Opens a Microsoft Word document-Task Order Title.doc

Task Order Title Department of Defense (DoD)-wide Enterprise License for an automated Secure Configuration Remediation (SCR) tool. Background Vulnerability Management Vulnerabilities exist when there is a flaw or weakness in hardware or software that can be exploited resulting in a violation of security policy. Vulnerabilities can be the result of a flaw in the coding of software, configuration, and a great number of other factors. As systems and applications become more complex, the number of lines of code multiplies exponentially. Consequently, the potential for flaws also multiplies. By exploiting vulnerabilities malicious code can cause significant and pervasive damage. Contractors, users, researches, and hackers often discover vulnerabilities in existing systems or applications. To rectify the problem, contractors often issue a short-term fix in the form of a patch or recommended change to protocol or configuration. While the threat to Department of Defense (DoD) systems cannot be eliminated, the following processes effectively manage the risk associated with vulnerabilities: Automated Vulnerability Identification and Reporting Automated Vulnerability Remediation A critical aspect of effective Computer Network Defense (CND) is ensuring software operating systems and applications are kept up-to-date with the latest vulnerability patch. 4.0 TECHNICAL REQUIREMENTS 4.1 OBJECTIVE This SCR Initiative effort is to provide an ENTERPRISE-wide automated standardized tool to remediate emerging and known IA vulnerabilities at the asset level. 4.1.1 INTEROPERABILITY REQUIREMENTS The system shall accept the input from the Secure Configuration Compliance Validation Initiative (SCCVI) tool. This tool is the eEye Digital Security Retina suite. This tool shall be interoperable with those SCCVI tools that are currently deployed in the “ENTERPRISE” (for example. Harris STAT, ISS, Foundstone, Nessus). The system shall accept input and deliver output via standard