SUBMITTED BY:

InfoReliance Corporation
4050 Legato Road, Suite 700
Fairfax, VA 22033

Ms. Theresa Grouge
Director of Contracts
[email protected]
(703) 246-9360, x1162 (phone)
(703) 246-9331 (fax)

SUBMITTED TO:

Florida Department of Management Services (DMS)
4050 Esplanade Way
Tallahassee, FL 32399-0950

Mr. Joel Atkinson
Associate Category Manager
(850) 488-1985
[email protected]

FLORIDA DEPARTMENT OF MANAGEMENT SERVICES (DMS)
CYBER-SECURITY SERVICES

Request for Information (RFI)
Submission Date - 03 September 2015


  

Offer Letter

03 September 2015

 

Joel Atkinson, Associate Category Manager
Florida Department of Management Services
4050 Esplanade Way
Tallahassee, FL 32399-0950

Re: Request for Information (RFI)

Mr. Atkinson:

InfoReliance is pleased to submit our proposal for Cyber-Security Services in response to the RFI dated 21 August 2015, with proposal submissions due 03 September 2015 by 12:00PM (Noon).

InfoReliance has an unparalleled track record for technical excellence and exceptional customer service in providing a full range of cyber-security services to the Florida Department of Management Services.

The primary Point of Contact is our Director of Contracts, Ms. Theresa Grouge:

InfoReliance Corporation 4050 Legato Road Suite 700 Fairfax, VA 22033

Ms. Theresa Grouge Director of Contracts [email protected] (703) 246.9360 ext. 1162 (tel) (703)246.9331 (fax)

InfoReliance thanks the Florida Department of Management Services once again for the opportunity to submit our proposal. If you have any questions about our response, please contact me at (703) 246.9360 (ext. 1162), or via e-mail at [email protected].

Sincerely,

Theresa Grouge Director of Contracts  

 


  Florida Department of Management Services (DMS) Request for Information (RFI)

 

 


This proposal includes data that shall not be disclosed outside the Government and shall not be duplicated, used or disclosed—in whole or in part—for any purpose other than to evaluate this proposal. If however, a task order is awarded to this offeror as a result of—or in connection with—the submission of this data, and the Government incorporates the quote as part of the award, the Government shall have the right to duplicate, use, or disclose the data. Also, this restriction does not limit the Government’s right to use information contained in this data if it is obtained from another source without restriction.

Table of Contents

1. Introduction

2. Background

2.1. Capabilities

2.1.1. Incident Response Focus

2.1.2. Cloud Environment Monitoring

3. Contact Information

4. Service Requirements (RFI Section IV)

4.1. Pre-Incident Services

4.1.1. Incident Response Agreements

4.1.2. Assessments

4.1.3. Preparation

4.1.4. Developing Cyber-Security Incident Response Plans

4.1.5. Training

4.2. Post-Incident Services

4.2.1. Breach Services Toll-free Hotline

4.2.2. Investigation/Clean-up

4.2.3. Incident response

4.2.4. Mitigation Plans

4.2.5. Identity Monitoring, Protection, and Restoration


Submission Date: 03 September 2015 Use or disclosure of data contained on this sheet is subject to the restriction on the table of contents page of this proposal.

1. Introduction

InfoReliance is pleased to provide this summary of corporate capabilities, information, and feedback to the State of Florida, Department of Management Services (DMS) in response to the Request for Information for Cyber-Security Assessment, Remediation, and Identity Protection, Monitoring, and Restoration Services. InfoReliance has extensive expertise in all areas of cybersecurity, to include the functional areas identified, a proven management framework for 24/7 operations, marketspace partnership, and superior human capital management to ensure the DMS benefits from a highly innovative and effective cyber security operations support team. The fundamental element of InfoReliance’s success is our unique expertise in cybersecurity supporting some of the nation’s most critical infrastructure and programs through services that directly align with those sought by DMS. Our place as a recognized performer of such high value work greatly increases our ability to attract top talent and provide forward looking solutions that are responsive to our customers’ needs. The following sections highlight our corporate capabilities within relevant cybersecurity functional areas as identified in the RFI.

2. Background

InfoReliance Corporation is an Information Technology (IT) firm focused on delivering high quality services to the Federal Government. Our expertise is aligned into four core competencies:

► Software Engineering

► Cloud Computing

► Cyber Security

► Enterprise IT

Our rich corporate history and outstanding past performance are a reflection of our internal investments, outstanding technical expertise spanning numerous vertical markets, and proven track record for delivering excellence. InfoReliance is focused on continuous improvement to provide the highest level of service and lowest level of risk to our clients.

