
Step 3: Provide Vendor Security Standards


In the previous step, the team provided context for tasks in the RFP. In this step, the team will provide a set of internationally recognized standards for the competing vendors to incorporate into the manufacturing of the database and security mechanisms.

These standards will also serve as metrics of security performance for measuring the security processes incorporated in the product. To prepare, read the following resources:

To be completed by a designated team member:

Address the concepts and issues with respect to disasters and disaster recovery, mission continuity, threats, and cyberattacks. Include this in the RFP.

In the next step, the team will describe defense models for the RFP.

Step 4: Describe Defense Models

Now that team members have established security standards for the RFP, they will focus on defense models. As the contracting officer’s technical representative (COTR), you can provide an approximate timeline for delivery, since the networking environment will have numerous users and classes of access to be granted.

To be completed by a designated team member:

Provide requirements in the RFP for the vendor to state its overall strategy for defensive principles. Explain the importance of understanding these principles. To further your understanding, read about defensive principles.

Then, read these resources on the enclave computing environment and explain how it relates to the defensive principles. The network domains should be at different security levels, with different access rights and different read and write permissions, so that non-members of the enclave cannot taint access to resources and information in the enclave, or vice versa.

For the enclave computing environment, define enclave boundary defense and include enclave firewalls separating databases and networks. The design can be fictional or modeled after an existing model; cite it using your IEEE standard citation format. Define the different environments you expect the databases to be working in and the security policies applicable to each. Provide this information in the RFP.

In the next step, the team will consider database defenses.
