CORRESPONDENCE - AGREEMENT MISC - DIVERSE COMPUTING INC (2)
CJIS Audit & Compliance Experts, Diverse Computing
CJIS ACE
Subject Matter Expert Services
Statement of Work
Prepared for the Fort Collins Police Services
DIVERSE COMPUTING, INC.
3717 APALACHEE PARKWAY, SUITE 102
TALLAHASSEE, FL 32311
Prepared by Bill Tatun
Work: 850.656.3333 ext. 283
Email: wtatun@diversecomputing.com
3717 Apalachee Pkwy, STE 102
Tallahassee, FL 32311
www.CJISACE.com
www.diversecomputing.com
850.656.3333 x3
Table of Contents
DCI Statement of Work
Fort Collins Police Services
I. Background
II. Scope of Work
III. Period of Performance
IV. Location of Performance
V. DCI CJIS ACE Project Staff
VI. Schedule
VII. Fees and Costs
VIII. Acceptance
Fort Collins Police Services
July 6, 2017
Statement of Work
Copyright © Diverse Computing, Inc.
Page 2 of 12
I. Background
Fort Collins Police Services understands the importance of complying with established operational,
technological and security policies related to criminal justice information systems and services. Fort
Collins Police Services serves the community by protecting life and property, preserving peace and order,
preventing and detecting crime, enforcing laws and ordinances, and promoting the safe, efficient use of
the City's streets and highways. Fort Collins Police Services has a need for consulting services related to its
technology infrastructure, security and business processes as they interrelate to criminal justice
information and systems.

Diverse Computing Inc., through its CJIS ACE SME Services, shall provide subject matter expert (SME)
consulting hours to help Fort Collins Police Services meet the mandatory minimum requirements put
forth by the CJIS Security Policy, the CJIS Systems Officer (CSO) of Colorado, and any additional
internal organizational requirements. The CJIS ACE SME Services will help Fort Collins Police Services'
leadership understand the organization's current state of compliance and overall security standing as well
as provide strategies to help mitigate any identified compliance issues.

Compliance with the requirements set forth by the CJIS Security Policy, and those set by the Colorado
CSO, is essential for Fort Collins Police Services to provide appropriate controls to protect the
confidentiality, integrity and availability of critical criminal justice information. Additionally, compliance
contributes to maintaining the operational integrity and security of interconnected criminal justice
information systems critical to ensuring public safety. Demonstrating compliance allows Fort Collins
Police Services to maintain the trust of Colorado's and the nation's criminal justice communities.
II. Scope of Work
Fort Collins Police Services has a requirement for contractual consulting services for its services to ensure
CJIS Security Policy compliance. Fort Collins Police Services understands the need to meet the
requirements of various policies and directives from the CJIS Security Policy and the Colorado CSO. Fort
Collins Police Services is undertaking a review of its operational, technological and security profiles as
they relate to applicable and mandated requirements for their business systems and processes.

The project requirements are for DCI's CJIS ACE SME Services to review Fort Collins Police Services'
business, technology and security processes related to the criminal justice systems and services. Based on
the review, the CJIS ACE SME will develop recommendations for potential revision and enhancement of
services related to national and state CJIS security policies.

The first phase of this project consists of a comprehensive review of Fort Collins Police Services'
criminal justice information systems, related technology infrastructure and system/data utilization by
administrators and users. Information system components that have access to criminal justice information
originating from the FBI CJIS Division and/or the Colorado Bureau of Investigation will be part of this
review. An organization Compliance Profile will be established and presented as a deliverable in report
format.

The second phase of the project consists of working with appropriate Fort Collins Police Services staff to
prioritize findings made in the Compliance Profile Report and develop a Mitigation Strategy and Plan for
the organization with a focus toward achieving overall compliance and process improvement.

Additionally, CJIS ACE performs an optional Post Mitigation Compliance Review to evaluate Fort
Collins Police Services' work implementing the prescribed mitigation strategies. This review would
develop a "final" Compliance Profile.