2.1. Capabilities

InfoReliance has an exceptional history across the Federal Government. We were recently awarded the prime contracts to develop the Dashboard solution for DHS’s Continuous Diagnostics and Mitigation (CDM) Program and to support DHS’s National Cyber Protection System (NCPS), also known as EINSTEIN. We are the trusted service provider for DHS charged with addressing Congressional mandates and integrating data across program boundaries to enhance Federal agencies’ cyber security posture. In addition to this effort, InfoReliance was selected by the EOP OCIO to implement and operate the White House Security Operations Center. InfoReliance has proven its expertise defending highly-targeted environments such as the White House as well as the Nuclear Security Complex where we provide cybersecurity assessment services for all National Plants and Labs such as Sandia, Lawrence Livermore, PANTEX, Y-12, and Los Alamos.

INFORELIANCE QUICK FACTS

► $800M+ in services delivered to 30+ Federal Agencies through large scale BPAs

► Top Secret Facility Clearance and over 13 years supporting TS/SCI major programs through DoD and Civilian markets

► CMMI Level 3 / ISO 20000 and 27000 certified

► Current Prime contractor for DHS EINSTEIN (TS/SCI) and Continuous Dashboard Monitoring (CDM) initiatives

► Member of Intel Security’s (formerly McAfee) Security Innovation Alliance and maker of CloudHASH Security – a suite of advanced host-based and AWS endpoint security solutions

WHY INFORELIANCE?

► Established first ever Security Operations Center (SOC) for the White House’s unclassified networks

► Assessment team for DHS’s Enhanced Cybersecurity Services (ECS) program, serving critical infrastructure partners under HSPD-7

► Conducted cybersecurity oversight reviews of the Nuclear Security Enterprise for five straight years

InfoReliance is also a member of the McAfee Security Innovation Alliance (SIA) and as a value added reseller can provide both product and professional services for the implementation and optimization of McAfee tools and technologies. McAfee Solution Services provide comprehensive planning, design, and implementation services for all McAfee products. Together, our security experts implement the best practices vital to any successful security rollout.

► McAfee is the world’s largest company dedicated to security technologies

► We have direct past experience with the DHS at multiple levels and components (US-CERT, DHS ICE, DHS HQ, DHS USCIS, DHS OIG, DHS USSS, DHS SOC, and CBP SOC)

► McAfee offers Incident Response support (Foundstone) global depth and presence

► InfoReliance is a McAfee Security Innovation Alliance member and is just 1 of 13 companies worldwide with the McAfee SDK for ePO.

Through this partnership with McAfee, InfoReliance developed The CloudHASH Security Suite, which is an advanced suite of tools that are seamlessly integrated into McAfee® ePolicy Orchestrator® (ePO) and are designed to deliver simplified next generation threat detection capability to the cyber operator and analyst.

InfoReliance Business Profile

Company Size: Large business

Contract Vehicles:
GSA IT Schedule 70: GS-35F-0273L
SEWP V GWAC: NNG15SC19B
CIO-CS GWAC: HHSN316201500016W

DUNs: 143147762

Company NAICS Codes: 61143033411, 511210, 518210, 541330, 541511, 54112, 54113, 54119, 541611, 541712

2.1.1. Incident Response Focus

InfoReliance provides onsite incident response services that include, but are not limited to:

► Incident response

► Computer forensics

► Litigation support

► Electronic evidence discovery

► Expert witness support

For DHS, under the Specialized Security Services (SSS) contract, InfoReliance provides incident response analysts and support for the NCPS. This support includes coordination, information sharing, onsite assessments and containment activities and any needed remediation and after action reporting. Our consultants are capable of assisting at any point during an investigation, from the initial detection that an incident has occurred, to the final resolution of the incident. Our unique blend of capabilities allows us to better handle the high-technology cases and to be more thorough in our analysis.


2.1.2. Cloud Environment Monitoring

InfoReliance has developed a commercial product, CloudHASH Security CloudMonitor (http://cloudhashsecurity.com/products/cloudmonitor), to specifically address the need for robust cloud environment monitoring within AWS. Built for AWS, CloudHASH Security CloudMonitor provides the agentless ability to audit and protect all cloud services – storage & compute – from malware, insider threat, and data loss. Key features and capabilities of CloudMonitor include:

► Insider Threat

► Sandboxing

► Continuous Monitoring

► Intrusion Detection

► Polymorphic Protection

► Cost & Usage Control

In Section 4 Service Requirements, we provide additional details on our capabilities that directly relate to pre-incident and post-incident services.

