Volume I
Network Architecture and
Technical Response
Enterprise Infrastructure
Solutions (EIS)
The original document was submitted by Harris Corporation, prior to its
becoming L3Harris Technologies. The following pages are as submitted.
Government Communications Systems
Solicitation No.: QTA0015THA3003
04 November 2016
Volume 1—Attachment 1
Risk Management Framework Plan
Final Proposal Revisions
Enterprise Infrastructure Solutions
(EIS)
For:
General Services Administration/FAS/ITS
Office of Acquisition Ops
1800 F Street, NW
Washington, DC 20405
Attention:
Timothy Horan
Contractor Bid or Proposal information - See FAR 3.104. This proposal or quotation includes data that shall not be
disclosed outside the Government (or in the case of a proposal submitted to a Prime contractor, outside the Prime or
the Government) and shall not be duplicated, used or disclosed, in whole or in part, for any purpose other than to
evaluate this proposal or quotation. If, however, a contract is awarded to this offeror or quoter as a result of, or in
connection with, the submission of this data, the Government shall have the right to duplicate, use or disclose the data
to the extent provided in the resulting contract. This restriction does not limit the Government’s right to use information
contained in this data if it is obtained from another source without restriction. The data subject to this restriction are
contained in sheets or displayed on screens as marked. This document or electronic file contains Harris Corporation
proprietary information, which is exempt from disclosure under the Freedom of Information Act (5 USC 552). See FAR
24.202. Copyright 2016, Harris Corporation.
Enterprise Infrastructure Solutions (EIS)
Final Proposal Revisions Volume 1 Attachment 1 EIS Services Risk Management Framework Plan
Contractor Bid or Proposal Information – See FAR
3.104. Use or disclosure of data contained on this
sheet or displayed on this screen is subject to the restriction on the title
page or opening view screen
of this Proposal document or electronic file. This document or electronic file contains contractor trade
secrets and commercial or financial information obtained from a person in a privileged or confidential
position, and is exempt from disclosure under FOIA (5 USC 552). See FAR 24.202.
1-1-
ii
TABLE OF CONTENTS
Paragraph Title Page
1.0 INTRODUCTION ................................................................................. 1-1-1
1.1 Purpose ............................................................................................... 1-1-2
2.0 RISK MANAGEMENT FRAMEWORK PROCESS...............................1-1-2
3.0 STEP 1 CATEGORIZE INFORMATION SYSTEM........................... 1-1-3
3.1 Information System Description ........................................................... 1-1-3
3.1.1 Mandatory EIS Services ...................................................................... 1-1-3
3.1.2 OPTIONAL EIS SERVICES................................................................. 1-1-4
3.1.3 Name and Contact Information for the Information System Owner...... 1-1-5
3.1.4 Location of the Information System ..................................................... 1-1-6
3.2 Status of the Information System......................................................... 1-1-6
3.3 System Boundaries..............................................................................1-1-6
3.4 System Security Plan...........................................................................1-1-7
3.5 Information System Registration.......................................................... 1-1-8
4.0 STEP 2 SELECT SECURITY CONTROLS ...................................... 1-1-8
4.1 Security Control Selection.................................................................. 1-1-10
4.2 Common Security Controls ................................................................ 1-1-14
4.3 Hybrid Security Controls .................................................................... 1-1-16
4.4 System Specific Security Controls ..................................................... 1-1-17
4.5 Monitoring Strategy............................................................................1-1-19
4.6 Security Plan Approval....................................................................... 1-1-19
TABLE OF CONTENTS (continued)
Paragraph Title Page
5.0 .............................1-1-19
5.1 Security Control Implementation........................................................ 1-1-20
5.2 Security Control Documentation ........................................................ 1-1-20
6.0 .................................... 1-1-22
6.1 Assessment Preparation....................................................................1-1-23
6.2 Scanning and Penetration Testing.....................................................1-1-23
6.3 Security Control Assessment............................................................. 1-1-24
6.4 Security Assessment Report.............................................................. 1-1-25
6.5 Remedial Actions............................................................................... 1-1-26
7.0 ............................1-1-27
7.1 Security Authorization Package ......................................................... 1-1-27
7.2 Plan of Action and Milestones............................................................ 1-1-28
7.3 Risk Determination and Acceptance.................................................. 1-1-29
8.0
SECURITY CONTROLS....................................................................1-1-30
9.0 ACTIVITY SCHEDULE ...................................................................... 1-1-30
LIST OF ILLUSTRATIONS
Figure Title Page
1.0 The NIST RMF Lifecycle, per NIST SP 800-37....................................1-1-1
2.0 Alignment of the SDLC phases with the RMF Phases......................... 1-1-2
3.3 Interconnection Boundaries of EIS Services........................................ 1-1-6
4.0 The Relationship Between Common, Hybrid, and System
Specific controls and the Authorization Decision ................................. 1-1-9
6.0 Security Control Assessment Process............................................... 1-1-22
8.0 Continuous Monitoring Activities........................................................ 1-1-30
9.0 Task Schedule to Obtain Authorization and Approval –
EIS Services ...................................................................................... 1-1-32
LIST OF TABLES
Table Title Page
3.1.1 Harris Mandatory EIS Service Offerings................................................. 1-1-4
3.1.2 Harris Optional EIS Service Offerings .................................................... 1-1-5
4.1 800-53 R4 Moderate Control Baseline ................................................. 1-1-10
4.2 Candidate Controls for Common Control Status .................................. 1-1-14
4.3 Candidate Controls for Hybrid Control Status....................................... 1-1-16
4.4 Candidate Controls for System Specific Control Status........................ 1-1-17
7.2 Required Data Elements of the POA&M............................................... 1-1-28
TABLE OF ACRONYMS
A&A Assessment and Authorization
AC Access Control
AO Authorizing Official
ATO Authorization to Operate
AU Audit and Accountability
BNOC Backup Network Operations Center
BSS Business Support System
C&A Certification and Accreditation
CP Contingency Planning
FCCI Federal Cloud Computing Initiative
FISMA Federal Information Security Management Act
GFP Government Furnished Property
HTEN Harris Trusted Enterprise Network
IPVS IP Voice Services
IR Incident Response
ISSM Information System Security Manager
KPI Key Performance Indicator
LAN Local Area Network
MA Maintenance
MAN Metro Area Network
MNS Managed Network Service
MPLS Multiprotocol Label Switching
NIST National Institute of Standards and Technology
OSAISO Office of the Senior Agency Information Security Officer
PE Physical and Environmental
POA&M Plan of Action and Milestones
POP Point of Presence
PS Personnel
PSTN Public Switched Telephone Network
TABLE OF ACRONYMS (continued)
RA Risk Assessment
RFP Request for Proposal
RMF Risk Management Framework
SATCOM Satellite Communications
SCAP Security Content Automation Protocol
SDLC System Development Life Cycle
SDP Service Delivery Point
SRE Service Related Equipment
SRL Service Related Labor
SSP System Security Plan
VoIP Voice Over Internet Protocol
VPN Virtual Private Network
WAN Wide Area Network
1.0 INTRODUCTION
This Risk Management Framework (RMF) Plan explains how the EIS Services
implement the RMF life cycle as defined in NIST Special Publication 800-37, “Guide for
Applying the Risk Management Framework to Federal Information Systems: A Security
Life Cycle Approach”. The EIS Services provide various infrastructure functions to the
client agencies such as network connectivity, cloud services, managed network and
managed security services.
The Risk Management Framework, illustrated in Figure 1.0, integrates the security life
cycle with the risk life cycle of the system development process.
Figure 1.0. The NIST RMF Lifecycle, per NIST SP 800-37
The Federal Information Security Management Act (FISMA) of 2002 requires that any
IT system that stores, processes or transports Federal Government data be formally
approved through the security Assessment and Authorization (A&A) process (formerly
Certification and Accreditation (C&A)). GSA IT Security Procedural Guide 06-30,
“Managing Enterprise Risk,” describes the GSA implementation of the RMF lifecycle.
process, all assessment documentation and reports will be completed and submitted to
the approval authority prior to authorization of the information system.
The remainder of this document discusses the RMF process on a step by step basis.
3.0 STEP 1 CATEGORIZE INFORMATION SYSTEM
The first step in the RMF process is to determine the security categorization level of
the information system. In accordance with FIPS 199, “Standards for Security
Categorization of Federal Information and Information Systems,” the GSA has
categorized the EIS Services at a minimum impact level of Moderate per the RFP, Section
C.1.8.7.2 and Section G.5.6.2. The Moderate impact level is the baseline level for all
security controls associated with EIS services, with the exception of SATCOM Services
(categorized at a Low impact level) and Managed Network Services (High Impact level
for Authorization controls) or if an alternate impact level is specified by a task order. The
security categorization process determines the NIST SP 800-53 rev 4 security control
baseline (Low-, Moderate-, or High-impact) for the information system.
3.1 Information System Description
The scope of this RMF Plan is the service offering of the Harris EIS Solution. The
solution is divided into mandatory and optional EIS Services.
3.1.1 Mandatory EIS Services
The Harris
3.4 System Security Plan
Harris will develop an EIS Services SSP that describes the information system
(including system boundary) based on guidance from NIST SP 800-18 R1, “Guide for
Developing Security Plans for Federal Information Systems.” The GSA SSP template is
defined in GSA Information Technology (IT) Security Policy, CIO P 2100.1(J). The EIS
Services SSP will provide an overview of the EIS Services security requirements and will
describe the security controls in place or planned to address those requirements.
Descriptive information about the information system is documented in Sections 1-5 of
the SSP, following the GSA SSP template. The EIS Services SSP will include the
following sections based on the GSA SSP template:
System Identification
Information System Categorization
EIS Services Roles and Responsibilities
EIS Services Operational Status
Information System Type
General System Description/Purpose
System Interconnections and Interfaces
Laws, Regulations, Policies and Guides Affecting the Federal Use of the EIS Services
Cloud Controls (if applicable)
Management Controls
    Security Assessment and Authorization (CA)
    Planning (PL)
    Risk Assessment (RA)
    System and Services Acquisition (SA)
Operational Controls
    Security Awareness and Training (AT)
    Configuration Management (CM)
    Contingency Planning (CP)
    Incident Response (IR)
    Maintenance (MA)
    Media Protection (MP)
    Physical and Environmental (PE)
    Personnel (PS)
    System and Information Integrity (SI)
Technical Controls
    Access Control (AC)
    Audit and Accountability (AU)
    Identification and Authentication (IA)
    System and Communications Protection (SC)
Appendices for supporting documentation
3.5 Information System Registration
4.0 STEP 2 SELECT SECURITY CONTROLS
Based on the FIPS 199 impact level of “Moderate” determined for the EIS
Services, GSA selected the security control baseline for the EIS Services as defined
in FIPS 200, “Minimum Security Requirements for Federal Information and Information
Systems,” and its companion NIST SP 800-53 R4, “Security and Privacy Controls for
Federal Information Systems and Organizations.”
security configuration guidelines. The SSP will be updated to reflect the final
configurations and baseline security controls as implemented in the respective EIS
Services.
5.1 Security Control Implementation
Security Content Automation Protocol (SCAP) content will be used in conjunction with
existing guidelines and checklists to assist with continuous monitoring reporting
requirements and validate the configuration baselines.
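An added worked example, not part of the Harris proposal or the GSA guides it cites, of what "using SCAP content to validate the configuration baseline" looks like once a scanner has run: the script parses the rule-result elements of an XCCDF 1.2 TestResult (the result format SCAP 1.2 scanners emit), separates compliant from non-compliant rules, and lists the baseline deviations by severity for continuous monitoring reporting. The sample TestResult, its rule identifiers and the target name are constructed for the example; the mapping of XCCDF result values onto "compliant" and "non-compliant" is an assumption stated in the code.

```python
"""Summarise XCCDF 1.2 rule results against a configuration baseline.

Added example, not part of the Harris proposal or the GSA guides it cites.
It parses the rule-result elements of an XCCDF TestResult, the kind of
output an SCAP scanner produces when it evaluates a benchmark, and reports
which baseline rules failed so the deviations can feed continuous
monitoring reporting. The XML, rule ids and target name are constructed
for the example.
"""
import xml.etree.ElementTree as ET
from collections import Counter

# Namespace of XCCDF 1.2 (the version carried by SCAP 1.2 content).
XCCDF_NS = "http://checklists.nist.gov/xccdf/1.2"

# Assumed mapping of the XCCDF result vocabulary onto compliance outcomes.
# notapplicable, notchecked, notselected and informational are excluded
# from the compliance denominator.
COMPLIANT = {"pass", "fixed"}
NONCOMPLIANT = {"fail", "error", "unknown"}

# Constructed sample TestResult (layout follows XCCDF 1.2; content is made up).
SAMPLE_RESULTS = f"""<TestResult xmlns="{XCCDF_NS}" id="xccdf_example_testresult_baseline"
            start-time="2016-11-01T10:00:00" end-time="2016-11-01T10:05:00">
  <target>router-example-01</target>
  <rule-result idref="xccdf_example_rule_ssh_protocol_2" severity="high">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_disable_telnet" severity="high">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_ntp_authenticated" severity="medium">
    <result>fail</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_login_banner" severity="low">
    <result>pass</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_ipv6_hardening" severity="medium">
    <result>notapplicable</result>
  </rule-result>
  <rule-result idref="xccdf_example_rule_syslog_remote" severity="medium">
    <result>error</result>
  </rule-result>
  <score system="urn:xccdf:scoring:default" maximum="100">50.0</score>
</TestResult>
"""


def parse_rule_results(xml_text):
    """Return (rule_id, severity, result) tuples from an XCCDF TestResult.

    Scanner output that crosses a trust boundary should be parsed with
    defusedxml rather than xml.etree to avoid entity-expansion attacks; the
    stdlib parser is used here because the input is constructed locally.
    """
    root = ET.fromstring(xml_text)
    rows = []
    for rr in root.iter(f"{{{XCCDF_NS}}}rule-result"):
        result_el = rr.find(f"{{{XCCDF_NS}}}result")
        result = "unknown"
        if result_el is not None and result_el.text:
            result = result_el.text.strip()
        rows.append((rr.get("idref"), rr.get("severity", "unknown"), result))
    return rows


def summarize(rows):
    """Compliance counts plus the failed rules, highest severity first."""
    counts = Counter(result for _, _, result in rows)
    sev_rank = {"high": 0, "medium": 1, "low": 2, "info": 3, "unknown": 4}
    failed = sorted(
        ((rule_id, sev) for rule_id, sev, result in rows if result in NONCOMPLIANT),
        key=lambda f: sev_rank.get(f[1], 4),
    )
    scored = sum(n for r, n in counts.items() if r in COMPLIANT | NONCOMPLIANT)
    compliant = sum(n for r, n in counts.items() if r in COMPLIANT)
    pct = round(100.0 * compliant / scored, 1) if scored else 0.0
    return {"counts": dict(counts), "failed": failed,
            "scored": scored, "compliance_pct": pct}


if __name__ == "__main__":
    summary = summarize(parse_rule_results(SAMPLE_RESULTS))
    print(f"baseline compliance: {summary['compliance_pct']}% of {summary['scored']} rules")
    for rule_id, sev in summary["failed"]:
        print(f"  {sev:<7} {rule_id}")
```

The "error" result is deliberately counted as non-compliant: a check that could not run gives no evidence that the baseline setting is in place, and treating it as a pass would silently inflate the compliance figure reported to the continuous monitoring program.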
5.2 Security Control Documentation
Harris will document the security control implementation in the EIS Services SSP. This
will provide a functional description of the control implementation (including planned
inputs, expected behavior, and expected outputs), using the GSA SSP template
described in Paragraph 3.4. Security controls are documented in Sections 3-5 of the SSP
and are presented per the requirements in NIST 800-18 R1. For each control the following
documentation template will be used:
Security control name and requirement text with GSA-defined settings
Control type (Enterprise Common, System Common, Hybrid, System Specific,
Inherited, N/A)
Implementation Status (In-Place, Partially In-Place, Planned, N/A)
Asset group applicability
Description of how the security control is implemented
The completed SSP will include the following supporting documentation in appendices:
Rules of Behavior (Appendix B)
EIS Services Hardware and Software Inventory (Appendix C)
Security Control Tailoring Workbook (Appendix D)
Continuous Monitoring Plan (Appendix E)
Privacy Impact Statement (Appendix F)
Security Assessment Boundary and Scope Document (Appendix G)
GSA Control Summary Table (Appendix H)
Configuration Management Plan (Appendix I)
    Includes the EIS Services System Baseline Configuration Standard Document
    Includes the System Configuration Settings documentation
Incident Response Plan (Appendix J)
    Includes the Incident Response Test Report
Interconnection Security Agreements (ISA), MOAs and MOUs (Appendix K)
E-Authentication Documentation (Appendix L)
Contingency Plan (Appendix M)
    Includes Contingency Plan Test Plan and Test Report
    Includes Disaster Recovery Plan
Business Impact Assessment (Appendix N)
Security Awareness and Training Plan (Appendix O)
Additional supporting documentation to be provided with the EIS Services SSP:
Policies and Procedures
    Access Control
    Security Awareness and Training
    Audit and Accountability
    Security Assessment and Authorization
    Configuration Management
    Contingency Planning
    Identification and Authentication
    Incident Response
    System Maintenance
    Media Protection
    Physical and Environmental
6.1 Assessment Preparation
Per Section G.5.6.4 of the EIS RFP, GSA is responsible for conducting security A&A
activities, including security control reviews and penetration testing.
The Security Assessment Plan will be developed according to GSA guidelines and the
template provided in Appendix A of GSA CIO Security Procedural Guide 06-30. The
assessment plan template includes the following sections:
Introduction – system background information
Methodology – assessment approach, evaluation criteria, test schedule, team,
resources, etc.
System Characterization – description of the system being tested
Assessment Test Cases
6.2 Scanning and Penetration Testing
As stated in GSA IT Security Procedural Guide 11-51, “Conducting Penetration Test
Exercises,” penetration (pen) testing provides a final assurance test of the
operational configuration of the EIS Services.
6.3 Security Control Assessment
The assessment results for all technical, management and operational security
controls feed the authorization to operate decision. The GSA Assessment Test Cases
are the final test input to the authorization decision.
Security Assessment Report will contain results of the completed assessment test cases
as well as the results of any vulnerability scans performed.
Using the Security Assessment Report as input, a risk analysis report will be prepared
to determine the security risk associated with operating the system. The security risk is
analyzed for both individual test case findings and the overall EIS Services security
posture. The risk determination will be included as part of the authorization package. Per
GSA CIO Security Procedural Guide 06-30, the risk assessment will consist of one or
more of the following activities:
A list of threats to the system (hackers, malicious insiders, attacks against the system
facility, natural disasters, etc.) will be developed based on threat information available
to GSA.
Using the threat information, Vulnerability/Threat Pairings will be developed.
Each system instance of absent controls and/or vulnerabilities identified during the
Security Assessment will be assessed to evaluate the likelihood that one of the
identified threats will exploit an identified vulnerability.
The possible impact to the system and to GSA if the vulnerability were exploited will
be assessed, and a risk determination will be made from the likelihood that the threat
exploits the vulnerability and the resulting impact.
The overall risk level of each EIS Service Offering will be determined by evaluating
the risks of all identified vulnerabilities.
The Security Assessment Report will document every finding from the security
assessment that is not “Fully Satisfied,” giving for each the vulnerability/threat
pairing, a discussion of in-place controls, the likelihood, impact and risk
discussion/rating, and the recommended countermeasures for correcting the deficiency.
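An added worked example, not the Harris or GSA methodology, that carries the risk assessment steps above through code: each finding that is not "Fully Satisfied" is recorded as a vulnerability/threat pairing with its in-place controls, likelihood and impact; the risk rating comes from a qualitative likelihood x impact matrix in the style of NIST SP 800-30; the findings are then rolled up to an overall level per EIS service offering and rendered with the data elements the report is required to carry. The matrix cells, the roll-up rule (a service offering takes the highest risk among its findings) and the sample findings are assumptions constructed for the example.

```python
"""Risk determination for findings that are not Fully Satisfied.

Added example, not the Harris or GSA methodology. Each finding is a
vulnerability/threat pairing with its in-place controls, likelihood and
impact; the risk rating comes from a qualitative likelihood x impact matrix
in the style of NIST SP 800-30; each EIS service offering then receives an
overall level. The matrix cells, the roll-up rule (a service offering takes
the highest risk among its findings) and the findings themselves are
assumptions constructed for the example.
"""
from dataclasses import dataclass, field

LEVELS = ("Low", "Moderate", "High")

# Assumed qualitative matrix: RISK_MATRIX[likelihood][impact] -> risk level.
RISK_MATRIX = {
    "Low":      {"Low": "Low",      "Moderate": "Low",      "High": "Moderate"},
    "Moderate": {"Low": "Low",      "Moderate": "Moderate", "High": "High"},
    "High":     {"Low": "Moderate", "Moderate": "High",     "High": "High"},
}


def risk_level(likelihood, impact):
    """Combine likelihood and impact into a qualitative risk rating."""
    for lvl in (likelihood, impact):
        if lvl not in LEVELS:
            raise ValueError(f"level must be one of {LEVELS}, got {lvl!r}")
    return RISK_MATRIX[likelihood][impact]


@dataclass
class Finding:
    finding_id: str
    service: str            # EIS service offering the finding belongs to
    control: str            # 800-53 control that is not Fully Satisfied
    vulnerability: str
    threat: str             # threat source paired with the vulnerability
    in_place_controls: str  # compensating controls already in place
    likelihood: str
    impact: str
    countermeasure: str     # recommended corrective action
    risk: str = field(init=False)

    def __post_init__(self):
        # Derived at construction so a finding can never carry a stale rating.
        self.risk = risk_level(self.likelihood, self.impact)


def overall_risk(findings):
    """Roll findings up to one level per service offering (assumed high-water mark)."""
    per_service = {}
    for f in findings:
        current = per_service.get(f.service)
        if current is None or LEVELS.index(f.risk) > LEVELS.index(current):
            per_service[f.service] = f.risk
    return per_service


def sar_entry(f):
    """Render one finding with the data elements the SAR is required to carry."""
    return "\n".join([
        f"Finding {f.finding_id} ({f.service}, {f.control})",
        f"  Vulnerability/Threat pairing: {f.vulnerability} / {f.threat}",
        f"  In-place controls: {f.in_place_controls}",
        f"  Likelihood: {f.likelihood}; Impact: {f.impact}; Risk: {f.risk}",
        f"  Recommended countermeasure: {f.countermeasure}",
    ])


# Constructed findings; services, controls and descriptions are illustrative.
SAMPLE_FINDINGS = [
    Finding("F-01", "MPLS VPN", "IA-2", "Remote management reachable without MFA",
            "External attacker using stolen credentials",
            "Management VRF restricted to an IP allow-list", "Moderate", "High",
            "Enforce PIV/MFA on all remote administrative access"),
    Finding("F-02", "MPLS VPN", "AU-6", "Audit logs reviewed only on demand",
            "Malicious insider", "Logs forwarded to a central collector",
            "Moderate", "Moderate",
            "Schedule weekly log review; alert on privileged-command events"),
    Finding("F-03", "IPVS", "CP-9", "Call-control configuration backups never restore-tested",
            "Natural disaster or site loss", "Redundant call controllers at the BNOC",
            "Low", "Moderate", "Add a restore test to the contingency plan test plan"),
]

if __name__ == "__main__":
    for finding in SAMPLE_FINDINGS:
        print(sar_entry(finding), end="\n\n")
    for service, level in overall_risk(SAMPLE_FINDINGS).items():
        print(f"Overall risk, {service}: {level}")
```

The high-water-mark roll-up is the conservative choice for an authorization decision: a single High finding makes the service offering High, so it cannot be averaged away by many Low findings, and an authorizing official sees the worst case first.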
6.5 Remedial Actions