The Chief Information Security Officer (CISO) maintains a cybersecurity program based upon the National Institute of Standards and Technology (NIST) risk management framework for complying with and assessing the security posture of all FSA information systems, including partner and other third-party entities. Furthermore, there is independent verification and validation of the controls tested and tracking to closure of all plans of actions and milestones for vulnerabilities, gathering metrics of compliance levels, scorecards, and cybersecurity statistics, and support in managing or audit findings. Independent Verification and Validation of findings, vulnerabilities, and mitigation shall support Federal resources assessments. As such, BPA holders awarded Call Orders under this Service Area are precluded from the award of services under Service Area 4.1.3.

The CISO provides support for FSA Information System Security Officers (ISSO’s) that are responsible for the overall cyber security administration, health, and hygiene of their respective information system. The duties of the CPSS contractor may include designation as a primary or alternate ISSO, as deemed necessary by the CISO. Such duties include acting as the primary point of contact for cybersecurity matters, ensuring compliance with current policies, ensuring cyber defenses are in place and operating as designated by the security plan, updating the entries in the Departmental tracking system (currently Cyber Security Assessment and Management, CSAM), ensuring completion of data sensitivity worksheet/self-assessments, ensuring boundary information is identified, accurate, and current, coordinating disaster recovery plans and tests, ensuring system related documentation is accurate and current, ensuring the system maintains a valid Authority to Operate (ATO), ensuring that users are current and maintain proper authorization, reporting and responding to any security incidents, attending and reporting on ISSO meetings.

The CISO is in charge for several teams focused upon the day- to-day operations and maintaining cybersecurity of FSA information systems. The CISO teams are based upon the five core functions as described within the NIST cybersecurity framework: identify, protect, detect, respond, and recover. FSA employs world-class services and products at its major data center, cloud implementations, as well as strict oversight of third-party contracted servicers. The DoED Security Operations Center (SOC) collaborates with approximately 70 different external contractors/partners at approximately 50 distributed data center sites that support over 200 Federal Information Security Management Act (FISMA) reportable systems. Each external contractor/partner manages a local incident response team (IRT) and/or SOC. The DoED SOC synthesizes data from each of these contractors/partners for oversight monitoring. DoED OCIO requires on-site support for the DoED SOC and FSA requires on-site support for the FSA SOC functions to integrate and monitor the systems and technologies, including the activities that relate to managing the security operations and incident response coordination with these external partners. BPA holders awarded Call Orders under this Service Area are precluded from the award of services under Service Area 4.1.1.

DoED and FSA CISOs address some security requirements through the maintenance and evergreening custom software, applications, and scripts to satisfy specific needs and requirements. Cybersecurity solutions maintain robust protections and features that may fall outside a Commercial Off-The-Shelf (COTS) tool or vendor-standard report. All future technical requirements for software capabilities will adhere to DoED and FSA’s cybersecurity checklist of mandatory requirements.

The CISO is required to maintain the security architecture for
systems under Department control. The CISO provides the expertise to review and develop high-level architecture designs and diagrams as well as technical security architecture for security-sponsored capabilities. The security architecture support is responsible for ensuring that stakeholder protection needs and the corresponding system requirements necessary to protect organizational missions and business functions and individuals’ privacy are adequately addressed in the enterprise architecture including reference models, segment architectures, and solution architectures (systems supporting mission and business processes). The security or privacy architect serves as the primary liaison between the enterprise architect and the systems security or privacy engineer and coordinates with system owners, common control providers, and system security or privacy officers on the allocation of controls. The security architecture function is responsible for aspects of the enterprise architecture that protect information and information systems from unauthorized system activity or behavior to provide confidentiality, integrity, and availability. The security architecture function is responsible for aspects of the enterprise architecture that ensure compliance with privacy requirements and manages the privacy risks to individuals associated with the processing of Personally Identifiable Information (PII).

DoED OCIO and FSA Security Engineering team provides full- service engineering and architecture support to design and document ongoing and future initiatives to enhance the security monitoring and incident response capability. The support is focused on implementation, optimization, administration, and integration of security policy, guidelines, hardening standards, security tools, technology, security design associated documentation, and developing innovative solutions to keep the SOC on the cutting edge of technology.

DoED and FSA CISOs maintain a continuous monitoring program consistent with the Federal Government’s deployment of Information Security Continuous Monitoring (ISCM) and the Department of Homeland Security (DHS) Continuous Diagnostics and Mitigation (CDM) Program. The program implementation is in various levels of deployed with some components fully fielded and others with gaps yet to be addressed. CPSS contractors shall assess current capabilities and mature Department/FSA CDM levels. The overall Program is directed at reducing agency threat surface, improving situational awareness (especially in Federal space), improving response capabilities, and reporting requirements at the Department and FISMA.

Contractors supporting this BPA effort shall meet all the requirements of the FSA Information Resources Program Elements (IRPE) Standards of Work. The specific IRPE requirements shall be specified and provided in detail at the Call Order level.