Finally, the CJIS ACE SME Block is another optional add-on service that consists of subject matter
expert consulting time (off-site) to be used for additional reviews, interpretation clarifications and/or any
other topic related to the CJIS Security Policy. These blocks of time shall be valid for one year, can be
renewed, and can be purchased in additional quantities (blocks).

Below is a sample engagement overview to illustrate the chronology and "flow" of the process:

Fort Collins Police Services Engagement Overview (sample)
Phase 1: CJIS ACE Compliance Profile:
1. Schedule and Conduct Kick-off Call (after the SOW is signed)
   a. Attendees usually consist of IT and other management
   b. Introductions and identify areas of responsibility
   c. Discuss logistics, process and schedule on-site assessment day
   d. Answer any questions and/or address any issues
   e. Approximate time 20 - 30 minutes
2. Pre-On-Site Assessment Discovery Email
   a. CJIS ACE Background Information template
      i. Effort to get as much background information prior to the on-site
         assessment day
      ii. Contains both technical, policy and administrative items
   b. Email follow up, as needed, during this process (usually minimal)
   c. CJIS ACE will also give Ted DeRosa (CBI - CSO) a call to update ourselves with any
      specific CO requirements he may have (the CJIS ACE team knows Ted very well)
   d. This is not usually an extensive time commitment, but an effort in gathering
      and providing artifacts such as organizational charts, network diagrams,
      existing policies, etc.
3. On-Site Assessment Day
   a. CJIS ACE team member is on-site the entire day
   b. Often clients have management, technical and administrative personnel
      available at the start of the day for the "kick-off"
   c. Step through line-by-line each and every requirement of the CJIS Security
      Policy (we help prepare for everything)
   d. It usually works out best to have technical and policy-type personnel available
      the entire day, if possible (for knowledge transfer purposes - which is a BIG
      value add)
   e. If certain personnel can only be available certain times (e.g. the morning vs the
      afternoon) we can schedule accordingly
   f. The physical security assessment is done at this time also (need to visit where
      CJI is being processed, stored, and/or utilized)
   g. We spend the entire day on-site (we do not rush this - we spend as
      much time as needed on individual topics and will follow up with anything not
      covered, as appropriate - see below)
4. Follow Up Email/Conference Calls (specific groups/personnel)
   a. Depending on prior progress, follow up activities are conducted (emails) or
      scheduled (conference calls) as appropriate and as needed
   b. When conference calls are scheduled, they are done so at the availability of Fort
      Collins personnel
   c. Time commitment on these activities varies, but we ensure we are complete
      while also being flexible to fit local schedules
5. From the above activities, as inputs, and CJIS ACE analysis, the DRAFT CJIS ACE
   Compliance Profile is produced and presented to management for review.
6. Management input is integrated and the FINAL Compliance Profile is produced and
   delivered.
Phase 2: CJIS ACE Mitigation Strategy and Recommendations:
1. Conference Call with Management (and others management invite)
   a. Discuss any input management may have into mitigation process
   b. CJIS ACE will describe next steps and talk about estimation of effort/cost levels
   c. Approximate time 30 minutes
2. CJIS ACE team compiles mitigation strategies and recommendations in a DRAFT
   document and presents to management.
3. Management input is integrated into the document and a FINAL Mitigation Strategy
   and Recommendations is produced and delivered.
III. Period of Performance
The period of performance for CJIS ACE Services shall commence on or about August 1, 2017 and
follow an agreed upon schedule thereafter using the general time frames set forth in Section VI.
IV. Location of Performance
Services and tasks associated with this engagement will be performed at DCI's work locations in Florida,
New York, Texas and/or Virginia and on site at Fort Collins Police Services' work location.
V. DCI CJIS ACE Project Staff
The CJIS ACE team has extensive experience with CJIS policies and will have access to DCI business
analysts and technical experts during this engagement, as needed. In addition, the team has extensive
experience with the business processes of information technology services, criminal justice, and law
enforcement. Most importantly, they know how these disciplines need to interact to be effective and
