CJIS ACE Subject Matter Expert Services
Statement of Work

Prepared for the Fort Collins Police Services

DIVERSE COMPUTING, INC.
3717 APALACHEE PARKWAY, SUITE 102
TALLAHASSEE, FL 32311

Prepared by Bill Tatun
Work: 850.656.3333 ext. 283
Email: wtatun@diversecomputing.com

3717 Apalachee Pkwy, STE 102, Tallahassee, FL 32311 | www.CJISACE.com | www.diversecomputing.com | 850.656.3333 x3

Table of Contents

I. Background
II. Scope of Work
III. Period of Performance
IV. Location of Performance
V. DCI CJIS ACE Project Staff
VI. Schedule
VII. Fees and Costs
VIII. Acceptance

Fort Collins Police Services | July 6, 2017 | Statement of Work | Copyright © Diverse Computing, Inc.

I. Background

Fort Collins Police Services understands the importance of complying with established operational, technological and security policies related to criminal justice information systems and services. Fort Collins Police Services serves the community by protecting life and property, preserving peace and order, preventing and detecting crime, enforcing laws and ordinances, and promoting the safe, efficient use of the City's streets and highways. Fort Collins Police Services has need for consulting services related to its technology infrastructure, security and business processes as they interrelate to criminal justice information and systems.

Diverse Computing Inc., through its CJIS ACE SME Services, shall provide subject matter expert (SME) consulting hours to help Fort Collins Police Services meet the mandatory minimum requirements put forth by the CJIS Security Policy, the CJIS Systems Officer (CSO) of Colorado, and any additional internal organizational requirements.
The CJIS ACE SME Services will help Fort Collins Police Services' leadership understand the organization's current state of compliance and overall security standing as well as provide strategies to help mitigate any identified compliance issues.

Compliance with the requirements set forth by the CJIS Security Policy, and those set by the Colorado CSO, is essential for Fort Collins Police Services to provide appropriate controls to protect the confidentiality, integrity and availability of critical criminal justice information. Additionally, compliance contributes to maintaining the operational integrity and security of interconnected criminal justice information systems critical to ensuring public safety. Demonstrating compliance allows Fort Collins Police Services to maintain the trust of Colorado's and the nation's criminal justice communities.

II. Scope of Work

Fort Collins Police Services has a requirement for contractual consulting services for its services to ensure CJIS Security Policy compliance. Fort Collins Police Services understands the need to meet the requirements of various policies and directives from the CJIS Security Policy and the Colorado CSO. Fort Collins Police Services is undertaking a review of its operational, technological and security profiles as they relate to applicable and mandated requirements for their business systems and processes.

The project requirements are for DCI's CJIS ACE SME Services to review Fort Collins Police Services' business, technology and security processes related to the criminal justice systems and services. Based on the review, the CJIS ACE SME will develop recommendations for potential revision and enhancement of services related to national and state CJIS security policies.
The first phase of this project consists of a comprehensive review of Fort Collins Police Services' criminal justice information systems, related technology infrastructure and system/data utilization by administrators and users. Information system components that have access to criminal justice information originating from the FBI CJIS Division and/or the Colorado Bureau of Investigation will be part of this review. An organization Compliance Profile will be established and presented as a deliverable in report format.

The second phase of the project consists of working with appropriate Fort Collins Police Services staff to prioritize findings made in the Compliance Profile Report and develop a Mitigation Strategy and Plan for the organization with a focus toward achieving overall compliance and process improvement.

Additionally, CJIS ACE performs an optional Post Mitigation Compliance Review to evaluate Fort Collins Police Services' work implementing the prescribed mitigation strategies. This review would develop a "final" Compliance Profile.

Finally, the CJIS ACE SME Block is another optional add-on service that consists of subject matter expert consulting time (off-site) to be used for additional reviews, interpretation clarifications and/or any other topic related to the CJIS Security Policy. These blocks of time shall be valid for one year, can be renewed, and can be purchased in additional quantities (blocks).

