18F / tts-buy-cloudgov-3pao


Questions relating to RFQ 1322561 #6

Open nalinimartinez opened 6 years ago

nalinimartinez commented 6 years ago

Question

Name and affiliation:
Nalini Martinez
Director, Sales
Kratos SecureInfo
Voice: 703.668.1012
Nalini.Martinez@KratosSecureInfo.com

I am a director of sales working for Kratos and will be acting as the interface for communication between Kratos and GSA.

Section of RFQ documents: RFQ #1322561, Section 3.0 (Requirements)

Questions

  1. How many controls require testing for the systems annual assessment?
  2. Please explain what the anticipated significant changes to the system are in order to determine level of effort for significant change assessment activities.
  3. How many overall vulnerabilities have been remediated since the last annual assessment that will require validation by the 3PAO, and what type of vulnerabilities are they?
     3.1. Penetration testing vulnerabilities?
     3.2. Vulnerability scanning vulnerabilities?
     3.3. Control vulnerabilities?
     3.4. Manual Testing vulnerabilities?
  4. How many devices (if applicable) cannot be scanned using vulnerability scanners and require manual testing?
  5. Which penetration testing attack vectors are in scope for the assessment?
  6. Does the system include any mobile applications? If yes, how many?
  7. Approximately how many dynamic web application pages are in scope for this system?
  8. Approximately how many hosts make up the inventory of this system?

kagreen70 commented 6 years ago
  1. This will have to be determined in collaboration with the JAB. It should be the standard 1/3 controls plus the default set. There are no agency-specific controls.

  2. We estimate no more than 10 SCRs, with a variable level of effort. We don't have the exact changes planned this far in advance - the idea would be to scope out each change as needed.

  3. Vulnerabilities identified in our last annual assessment in our SAR, which have been remediated and will likely need 3PAO validation as part of the next annual assessment:

    3.1. Penetration testing vulnerabilities: 2
    3.2. Vulnerability scanning vulnerabilities: 7
    3.3. Control vulnerabilities: We don't have this as a separate category - each vulnerability has an associated control.
    3.4. Manual Testing vulnerabilities: 17

  4. We scan all VMs in the system using automated scanners (Nessus and OWASP ZAP).

  5. This will have to be determined in collaboration with the JAB.

  6. No

  7. We have 13 dynamic web applications. Most of these are internal deployments of open source web applications, such as Kibana, Concourse, Prometheus, and Grafana.

  8. About 135