efficient with one another.
The assigned CJIS ACE team and a brief list of past experiences establishing them as nationally
recognized subject matter experts are:
William "Bill" Tatun, Director - CJIS ACE Division
• New York State Trooper (> 24 years) last rank: Staff Inspector (executive-level)
• FBI CJIS Advisory Policy Board (APB) Member
• APB CJIS Security and Access Subcommittee Chairman
• NY State CJIS Systems Officer (CSO) and CJIS Information Security Officer (ISO)
• NY State NLETS Representative & Board Member for NLETS Board of Directors
• NLETS Technical Operations Committee Member
• NYS Director of Information Security and Sharing - Public Safety
• NY State Police Director of Information Services
• NY State Police Information Security Officer
• NY State Division of Criminal Justice Services Information Security Officer
• B.S. Degree - Information Technology Security
• Certified Information Systems Security Professional (CISSP)
• Certified Information Security Manager (CISM)
Larry Coffee, Senior ACE and Security Analyst
• 22 years of experience with the Florida Department of Law Enforcement (FDLE)
• FDLE CJIS Information Security Officer
• FDLE Tallahassee and Pensacola Regions Information Manager
• FDLE NCIC/FCIC auditor
• FBI-CJIS Advisory Policy Board (APB) experience
• Security and Access Subcommittee member
• Security Policy Rewrite Task Force (v5.0) member
• Chairman of the Mobile Security Task Force
• NCIC Warrants Task Force Member
Douglas Hopkins, CJIS Security Analyst and CJIS Subject Matter Expert
• Experienced information technology as developer, supervisor and manager (>36 years)
• Responsibility related to the New York Statewide Police Information Network (NYSPIN) (>30 years)
• 30 years experience in project management methodologies
• 30 years experience in business process analysis and improvement
• 15 years as the NYS lead in implementing NLETS services within NYSPIN
• Member of cross-agency team charged with developing a roadmap for migration of NYSPIN to
  open systems technology
• Managed team of 20+ developers and analysts in converting mainframe state message switch
  (NYSPIN) to open systems technology (NYS eJusticeNY - Integrated Justice Portal)
• NYS NLETS Representative
• Member of the NLETS Technical Operations Committee
• Experience with CJIS audits for policy and procedure compliance (>12 years)
• NYS audit coordinator for NCIC and IT Security compliance (6 years)
• Team Member - NYS IT transformation for Criminal Justice agencies, developing a roadmap for
  consolidation of state agency IT staff into a single NYS IT organization
Alan Ferretti, CJIS Security Analyst and CJIS Subject Matter Expert
• 12 Years of Service with the Texas Department of Public Safety
• CJIS Information Security Officer for the State of Texas
• APB Security and Access Subcommittee Chairman and Member
• Specialized in:
    • Advanced Authentication
    • Virtualization
    • Encryption
    • Smart phones and tablet compliance
    • Mobile Device Management (MDM)
    • Compliant Cloud computing
• Established the CJIS Compliance Program for the State of Texas
• Hired and Trained a staff of 12 CJIS Auditors
• Supported Criminal Justice and Noncriminal Justice Users
• Worked with the Cloud Vendor Community on CJIS Compliance
• Programming Manager for the Texas conversion to NCIC 2000
Patrick "Pete" Fagan, CJIS Security Analyst and CJIS Subject Matter Expert
• Virginia State Police (26 years) Last Rank: Assistant Division Commander - CJIS Division
• Assistant CJIS Systems Officer (CSO) (6 years)
• Virginia NLETS Representative
• Virginia 24/7 Operations Duty Officer for all FBI CJIS Systems (NCIC, III, IAFIS, N-Dex)
• Virginia Program Manager - Operations and CJA/NCJA Audits (NCIC, III, NIBRS, ISO, NICS,
  IAFIS) - 400+ agencies/27,000+ users
• Administrative Project Lead: Advanced Authentication and Encryption Implementation
• Implementation of Virginia CJIS Security Awareness Training Program
• Virginia State Police CJIS Division - Continuity of Operations Officer
• Virginia State Police Administrative Headquarters Physical Security Control Officer
• FBI CJIS Advisory Board: Uniform Crime Reporting Subcommittee Member
• Virginia AMBER/Senior Alert Program Manager
• IACP CJIS Committee Member
• National Institute of Justice - Intelligence Sharing Advisory Group Member
• N-Dex Operations Task Force Member
• Virginia State Police - Bureau of Criminal Investigations (14 years) - Illicit Drug Investigations,
  Technical Surveillance Operations
VI. Schedule
Below is a proposed draft schedule showing approximate timeframes. An actual start date and schedule
will be established upon statement of work execution, P.O. receipt by DCI and availability of appropriate
Department and DCI personnel.

