Enterprise Infrastructure Solutions (EIS)
Final Proposal Revisions Volume 1 – Attachment 1 EIS Services Risk Management Framework Plan
Contractor Bid or Proposal Information – See FAR 3.104. Use or disclosure of data contained on this sheet or displayed on this screen is subject to the restriction on the title page of this Proposal document or electronic file. This document or electronic file contains contractor trade secrets and commercial or financial information obtained from a person in a privileged or confidential position, and is exempt from disclosure under FOIA (5 USC 552). See FAR 24.202.
The Security Assessment Report will contain the results of the completed assessment test cases as well as the results of any vulnerability scans performed.
Using the Security Assessment Report as input, a risk analysis report will be prepared to determine the security risk associated with operating the system. The security risk is analyzed for both individual test case findings and the overall EIS Services security posture. The risk determination will be included as part of the authorization package. Per GSA CIO Security Procedural Guide 06-30, the risk assessment will consist of one or more of the following activities:
- A list of threats to the system (hackers, malicious insiders, attacks against the system facility, natural disasters, etc.) will be developed based on threat information available to GSA.
- Using the threat information, Vulnerability/Threat Pairings will be developed.
- Each system instance of absent controls and/or vulnerabilities identified during the Security Assessment will be assessed to evaluate the likelihood that one of the identified threats will exploit an identified vulnerability.
- The possible impact to the system and the GSA if the vulnerability was exploited will be assessed, and a determination of risk will be made based on the likelihood that the threat will exploit the vulnerability and the resulting impact.
- The overall risk level of each EIS Service Offering will be determined by evaluating the risks of all identified vulnerabilities.
The Security Assessment Report will document any findings from the security assessment that are not “Fully Satisfied”, with vulnerability/threat pairing, in-place controls discussion, likelihood, impact, risk discussion/rating, and recommended countermeasures for correcting deficiencies in security controls.
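The following is an added illustration of the risk determination steps above, not part of the EIS proposal or of GSA Procedural Guide 06-30. It takes a threat list and a set of assessment findings, forms vulnerability/threat pairings for every finding that is not "Fully Satisfied", assigns a likelihood and impact to each pairing, rates the risk, and rolls the pairings up to an overall risk level. The three-level scale, the rating matrix, the likelihood heuristic (absent control is High, partial control is Moderate, compensating controls lower it one step), the "overall risk equals highest pairing risk" rule and all sample findings and threats are assumptions constructed for the example; the guide's actual scales are not reproduced on the page.

```python
"""Qualitative risk determination for assessment findings (added example).

Models the steps in the plan: threat list -> vulnerability/threat pairings ->
likelihood and impact per pairing -> risk rating -> overall risk per offering.
Scales, matrix and heuristics below are assumptions, not the GSA guide's.
"""
from dataclasses import dataclass

LEVELS = ("Low", "Moderate", "High")  # assumed three-level qualitative scale

# Assumed likelihood x impact rating matrix; rows are likelihood, columns impact.
RISK_MATRIX = {
    "Low":      {"Low": "Low",      "Moderate": "Low",      "High": "Moderate"},
    "Moderate": {"Low": "Low",      "Moderate": "Moderate", "High": "High"},
    "High":     {"Low": "Moderate", "Moderate": "High",     "High": "High"},
}


@dataclass(frozen=True)
class Threat:
    name: str
    targets: frozenset  # control IDs this threat source could exploit (constructed)


@dataclass(frozen=True)
class Finding:
    control_id: str
    status: str                  # "Fully Satisfied", "Partially Satisfied", "Not Satisfied"
    impact: str                  # impact on the system and GSA if exploited
    compensating_controls: bool  # in-place controls that reduce exploit likelihood
    countermeasure: str          # recommended correction for the deficiency


@dataclass(frozen=True)
class Pairing:
    control_id: str
    threat: str
    likelihood: str
    impact: str
    risk: str
    countermeasure: str


def rate_risk(likelihood: str, impact: str) -> str:
    """Risk rating for one vulnerability/threat pairing from the assumed matrix."""
    return RISK_MATRIX[likelihood][impact]


def assess_likelihood(finding: Finding) -> str:
    """Assumed heuristic: an absent control is highly likely to be exploited by a
    relevant threat, a partial control moderately likely; documented compensating
    controls lower the level by one step."""
    level = "High" if finding.status == "Not Satisfied" else "Moderate"
    if finding.compensating_controls:
        level = LEVELS[max(0, LEVELS.index(level) - 1)]
    return level


def pair_threats(findings, threats):
    """Build vulnerability/threat pairings for every finding that is not
    'Fully Satisfied' and that a listed threat source is able to target."""
    pairings = []
    for f in findings:
        if f.status == "Fully Satisfied":
            continue  # not a deficiency; nothing to pair or report
        for t in threats:
            if f.control_id not in t.targets:
                continue  # this threat has no path through that control
            likelihood = assess_likelihood(f)
            pairings.append(Pairing(f.control_id, t.name, likelihood, f.impact,
                                    rate_risk(likelihood, f.impact), f.countermeasure))
    return pairings


def overall_risk(pairings) -> str:
    """Overall risk for a service offering: assumed to be the highest pairing risk."""
    if not pairings:
        return "Low"
    return max((p.risk for p in pairings), key=LEVELS.index)


def report_lines(pairings):
    """One report line per pairing, in the order the plan lists the fields."""
    return [f"{p.control_id} | {p.threat} | likelihood={p.likelihood} | "
            f"impact={p.impact} | risk={p.risk} | countermeasure: {p.countermeasure}"
            for p in pairings]


# Constructed sample data, not from the proposal.
THREATS = [
    Threat("External attacker", frozenset({"AC-2", "SI-2"})),
    Threat("Malicious insider", frozenset({"AC-2", "AU-6"})),
    Threat("Attack on facility", frozenset({"PE-3"})),
]
FINDINGS = [
    Finding("AC-2", "Partially Satisfied", "High", True, "Automate account reviews"),
    Finding("SI-2", "Not Satisfied", "Moderate", False, "Deploy patch management"),
    Finding("AU-6", "Not Satisfied", "Low", False, "Schedule weekly log reviews"),
    Finding("PE-3", "Fully Satisfied", "High", True, ""),
    Finding("CM-6", "Not Satisfied", "Moderate", False, "Apply baseline configuration"),
]

if __name__ == "__main__":
    pairs = pair_threats(FINDINGS, THREATS)
    print("\n".join(report_lines(pairs)))
    print("Overall risk:", overall_risk(pairs))
```

Two properties of the sample data are worth noting: the CM-6 deficiency produces no pairing because no listed threat source targets that control, so it would appear in the findings list but not carry a risk rating until a threat is added to the list; and the PE-3 control is excluded entirely because it is "Fully Satisfied", matching the report scope described above.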
6.5 Remedial Actions