3. Contact Information

For inquiries regarding this response, please contact Ms. Theresa Grouge, Director of Contracts:

Point of Contact: Theresa Grouge

Company Name: InfoReliance Corporation

Address: 4050 Legato Road, Suite 700, Fairfax, VA 22033

Phone: (703) 246-9360, x1162

Email: [email protected]


4. Service Requirements (RFI Section IV)

In the following section, we outline our specific capabilities as they align to the functional areas identified in the RFI.

4.1. Pre-Incident Services

Our approach to incident response blends the proven, industry-leading process developed using our targeted experience conducting a wide range of programmatic and technical security assessments within the Federal Government and commercial sector. Our approach is highly tailorable, ensuring we will not only address all of DMS’ requirements, but also incorporate the unique operating constraints and high level strategic input without compromising the quality of service.

4.1.1. Incident Response Agreements

As a managed service provider for both cybersecurity and cloud services for over five years, InfoReliance is well versed in establishing blanket agreements with customers to define scope, service level agreements, escalation procedures, and other terms of service. We offer three levels of pre-defined service: Silver, Gold, and Platinum, as well as the ability to tailor these offerings to meet your organization’s specific needs.

4.1.2. Assessments

Our information security assessment methodology combines our unique security operations perspective with the intelligence gathered from our team’s position as an industry leader in incident detection and response. We merge this intelligence and perspective with industry standards (e.g., National Institute of Standards and Technology (NIST) Special Publication 800-53 and the SANS Top 20 Critical Security Controls) to deliver assessments that result in actionable security program improvements focused on reducing overall program risk. Figure 1 illustrates that our approach is comprehensive and accounts for all key aspects of security programs.

Figure 1: Comprehensive Information Security Assessment. InfoReliance’s methodology consists of our unique perspective and intelligence combined with industry standards resulting in actionable security improvements focused on reducing overall program risk in key security areas.


For each key security program area, we identify any weaknesses in the customer’s security posture and provide recommendations for resolving those gaps in a cost effective manner.

4.1.3. Preparation

InfoReliance can provide guidance and recommendations to improve DMS’s security posture and ability to avoid and respond to cybersecurity incidents. These recommendations draw upon our teams that support national security customers such as the National Nuclear Security Administration (NNSA) and Department of Homeland Security (DHS) and incorporate current Federal policy, operating rhythms, and cybersecurity initiatives. Additionally, we align these findings and guidance with proven industry best practices our teams use daily to support some of these same customers. The result is a concise, actionable set of recommendations that will greatly improve your security posture.

This analysis is best delivered when tailored to an organization’s specific requirements, operating constraints, and current state. Therefore, we typically conduct a brief analysis to better understand a customer’s security posture and maturity, and then use this feedback to customize our recommendations to ensure maximum value. Most often, these findings and recommendations are delivered to customers in the form of an executive summary and briefing along with a more detailed report that outlines our approach, findings, and associated recommendations. In many cases, we have assisted customers by implementing many of the recommended changes and in some cases we have also helped facilitate information sharing relationships with other organizations.

4.1.4. Developing Cyber-Security Incident Response Plans

Develop or assist in development of written State Agency plans for incident response in the event of a cyber-security incident.

As the cybersecurity service provider responsible for establishing the White House’s unclassified network Security Operations Center (SOC), InfoReliance is well versed in developing, maintaining, and implementing incident response plans. Our plans align directly with other analysis, findings, and recommendations delivered as part of a previously executed assessment or gap analysis. Typically, these plans incorporate the five step approach to incident response we follow:

► Prepare: Identify key stakeholders and resources required to establish a common understanding of scope, objectives, existing policy, and roles & responsibilities.

► Identify & Respond: Establish activities to coordinate incident response with external parties, implement communication plans, identify suspicious behavior, and validate the security incident.

► Containment: Define standard operating procedures for minimizing impact to business functions and data, and identify tools and techniques to ensure containment of the breach.

► Recovery: Identify responsibility and mechanisms for correcting system deficiencies such as remediating vulnerabilities, configuration errors, and necessary changes to operating procedures.

► Post-Incident Action: Define standard templates for gathering lessons learned and performing root cause analysis to brief stakeholders on key after-action details.

