This repository has been archived by the owner on Aug 27, 2019. It is now read-only.
Name and affiliation
Nalini Martinez
Director, Sales
Kratos SecureInfo
Voice: 703.668.1012
[email protected]
I am a director of sales working for Kratos and will be acting as the interface for communication between Kratos and GSA.
Section of RFQ documents
RFQ #1322561: Section 3.0 (Requirements)
Questions
1. How many controls require testing for the system's annual assessment?
2. Please explain what the anticipated significant changes to the system are in order to determine level of effort for significant change assessment activities.
3. How many overall vulnerabilities have been remediated since the last annual assessment that will require validation by the 3PAO and what type of vulnerabilities are they?
   3.1. Penetration testing vulnerabilities?
   3.2. Vulnerability scanning vulnerabilities?
   3.3. Control vulnerabilities?
   3.4. Manual Testing vulnerabilities?
4. How many devices (if applicable) cannot be scanned using vulnerability scanners and require manual testing?
5. Which penetration testing attack vectors are in scope for the assessment?
6. Does the system include any mobile applications? If yes, how many?
7. Approximately how many dynamic web application pages are in scope for this system?
8. Approximately how many hosts make up the inventory of this system?
1. This will have to be determined in collaboration with the JAB. It should be the standard 1/3 controls plus the default set. There are no agency-specific controls.
2. We estimate no more than 10 SCRs, with variable level of effort. We don’t have the exact changes planned this far in advance - the idea would be to scope out each change as needed.
3. Vulnerabilities identified in our last annual assessment in our SAR, which have been remediated and will likely need 3PAO validation as part of the next annual assessment:
   3.1. Penetration testing vulnerabilities: 2
   3.2. Vulnerability scanning vulnerabilities: 7
   3.3. Control vulnerabilities: We don’t have this as a separate category - each vulnerability has an associated control.
   3.4. Manual Testing vulnerabilities: 17
4. We scan all VMs in the system using automated scanners (Nessus and OWASP ZAP).
5. This will have to be determined in collaboration with the JAB.
6. No
7. We have 13 dynamic web applications. Most of these are internal deployments of open source web applications, such as Kibana, Concourse, Prometheus, and Grafana.