Below is a sample engagement overview to illustrate the chronology and "flow" of the process:

Fort Collins Police Services Engagement Overview (sample)

Phase 1: CJIS ACE Compliance Profile:

1. Schedule and Conduct Kick-off Call (after the SOW is signed)
   a. Attendees usually consist of IT and other management
   b. Introductions and identify areas of responsibility
   c. Discuss logistics, process and schedule on-site assessment day
   d. Answer any questions and/or address any issues
   e. Approximate time 20 - 30 minutes
2. Pre-On-Site Assessment Discovery Email
   a. CJIS ACE Background Information template
      i. Effort to get as much background information prior to the on-site assessment day
      ii. Contains both technical, policy and administrative items
   b. Email follow up, as needed, during this process (usually minimal)
   c. CJIS ACE will also give Ted DeRosa (CBI - CSO) a call to update ourselves with any specific CO requirements he may have (the CJIS ACE team knows Ted very well)
   d. This is not usually an extensive time commitment, but an effort in gathering and providing artifacts such as organizational charts, network diagrams, existing policies, etc.
3. On-Site Assessment Day
   a. CJIS ACE team member is on-site the entire day
   b. Often clients have management, technical and administrative personnel available at the start of the day for the "kick-off"
   c. Step through line-by-line each and every requirement of the CJIS Security Policy (we help prepare for everything)
   d. It usually works out best to have technical and policy-type personnel available the entire day, if possible (for knowledge transfer purposes - which is a BIG value add)
   e. If certain personnel can only be available certain times (e.g. the morning vs the afternoon) we can schedule accordingly
   f. The physical security assessment is done at this time also (need to visit where CJI is being processed, stored, and/or utilized)
   g. We spend the entire day on-site (we do not rush this - we spend as much time as needed on individual topics and will follow up with anything not covered, as appropriate - see below)
4. Follow Up Email/Conference Calls (specific groups/personnel)
   a. Depending on prior progress, follow up activities are conducted (emails) or scheduled (conference calls) as appropriate and as needed
   b. When conference calls are scheduled, they are done so at the availability of Fort Collins personnel
   c. Time commitment on these activities varies, but we ensure we are complete while also being flexible to fit local schedules
5. From the above activities, as inputs, and CJIS ACE analysis, the DRAFT CJIS ACE Compliance Profile is produced and presented to management for review.
6. Management input is integrated and the FINAL Compliance Profile is produced and delivered.

Phase 2: CJIS ACE Mitigation Strategy and Recommendations:

1. Conference Call with Management (and others management invites)
   a. Discuss any input management may have into mitigation process
   b. CJIS ACE will describe next steps and talk about estimation of effort/cost levels
   c. Approximate time 30 minutes
2. CJIS ACE team compiles mitigation strategies and recommendations in a DRAFT document and presents to management.
3. Management input is integrated into the document and a FINAL Mitigation Strategy and Recommendations is produced and delivered.

III. Period of Performance

The period of performance for CJIS ACE Services shall commence on or about August 1, 2017 and follow an agreed upon schedule thereafter using the general time frames set forth in Section VI.

IV. Location of Performance

Services and tasks associated with this engagement will be performed at DCI's work locations in Florida, New York, Texas and/or Virginia and on site at Fort Collins Police Services' work location.

V. DCI CJIS ACE Project Staff

The CJIS ACE team has extensive experience with CJIS policies and will have access to DCI business analysts and technical experts during this engagement, as needed. In addition, the team has extensive experience with the business processes of information technology services, criminal justice, and law enforcement.
Most importantly, they know how these disciplines need to interact to be effective and efficient with one another.

The assigned CJIS ACE team and a brief list of past experiences establishing them as nationally recognized subject matter experts are:

William "Bill" Tatun, Director - CJIS ACE Division
• New York State Trooper (> 24 years) last rank: Staff Inspector (executive-level)
• FBI CJIS Advisory Policy Board (APB) Member
• APB CJIS Security and Access Subcommittee Chairman
• NY State CJIS Systems Officer (CSO) and CJIS Information Security Officer (ISO)
• NY State NLETS Representative & Board Member for NLETS Board of Directors
• NLETS Technical Operations Committee Member
• NYS Director of Information Security and Sharing - Public Safety
• NY State Police Director of Information Services
• NY State Police Information Security Officer
• NY State Division of Criminal Justice Services Information Security Officer
• B.S. Degree - Information Technology Security
• Certified Information Systems Security Professional (CISSP)
• Certified Information Security Manager (CISM)

Larry Coffee, Senior ACE and Security Analyst
• 22 years of experience with the Florida Department of Law Enforcement (FDLE)
• FDLE CJIS Information Security Officer
• FDLE Tallahassee and Pensacola Regions Information Manager
• FDLE NCIC/FCIC auditor
• FBI-CJIS Advisory Policy Board (APB) experience
• Security and Access Subcommittee member
• Security Policy Rewrite Task Force (v5.0) member
• Chairman of the Mobile Security Task Force
• NCIC Warrants Task Force Member

