer satisfaction for each ticket, to provide customer satisfaction metrics. At a minimum, the ratings shall use the following scale: 1 - very unsatisfied, 2 - unsatisfied, 3 - minimally meets expectation, 4 - satisfied, 5 - very satisfied
- Manage and track all environment outages
- Manage Help Desk request fulfillment, access management, and planned and preventive maintenance
- Provide input and technical support to VA help/service desks on all DC and DR layers until resolution
- Provide problem management tracking for three severity (SEV) levels of problem requests and timely resolution of infrastructure problems in accordance with the SLA:
  - A SEV 1 Incident shall be defined as system down or capacity diminished by greater than 10%. What constitutes system down or capacity diminished by greater than 10% shall be defined by VA.
  - A SEV 2 Incident shall be defined as system down or capacity diminished by less than 10%, or a change order not requiring additional resources. What constitutes system down or capacity diminished by less than 10% shall be defined by VA.
  - A SEV 3 Incident shall be defined as routine maintenance or a schedulable activity.
- Notify the VA COR of scheduled maintenance windows per the SLA. At a minimum, the notification shall include a description of the planned maintenance and potential risks
- Provide a Monthly Help Desk Usage Report and Customer Satisfaction Report detailing all Help Desk services provided during the Reporting Period
Deliverables:
- Monthly Help Desk Usage Reports (Contractor format)
- Monthly Customer Satisfaction Reports (Contractor format)
- Help Desk SOP updates (Contractor format)
- Ticketing, incident and outage reporting (Contractor format)

VA Enterprise Cloud Operations Tools Optional Tasks

Connect Additional CSPs [Optional Task]
If exercised, the Contractor shall update the tool configurations for all solutions defined in Sections 5.2-5.5 above to accommodate additional CSPs (for example, Google Cloud or Oracle Government Cloud) added to the VA Enterprise Cloud hybrid environment.
Deliverables (one set for each of the tools defined in Sections 5.2-5.5 above):
- Tool Installation Design/Process Updates, as needed
- Administration Guide Updates, as needed
- User's Guide Updates, as needed
- Transition Plan Updates [Optional]
- Test Plan/Report

Tool Training [Optional Task]
If exercised, the Contractor shall:
- Develop tools training materials from the implementation, user, and administration guides developed during the Install, Deploy, and Configure sub-task, which:
  - Identify important operational lessons learned
  - Include check-out procedures
  - Include the daily tool health check
  - Include report generation
  - Include knowledge transfer
- Deliver training
- Recommend tool- and industry-specific training courses and certifications, including for the supporting script and programming languages used to maintain tool customizations
Deliverables:
- Tools Training Materials (Contractor format) for each tool defined in Sections 5.2-5.5 above

Transition Operations to VA-Designated Organization [Optional Task]
If exercised, the Contractor shall:
- Develop a transition plan that:
  - Includes roles with required skill sets
  - Includes a RACI for tools support
  - Includes a timeline with tool prioritization staging
  - Includes any tools training materials generated during the Provide Tools Training task
- Validate compliance of tools in accordance with all applicable laws, regulations, government mandates and agency-specific mandates and policies, including supporting privacy and security best-practice standards
- Validate disaster recovery, back-up and restore procedures developed during managed services support
- Establish back-line escalation support for a specified period, providing support for escalated tool incidents
Deliverables:
- Transition Plan (Contractor format, see contents above) for each tool defined in Sections 5.2-5.5 above

Support Phase-Out [Optional Task]
All or any part of the virtual resources utilized under this Agreement may require migration to a future service provider (FSP) (Government or SA) due to expiration or termination of this Agreement, or for any other reason at the sole discretion of VA. Accordingly, the Contractor shall develop a Phase-Out Plan to allow a successful migration to the FSP, addressing the process for any required Phase-Out request.
The Contractor shall provide an overall plan describing the specifics for projects being phased out. All migration actions shall be completed prior to the expiration or termination date. The Phase-Out Migration Plan shall address the following areas:
- An inventory and migration of historical data (generally, tool configurations and databases) relating to the specific tool requirements defined in Sections 5.2 through 5.5
- Techniques for ensuring that all retrieved data supplied is provided in the original or another VA agreed-upon format
- A plan for ensuring that, prior to termination or completion of this effort, the Contractor/Subcontractor does not destroy any information, in any form, received from VA or gathered/created by the Contractor in the course of performing this effort, without prior written approval by VA. Any data destruction done on behalf of VA by the Contractor must be done in accordance with National Archives and Records Administration (NARA) requirements as outlined in VA Directive 6300, Records and Information Management, its Handbook 6300.1, Records Management Procedures, applicable VA Records Control Schedules, and VA Handbook 6500.1, Electronic Media Sanitization
- An orientation phase to introduce the successor (FSP) personnel, programs, and users to the incoming team, explaining tools, methodologies, and business processes
- The Contractor's strategy and planned approach for personnel staffing and training during the transition period to a new provider, which shall begin as soon as migration notification is conveyed
- A Migration Checklist (Contractor format)
- Signed turnover agreements in the designated format
Deliverables:
- Phase-In Migration Plan
- Phase-Out Migration Plan
- Migration Checklist (Contractor format)

Desired Requirements
The following subsections detail additional functional requirements (organized by tool suite) considered desirable by VA.

Cloud Management Platform (CMP)
Table 5: Desired CMP Requirements
Requirement ID – Requirement Detail
Service Request Management. Service Request Management includes the self-service interface used by VA EC users and administrators to configure and consume cloud services.
Desired requirements in this category include:
Self Service Portal
- The CMP should perform all self-provisioning functions from a web-based UI, fully compatible with mobile browsers such as Apple Mobile Safari, Android's default browser and Microsoft Internet Explorer Mobile
- The CMP should allow CMP administrators to preapprove provisioning of specific catalog objects
- The CMP should perform preapproved (by CMP administrators) automated provisioning
Service Catalog
- The CMP-based service catalog should allow tenant administrators and operators to store VM images, CD/DVD images (that is, ISOs), software setup programs, supporting files (for example, Microsoft Sysprep deployment packages) and automation scripts necessary for provisioning
- The CMP service catalog should allow the definition of which objects are preapproved for provisioning, which users and groups warrant preapproval, and the quota for each preapproved object

Provisioning, Orchestration, and Automation. Provisioning, Orchestration, and Automation includes orchestrating and automating the cloud services and resources in accordance with defined policies for all VA Enterprise Cloud components. Desired requirements in this area include:
Provisioning
- The CMP should include the ability to integrate services into datasets regardless of location (on-premises, colocation or external CSP)
Automated Provisioning
- The CMP should include capabilities for using pre-defined provisioning procedures/routines that are carried out without requiring further human intervention for:
  - PaaS capabilities/configurations
  - SaaS capabilities/configurations
  - DBaaS capabilities/configurations (for example, MongoDB, MSSQL, Oracle, DynamoDB, RDS, and MS SQL Server)
- The CMP should be able to create cloud-agnostic application profiles and provide price and performance benchmarks for all approved CSPs and application templates
Service Templates/Orchestration
- The CMP should support other orchestration languages (e.g., Business Process Execution Language (BPEL))

Infrastructure Monitoring and Metered Usage. Infrastructure Monitoring and Metered Usage includes monitoring the use of the VA EC resources at levels below the application. Desired requirements in this area include:
Monitoring
- The CMP should be able to monitor CSP performance against service level agreements (SLAs), as defined, across all instances of all VA ECE cloud environments
- CMP monitoring results should be viewable on heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, desktops)
- The CMP should include the ability to monitor events and services across different network implementations (e.g., VPN and MPLS)
- The CMP should include the ability to assist in the diagnosis of network bottleneck issues, for example separating virtual network issues from application performance problems
- The CMP should include the ability to provide end-point monitoring and alerting for infrastructure, Software as a Service (SaaS), Platform as a Service (PaaS), and DNS end-points
Reporting and Alerting
- The CMP should be customizable, allowing for user-generated changes and customization of all reports
- CMP administrators should be able to define the sending frequency (e.g., aggregate all alerts within a three-minute time range in a single email) and the recipients of email warnings
- All CMP-generated reports should be consumable by heterogeneous thin or thick client platforms (e.g., mobile phones, tablets, desktops)
- All CMP-generated reports should be exportable via CSV/XML files based on user-defined tagging
- All CMP account management data should be exportable via CSV/XML files and HTML
- The CMP should include the ability to generate and export reports based on events
- The CMP should include the ability to inventory and track application licenses
- The CMP should include the ability to view all orders and all instances
- The CMP should include the ability to view reports by user, region or instance
- The CMP should include the ability to view service ticket creation based on actions
- The CMP should include the ability to create compliance policies by deployment instance
- The CMP should include the ability to monitor SSL/TLS certificates and provide alerting prior to expiration
- The CMP should include the ability to report on any services with identified security vulnerabilities

Governance, Policy, and API Management. Governance, Policy, and API Management includes policy enforcement and governance and the management of automation policies that allow automatic responses to conditions in the VA EC. Desired requirements in this area include:
Governance & Policies
- N/A
Programmable Interface
- The CMP should include a graphical user interface to create automated workflows (blueprints)
- The CMP interface should be customizable, allowing for user-generated changes to the User Interface (UI) (for example, by adding logos) and user- or administrator-generated selection of available functions
Multi Cloud/Multi-Tenant Applicability
- N/A
Governance and Quota Management
- The CMP should include the ability to automate cloud provider selection through policy
- The CMP should include the ability to create policies based on all actionable events
- The CMP should include the ability to create policies based on application patch status
- The CMP should include the ability to create policies based on the performance of a public cloud service
Portability
- The CMP should include the ability to migrate workloads across CSPs
- The CMP should provide Application Migration Support, including tools to facilitate migration of applications and data between CSPs and from traditional/virtual environments operated by the VA to a CSP
- The CMP should provide for virtual machine format conversion
- The CMP should include the ability to export VMs and images into OVF format
Interoperability & Connectors
- The CMP should include the ability to convert instance formats among common standards (VMDK, VHD and AMI)
- The CMP should support external DevOps toolchains
- The CMP should support secure network tunneling
Integration With 3rd Party Tools/Extensibility
- The CMP should also support integration with the following current VA tools:
  - Performance Monitoring - CA UIM
  - Security information and event management (SIEM) - IBM QRadar XX28
  - SolarWinds - SNMP network monitoring
  - McAfee ePolicy Orchestrator (ePO) (Windows only)
  - McAfee Antivirus (AV) HIPS (Windows only)

Capacity and Resource Planning. Capacity and Resource Planning includes functions that monitor cloud resource use and inform VA management capacity optimization and planning functions. Desired requirements in this area include:
- The CMP should allow external capacity management vendors access to its back-end database via API to collect custom reports, or allow exporting all or selected data in delimited formats (e.g., CSV, XML, JSON)

Security and Identity Management. Security and Identity Management includes several functions related to cloud computing security and access.
Security
- The CMP should include a mechanism for the enforcement of CSP-level security controls
- The CMP should include software library protection, automatically scanning all files uploaded to the CMP service catalog's software library for malware
- The CMP should include prevention mechanisms against internal denial of service (DoS) attacks attempted by a malicious cloud tenant
Identity and Access Management
- N/A

Service Level Management. Service Level Management is the ability to manage the object life cycle and automated actions (workflows) based on triggering events in the VA EC hybrid cloud environment.
Lifecycle Management
- The CMP should provide for object backup and restore
- The CMP should provide snapshot (that is, memory state to disk capture) management
- The CMP should provide object migration across cloud resources
- The CMP should provide user-customizable cloud management workflows
- The CMP should provide cloud management approval workflows
- The CMP should include lifecycle analytics and reporting that tracks the following: average time to approve a provisioning request, number of catalog objects, average lease time, and time to expire
- The CMP should include the ability to version and track templates (blueprints)
- The CMP should include the ability to change/configure storage performance configurations
Workflow Management
- N/A

Cost Transparency and Optimization. Cost Transparency and Optimization is the ability to provide tracking, budgeting and optimization of the cloud expenses for all VA ECE components.
- The CMP should be able to charge cloud infrastructure usage via an allocation-based model
- CMP administrators should be able to assign independent charging models (for example, CMP capacity management module allocation-based, CMP self-service portal consumption-based) and pricing to different cloud tenants
- The CMP chargeback model should be able to charge for the allocation of catalog objects (for example, virtual storage volume, VM and VS)

Configuration and Change Management. Configuration and Change Management is the ability to handle and control changes to cloud configuration information for all VA ECE components.
- The CMP should provide a web-based administrative interface covering external requirements for authentication (VPN) and public vs. private IP addresses
- The CMP configuration and change management module should translate compliance rules into automation workflows that are stored in the CMP orchestrator
- The CMP should include a predefined CM compliance rule base to comply with government regulations and vendor security best practices (e.g., OS and application hardening guides)
- The CMP should provide maintenance window management and scheduling functions

Non-Functional Requirements (NFRs)
Robustness: N/A
Platform:
- The CMP should include support for management of mainstream databases, for example MongoDB, MSSQL, Oracle, DynamoDB, RDS, and/or MS SQL Server
- The CMP should support location independence of provided resources/objects
Performance: N/A
Licensing:
- The CMP should include per-number-of-provisioned-catalog-objects licensing
NIST Roadmap:
- The solution should comply with the NIST Cloud Computing Standards Roadmap (Special Publication 500-291), which describes standards for interoperability, portability, and security. The solution shall also comply with Guidelines on Security and Privacy in Public Cloud Computing (Special Publication 800-144) and VA Handbook 6500.
For a list of all required documents, see Appendix C.

Cloud Access Security Broker (CASB)
Table 6: Desired CASB Requirements
Requirements ID – Requirements Detail
Vendor Profile
- The CASB product vendor should ensure that all products owned and supported in the VA enterprise cloud solution hold ISO 27001 and ISO 27018 certification.
- The CASB product vendor should ensure that all products owned and supported in the VA enterprise cloud solution meet FIPS 140-2 validation (i.e., use FIPS 140-2 validated cryptographic modules).
High Level CASB Solution Requirements
- The CASB solution should be capable of efficient use of network bandwidth (upload only essential data, avoiding uploading full logs).
- The CASB solution should be capable of structured data encryption in the cloud (e.g., Salesforce and ServiceNow forms) using format-preserving ciphers.
- The CASB solution should be capable of interfacing with enterprise-level DLP vendors.
- The CASB solution should be capable of supporting agentless device control (cloud BYOD support).
- The CASB solution should be capable of enforcing geofencing for sanctioned IT.
- The CASB solution shall be capable of providing User and Entity Behavior Analytics (UEBA) to identify anomalies and potential threats.
- The CASB solution should be capable of utilizing customer-owned encryption keys.
- The CASB solution should be capable of performing malware scans/analysis for data in the cloud service.
- The CASB solution should be capable of supporting custom applications written in supported development languages hosted on AWS, Azure, and Google Cloud.

Visibility
Cloud Registry:
- The CASB solution should allow solution administrators to customize weights for cloud service risk scores.
- The CASB solution should allow solution administrators to add custom cloud service attributes to the cloud registry.
- The CASB solution should be capable of utilizing a crowd-sourced approach to cloud registry updates.
- The CASB solution should support at least 30 category labels to summarize cloud usage reports by categories such as CRM, file sharing, marketing, collaboration, social media, etc.
- The CASB solution should track compliance certifications for cloud services within the registry, including but not limited to PCI, ISO, CSA, HIPAA, and other industry requirements.
- The CASB solution should be capable of auditing the exposure of cloud services to vulnerabilities such as Cloudbleed, Heartbleed, POODLE, FREAK, etc.
Cloud Discovery:
- The CASB solution should be capable of supporting arbitrary log formats from multiple firewall and proxy vendors (intelligent log parsing capability).
- The CASB solution should support drill-down from an aggregate chart to a single user's action (upload/download) to support forensic investigation.
- The CASB solution should be capable of removing information not relevant to CASB analysis from the logs before uploading them to the CASB cloud. This should equate to stripping out roughly 98% of the log volume, since most of it is unrelated to cloud traffic.
Risk and Vendor Assessment:
- The CASB solution should support the customer in assessing the risk of any new cloud service by providing a consolidated risk score representing its enterprise readiness.
- The CASB solution should support customer-level modification of cloud service risk scoring based on assignable weights aligned with enterprise-level agency policies.
- The CASB solution should allow adding custom attributes for services and incorporate them into the calculation of the risk score.
- The CASB solution administrator should be able to restrict editing of the risk score of an active service to selected users only.
- The CASB solution should be capable of creating a watch list to monitor selected users who are showing suspicious behavior.
Cloud Machine-Based Policy Enforcement:
- The CASB solution should support automated messages that further shape the risky behavior of users who consume commonly used unsanctioned and sanctioned cloud services and applets that may be categorized as high pliance.
Data Loss Prevention (DLP) Policies
- The CASB solution should include smart data identifiers for SSNs and credit cards that do not rely on a simple regex.
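The smart-identifier requirement above, together with the SSN issuance-scheme distinction, the Luhn check and the proximity rule the following requirements spell out, as an added example (this is not vendor or VA code). It assumes that what the page calls the post-2010 SSN standard is the randomized assignment scheme the SSA adopted in June 2011, and it uses constructed Patient ID (PT-nnnnnn) and RX ID (RXnnnnnnn) shapes for the proximity rule, since the page gives no real formats.

```python
"""Smart DLP identifiers: structural SSN checks, Luhn validation for card
numbers, and a word-distance proximity rule. Added example; not vendor code."""
import re

# 16-digit numbers in 4-4-4-4 groups (space or hyphen separated) or 13-19
# contiguous digits. Other groupings (e.g., 4-6-5 AMEX) are out of scope here.
CARD_RE = re.compile(r"\b\d{4}(?:[ -]?\d{4}){3}\b|\b\d{13,19}\b")
# ddd-dd-dddd or 9 contiguous digits; the backreference forces one separator
# style so a card number's digit groups are never read as an SSN.
SSN_RE = re.compile(r"\b(\d{3})(-?)(\d{2})\2(\d{4})\b")
# Numbers the SSA has publicly listed as never valid (used in advertising).
KNOWN_BOGUS_SSNS = {"078051120", "219099999"}
# Constructed identifier shapes for the proximity rule; not real VA formats.
PATIENT_ID_RE = re.compile(r"PT-\d{6}")
RX_ID_RE = re.compile(r"RX\d{7}")


def luhn_valid(number: str) -> bool:
    """Mod-10 checksum used by payment card numbers; rejects most typos."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def classify_ssn(area: str, group: str, serial: str) -> str:
    """Return 'invalid', 'legacy_range' (possible under both assignment
    schemes) or 'randomized_only' (area only assignable after the SSA's
    June 2011 randomization, assumed to be what the page calls post-2010)."""
    a, g, s = int(area), int(group), int(serial)
    # Never assigned under either scheme.
    if a == 0 or a == 666 or a >= 900 or g == 0 or s == 0:
        return "invalid"
    if f"{a:03d}{g:02d}{s:04d}" in KNOWN_BOGUS_SSNS:
        return "invalid"
    # Areas 773-899 were unused before randomization, so such a number
    # cannot be a legacy SSN; lower areas are possible under both schemes.
    return "randomized_only" if a > 772 else "legacy_range"


def scan(text: str) -> dict:
    """Find card and SSN candidates and annotate each with its check result."""
    cards = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group(0))
        cards.append((digits, luhn_valid(digits)))
    ssns = [(m.group(0), classify_ssn(m.group(1), m.group(3), m.group(4)))
            for m in SSN_RE.finditer(text)]
    return {"cards": cards, "ssns": ssns}


def proximity_hit(text: str, first=PATIENT_ID_RE, second=RX_ID_RE,
                  window: int = 10) -> bool:
    """True if a 'first' and a 'second' identifier occur within `window` words."""
    tokens = text.split()
    first_pos = [i for i, t in enumerate(tokens) if first.search(t)]
    second_pos = [i for i, t in enumerate(tokens) if second.search(t)]
    return any(abs(i - j) <= window for i in first_pos for j in second_pos)


# Constructed sample text; every number here is a test value, not real data.
SAMPLE = (
    "Patient PT-004512 was billed to card 4111 1111 1111 1111; "
    "the fax cover sheet lists order number 4111 1111 1111 1112. "
    "Employee SSN 078-05-1120 appears in the wallet insert, "
    "while 123-45-6789 and 823-45-6789 came from the HR export. "
    "Prescription RX0098123 was issued two days later."
)

if __name__ == "__main__":
    print(scan(SAMPLE))
    print("proximity:", proximity_hit(SAMPLE),
          proximity_hit("Patient PT-004512 refill RX0098123 approved."))
```

On the sample the two card-shaped numbers are separated by the Luhn check (the second is an order number, not a card), the wallet-insert SSN is rejected outright, and an area number above 772 is reported as only assignable under the randomized scheme; the Patient ID and RX ID are 38 words apart, so the proximity rule does not fire there but does on the short second sentence.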
For example, the solution should be able to distinguish SSNs assigned under the pre-2010 standard from those assigned under the post-2010 standard, and apply the Luhn check to credit card numbers.
- The CASB solution should support a proximity check across multiple data identifiers, e.g., a Patient ID and an RX ID within 10 words of each other.
- The CASB solution should support the following remediation actions when a DLP policy is violated:
  - Alert administrator
  - Block
  - Quarantine
  - Encrypt
  - Tombstone
- The CASB solution should be capable of interfacing with data classification and tagging solutions such as Titus and Boldon James, and with those natively available in cloud services such as Box and Office 365.
DLP Policy Violations:
- The CASB solution should show an excerpt of the content that triggered the DLP violation (match/hit highlighting), so the administrator does not have to search the entire file for the sensitive content.
- The CASB solution should support bulk update and remediation of policy violations, to save time for IT teams dealing with hundreds of violations.
- The CASB solution should be capable of enforcing collaboration policies that are content aware (e.g., sensitive data is not shared externally).
- The CASB solution should remediate violations of sharing policies by:
  - Removing sharing permissions
  - Modifying sharing permissions
  - Quarantining the file(s)

Threat Protection
Activity Monitoring of Cloud Service Usage: N/A
Anomalies and Threats:
- The CASB solution should detect threats arising from malicious or negligent users based on a behavioral model (e.g., User and Entity Behavior Analytics [UEBA]).
- The CASB solution should baseline thresholds from behavioral models, with different thresholds per user based on time of day, week, month and quarter; user role; department; and the behavior of other users in the department.
- The CASB solution should build context around geography-based anomalies by indicating a user's trusted locations, such as home and office.
- The CASB solution should correlate anomalies across multiple sanctioned and shadow cloud services, as well as custom apps on IaaS platforms, to highlight threats.
- The CASB solution should support commonly used threat models with indicators of compromise (IoCs) to identify and categorize potential anomalous activity as likely threats.
- The CASB solution should allow tuning thresholds to the organization's threat detection requirements.
- The CASB solution should invoke step-up authentication when it detects high-risk behavior, from a device and identity perspective, while sensitive data is being accessed or downloaded.
Incident Workflow:
- The CASB solution should provide a dashboard that presents threat information and manages incident workflows.
- The CASB solution should natively record incident workflow actions (Resolve, False Positive).
- The CASB solution should take input on false positives and false negatives and use it to tune the threat protection engine.
Malware Controls:
- The CASB solution should detect malware hosted in cloud services.
- The CASB solution should be capable of scanning existing data stores for new signatures/variants of malware.
- The CASB solution should be capable of ingesting third-party intelligence feeds.

Data Security
Contextual Access Control:
- The CASB solution should NOT require additional endpoint agents to enforce contextual or device-based access controls.
Encryption:
- The CASB solution should be capable of encrypting selected fields within cloud providers such as Salesforce and ServiceNow.
Rights Management:
- The CASB solution should be capable of applying EDRM policies at the reverse proxy.
- The CASB solution should support at least one EDRM provider (e.g., Ionic).

IaaS and Custom Apps Security
IaaS Security:
- The CASB solution should audit IaaS service configurations against best practices and known misconfiguration issues.
- The CASB solution should automatically identify security configuration incidents and flag them as 'Resolved' once IT or Operations teams have fixed them.
- The CASB solution should automatically categorize IaaS activities across commonly understood categories.
- The CASB solution should provide an incident response workflow to triage and remediate violations.
Custom Apps Security:
- The CASB solution should be capable of enforcing DLP policies on data in custom apps built on IaaS platforms such as AWS, Azure and Google Cloud.
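The IaaS Security requirements above (auditing service configurations against known misconfigurations, and automatically flagging an incident as 'Resolved' once the fix lands) as an added example; this is not vendor or VA code. The snapshot shape (security groups with ingress rules, buckets with ACL and encryption flags) is a constructed simplification of what a cloud API returns, the rule identifiers are invented, and the two snapshots are made-up data: the first holds the misconfigured estate, the second a later scan after SSH was restricted and the bucket ACL fixed, with a new bastion host that opens RDP to the world.

```python
"""Config audit for IaaS resources plus incident reconciliation that marks
findings 'Resolved' once they disappear. Added example; not vendor code.
The snapshot shape below is a constructed simplification, not a cloud API."""
from dataclasses import dataclass
from ipaddress import ip_network

ADMIN_PORTS = {22, 3389}          # SSH and RDP


@dataclass(frozen=True)
class Finding:
    rule: str       # rule identifier (invented for this example)
    resource: str   # resource the finding applies to
    detail: str     # what exactly was wrong


def is_world_open(cidr: str) -> bool:
    """True for 0.0.0.0/0 or ::/0 (any IPv4 or IPv6 source)."""
    return ip_network(cidr, strict=False).prefixlen == 0


def audit_security_groups(groups) -> list:
    """Flag ingress rules that expose an admin port to the whole internet."""
    findings = []
    for sg in groups:
        for rule in sg["ingress"]:
            lo, hi = rule["from_port"], rule["to_port"]
            for cidr in rule["cidrs"]:
                if is_world_open(cidr) and any(lo <= p <= hi for p in ADMIN_PORTS):
                    findings.append(Finding("SG-ADMIN-WORLD", sg["id"],
                                            f"{cidr} -> {lo}-{hi}"))
    return findings


def audit_buckets(buckets) -> list:
    """Flag public ACLs and buckets without default encryption."""
    findings = []
    for b in buckets:
        if b.get("public_acl"):
            findings.append(Finding("S3-PUBLIC-ACL", b["name"], "ACL grants AllUsers"))
        if not b.get("default_encryption"):
            findings.append(Finding("S3-NO-SSE", b["name"], "no default encryption"))
    return findings


def audit(snapshot) -> list:
    return (audit_security_groups(snapshot["security_groups"])
            + audit_buckets(snapshot["buckets"]))


def reconcile(previous: dict, snapshot) -> dict:
    """Carry incident state forward: a finding still present stays 'Open', one
    that no longer appears becomes 'Resolved', and new findings open as 'Open'."""
    current = set(audit(snapshot))
    state = {f: ("Open" if f in current else "Resolved") for f in previous}
    for f in current:
        state.setdefault(f, "Open")
    return state


# Constructed snapshots (not real VA resources).
BEFORE = {
    "security_groups": [
        {"id": "sg-web", "ingress": [
            {"from_port": 22, "to_port": 22, "cidrs": ["0.0.0.0/0"]},
            {"from_port": 80, "to_port": 80, "cidrs": ["0.0.0.0/0"]}]},
        {"id": "sg-db", "ingress": [
            {"from_port": 5432, "to_port": 5432, "cidrs": ["10.0.0.0/8"]}]},
    ],
    "buckets": [
        {"name": "va-logs", "public_acl": True, "default_encryption": False},
        {"name": "va-artifacts", "public_acl": False, "default_encryption": True},
    ],
}
AFTER = {
    "security_groups": [
        {"id": "sg-web", "ingress": [
            {"from_port": 22, "to_port": 22, "cidrs": ["10.0.0.0/8"]},
            {"from_port": 80, "to_port": 80, "cidrs": ["0.0.0.0/0"]}]},
        {"id": "sg-bastion", "ingress": [
            {"from_port": 3389, "to_port": 3389, "cidrs": ["::/0"]}]},
    ],
    "buckets": [
        {"name": "va-logs", "public_acl": False, "default_encryption": False},
        {"name": "va-artifacts", "public_acl": False, "default_encryption": True},
    ],
}

if __name__ == "__main__":
    incidents = {f: "Open" for f in audit(BEFORE)}
    for finding, status in reconcile(incidents, AFTER).items():
        print(status, finding.rule, finding.resource, finding.detail)
```

The incident key is the whole finding (rule, resource, detail), so a fix that only changes the port range or source would close the old incident and open a new one rather than silently carrying the old state forward; port 80 open to the world is deliberately not an admin-port finding, and the IPv6 ::/0 on the bastion is caught by the same prefix-length test as 0.0.0.0/0.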
- DLP policies should be applicable to files as well as form fills, XML, and data entered within individual fields.
- The CASB solution should support pre-built templates that let IT teams enforce the policies required for compliance with PCI DSS, HIPAA, HITECH, GLBA, SOX, CIPA, FISMA, and FERPA.
- The CASB solution should identify and automatically map user activity (without any manual code writing) and provide an audit trail of activities performed within custom apps on IaaS platforms.
- The CASB solution should analyze activities in custom apps to detect threats associated with insiders, compromised accounts, and privileged users.
- The CASB solution should support encryption of data within custom apps using customer-owned encryption keys.

Platform and Integration
Reporting:
- The CASB solution should let users customize views and reports based on the information they want to see.
- The CASB solution should provide at least the following reports out of the box:
  - DLP policy violations for a specified CSP, user/group, and severity
  - Top 10 threats
  - Top collaborations by team, files, and domain
Integration:
- The CASB solution should be capable of interfacing with Digital Rights Management (DRM) or Information Rights Management (IRM) solutions to apply DRM/IRM protections to cloud files.
User Experience:
- The CASB solution should provide streamlined, persona-based navigation for multiple roles.

Application Program Interface (API) Gateway
Table 7: Desired API Gateway Requirements
Requirements ID – Requirements Detail
Architecture
- The solution should support federated management of the distributed deployment, thereby allowing a single interface to manage all deployed API gateways.
- The solution should support auto scaling to meet traffic demands.
- The API Gateway solution should support 99.99% uptime with zero downtime for patches and updates.
Basic Gateway Functions
- The solution should be capable of caching to minimize load on back-end systems.
- The solution should support traffic prioritization and quality of service (QoS).
Analytics
- The solution should support out-of-the-box analytics reports.
- Reports should be customizable and saveable per user.
- The user interface should allow creating custom end-user reports without software development, through a drag-and-drop or wizard interface.
- The solution should track metrics for reporting purposes, including but not limited to:
  - Utilization of each API
  - Response times of back-end systems for each API
  - End-to-end visibility and performance statistics
  - SLA compliance
Security
- The solution should support single sign-on (SSO).
- The solution should support internal denial-of-service prevention.
- The solution should support and interface with privileged account management tools.
Non-Functional Requirements (NFRs). Other requirements for an API Gateway for all VA Enterprise Cloud components include:
NIST Roadmap: The solution should comply with the NIST Cloud Computing Standards Roadmap (Special Publication 500-291), which describes standards for interoperability, portability, and security. The solution shall also comply with Guidelines on Security and Privacy in Public Cloud Computing (Special Publication 800-144) and VA Handbook 6500 (US Department of Veterans Affairs).
For a list of all required documents, see Appendix C.

Continuous Integration/Continuous Deployment (CI/CD) & DevOps
Table 8: Desired CI/CD & DevOps Requirements
Requirements ID – Requirements Detail
Functional Requirements: N/A
Security
- Tool sets should support and interface with single sign-on capabilities.
- Tool sets should support and interface with privileged account management tools.
Non-Functional Requirements (NFRs)
NIST Roadmap: The solution should comply with the NIST Cloud Computing Standards Roadmap (Special Publication 500-291), which describes standards for interoperability, portability, and security. The solution shall also comply with Guidelines on Security and Privacy in Public Cloud Computing (Special Publication 800-144) and VA Handbook 6500 (US Department of Veterans Affairs). For a list of all required documents, see Appendix C.