Phase 1: Establish Compliance Profile
Conduct Preliminary Compliance Review Conference (kick-off)    8/1
Data Gathering (outreach as needed to appropriate personnel) &
Compliance Review Meeting(s), as needed (in lieu of on-site)    8/1-30
Present Draft Compliance Profile Report (w/10-day review/comments)    9/6
Deliver Final Compliance Profile Report    9/16

Phase 2: Establish the Mitigation Strategy and Plan
Prioritize Compliance Profile Recommendations (Conference Calls)    9/19
Develop Mitigation Strategy and Plan (Conference Calls as needed)    9/20-31
Present Draft Mitigation Strategy and Plan (w/10-day review/comments)    10/6
Deliver Final Mitigation Strategy and Plan    10/16

(Note - Depending on the process and findings of the Compliance Profile, the Mitigation
Strategy and Plan timeline could be greatly accelerated to produce a combined final
document for both Phases.)

CJIS ACE Services (Optional Add-ons)
Post Mitigation Review (off-site)
- Follow-up review after implementation of mitigation strategies.
LASO Boot-Camp (on-site)
- Intensive one-day on-site training: What a LASO Needs to Know.
CJIS ACE Services - Consulting Time Block [10 hours] (off-site)
- General consulting time to be used for subject matter expert review, input, etc.
VII. Fees and Costs
DCI's efforts will be billed according to the table below at a fixed price of $5,900.00 + optional Post
Mitigation Review and CJIS ACE SME Time, if desired. Subsequent CJIS ACE SME Time will be billed
at a fixed price of $2,900.00 per block. Additionally, a Follow-up Compliance Review (on-site) is billed
at a fixed rate of $3,500. Payments will be made to DCI upon completion and acceptance of all identified
tasks in Phases 1 and 2 and prior to the utilization of subject matter expert time.

Description
Phase 1: Establish Compliance Profile (includes one day, on-site review)    $3,500.00
Phase 2: Establish Mitigation Strategy and Plan    $2,400.00
Total:    $5,900.00

Optional Add-ons
Post Mitigation Review (off-site)    $3,000.00
LASO Boot Camp (on-site)    $2,395.97
CJIS ACE SME Time (Quantity 1 = 10 hours) (off-site)    $1,650.00

Payment terms are Net 30.
A single invoice will be prepared.
Payment will be made out to Diverse Computing Inc., and sent to 3717 Apalachee Parkway, STE 102,
Tallahassee, FL 32311.

Primary Contact:
Craig Gibbens, Account Manager
3717 Apalachee Parkway, STE 102, Tallahassee, FL 32311
850.656.3333 ext. 254
cgibbens@diversecomputing.com

Accounting Contact:
Dan Percy
3717 Apalachee Parkway, STE 102, Tallahassee, FL 32311
850.656.3333 ext. 252
dpercy@diversecomputing.com
VIII. Acceptance
The contents of this document are approved by:
<Signatory>
Fort Collins Police Services
Craig Gibbens
Account Manager
Diverse Computing, Inc.