4.1.5. Training

InfoReliance’s cybersecurity consultants regularly provide user awareness and security training to customers. We provide this training as requested and as necessary through a variety of delivery mechanisms to include:

► Written materials

► Instructor-led and recorded training sessions

► Self-service computer and web based training

This training can be tailored for annual compulsory training, advanced administrator training, and to align with specific new capabilities or initiatives as necessary.

4.2. Post-Incident Services

As with the pre-incident services we offer, our post-incident services are tailorable, and directly align with industry best practices. They represent our preferred manner of implementing the very recommendations we provide following a standard security assessment.

4.2.1. Breach Services Toll-free Hotline

InfoReliance operates an enterprise call center in support of all services delivered to customers. This call center supports over a dozen custom line-of-business applications deployed for customers, and our complete managed services portfolio. We offer standard support desk capabilities including a toll-free call center staffed with US citizens in Stafford, VA, a ticketing system, and email response and tracking.

4.2.2. Investigation/Clean-up

InfoReliance provides expert-level investigation and computer forensics services to quickly and effectively assess incidents, data loss, and impact to business functions. Our technical services focus on understanding the method of intrusion, scope, and systems compromised. In parallel, we work with stakeholders to establish and maintain clear, accurate lines of communication to ensure control of the situation. Once the breach is determined to be contained, we shift to remediation. During this phase, our focus is on restoring business functions and systems to a pre-incident state that meets recovery time objectives and recovery point objectives, in a manner common in business continuity planning. As appropriate, we will work with State Agency and law enforcement officials to gather evidence and support a broader investigation.

4.2.3. Incident response

Our approach draws upon the expertise our team has in responding to numerous major breaches from sophisticated attackers, including suspected nation-state threat actors, within private sector organizations and classified environments. In addition to the effective capability to assess, contain, and eradicate cyber adversaries, our team has reach-back to our partner network including Intel Security (formerly McAfee).

During incident response, we will assist in the coordination with stakeholders to support the investigation, from initial detection to the final resolution of the incident. Our incident responders will partner with internal and external POCs to provide remote and onsite expertise, ensure effective incident handling, and communicate regularly to keep stakeholders informed.

As described in Section 4.1.4, we follow a five step approach to incident response:

► Prepare: We coordinate with the key stakeholders to form an integrated team consisting of expert incident responders experienced with sophisticated threats and our incident response support resources. During this phase we assess the evidence provided, determine a recommended course of action for direct engagement, obtain approvals for travel and coordinate onsite support.

► Identify & Respond: We work quickly to confirm the initial method of intrusion and its timing, and determine the scope of the compromise. Key activities include dispelling suspicions surrounding the incident, providing daily briefings to stakeholders, and liaising with law enforcement and external agencies.

► Containment: Next, we focus on minimizing damage and impact to the affected systems. This may include malware analysis, identifying command and control mechanisms and unauthorized access, determining a possible motive behind the incident, and developing a comprehensive containment strategy.

► Recovery: Once an attack is contained, we shift to preventing future incidents and reducing information exposure. We assist system owners with remediating vulnerabilities, improving detection of known indicators of compromise, and recommend mitigations for observed gaps.

► Post-Incident Action: Following remediation, we focus on capturing all knowledge of the incident for future use in refining security requirements, reference architectures, and for use in additional investigations. We produce after-action reports and security incident briefs to communicate with stakeholders.

We recognize that in most cases, our team will be supporting State officials with the incident response, and therefore our consultants will adjust as appropriate to their specific direction.

4.2.4. Mitigation Plans

Much like the assessments and associated recommendations delivered during pre-incident activities, InfoReliance will work with the State Agency to develop and update mitigation plans that incorporate the findings of the breach. These plans may address reorganization to clarify and simplify the chain of command, improve stakeholder communication and engagement, and roles and responsibilities. For needed changes, we will suggest sequence, prioritization, level of effort, and interdependencies. The sequence and prioritization are based on the impact of the associated gaps and the cost and level of effort required to resolve the gaps, as well as any interdependencies that would affect resolution of a particular issue.

4.2.5. Identity Monitoring, Protection, and Restoration

InfoReliance does not offer these services directly, but will partner as needed. Recently, GSA awarded a new Federal Data Breach Recovery Services BPA to ID Experts. Should DMS require services, we recognize this may be the preferred method, but if desired, we can incorporate equivalent services into our solution.