Douglas Hopkins, CJIS Security Analyst and CJIS Subject Matter Expert
• Experienced information technology as developer, supervisor and manager (>36 years)
• Responsibility related to the New York Statewide Police Information Network (NYSPIN) (>30 years)
• 30 years experience in project management methodologies
• 30 years experience in business process analysis and improvement
• 15 years as the NYS lead in implementing NLETS services within NYSPIN
• Member of cross-agency team charged with developing a roadmap for migration of NYSPIN to open systems technology
• Managed team of 20+ developers and analysts in converting mainframe state message switch (NYSPIN) to open systems technology (NYS eJusticeNY - Integrated Justice Portal)
• NYS NLETS Representative
• Member of the NLETS Technical Operations Committee
• Experience with CJIS audits for policy and procedure compliance (>12 years)
• NYS audit coordinator for NCIC and IT Security compliance (6 years)
• Team Member - NYS IT transformation for Criminal Justice agencies, developing a roadmap for consolidation of state agency IT staff into a single NYS IT organization

Alan Ferretti, CJIS Security Analyst and CJIS Subject Matter Expert
• 12 Years of Service with the Texas Department of Public Safety
• CJIS Information Security Officer for the State of Texas
• APB Security and Access Subcommittee Chairman and Member
• Specialized in:
  • Advanced Authentication
  • Virtualization
  • Encryption
  • Smart phones and tablet compliance
  • Mobile Device Management (MDM)
  • Compliant Cloud computing
• Established the CJIS Compliance Program for the State of Texas
• Hired and Trained a staff of 12 CJIS Auditors
• Supported Criminal Justice and Noncriminal Justice Users
• Worked with the Cloud Vendor Community on CJIS Compliance
• Programming Manager for the Texas conversion to NCIC 2000

Patrick "Pete" Fagan, CJIS Security Analyst and CJIS Subject Matter Expert
• Virginia State Police (26 years) Last Rank: Assistant Division Commander - CJIS Division
• Assistant CJIS Systems Officer (CSO) (6 years)
• Virginia NLETS Representative
• Virginia 24/7 Operations Duty Officer for all FBI CJIS Systems (NCIC, III, IAFIS, N-Dex)
• Virginia Program Manager - Operations and CJA/NCJA Audits (NCIC, III, NIBRS, ISO, NICS, IAFIS) - 400+ agencies/27,000+ users
• Administrative Project Lead: Advanced Authentication and Encryption Implementation
• Implementation of Virginia CJIS Security Awareness Training Program
• Virginia State Police CJIS Division - Continuity of Operations Officer
• Virginia State Police Administrative Headquarters Physical Security Control Officer
• FBI CJIS Advisory Board: Uniform Crime Reporting Subcommittee Member
• Virginia AMBER/Senior Alert Program Manager
• IACP CJIS Committee Member
• National Institute of Justice - Intelligence Sharing Advisory Group Member
• N-Dex Operations Task Force Member
• Virginia State Police - Bureau of Criminal Investigations (14 years) - Illicit Drug Investigations, Technical Surveillance Operations

VI. Schedule

Below is a proposed draft schedule showing approximate timeframes. An actual start date and schedule will be established upon statement of work execution, P.O. receipt by DCI and availability of appropriate Department and DCI personnel.

Phase 1: Establish Compliance Profile
  Conduct Preliminary Compliance Review Conference (kick-off): 8/1
  Data Gathering (outreach as needed to appropriate personnel) & Compliance Review Meeting(s), as needed (in lieu of on-site): 8/1-30
  Present Draft Compliance Profile Report (w/10-day review/comments): 9/6
  Deliver Final Compliance Profile Report: 9/16

Phase 2: Establish the Mitigation Strategy and Plan
  Prioritize Compliance Profile Recommendations (Conference Calls): 9/19
  Develop Mitigation Strategy and Plan (Conference Calls as needed): 9/20-31
  Present Draft Mitigation Strategy and Plan (w/10-day review/comments): 10/6
  Deliver Final Mitigation Strategy and Plan: 10/16

(Note - Depending on the process and findings of the Compliance Profile, the Mitigation Strategy and Plan timeline could be greatly accelerated to produce a combined final document for both Phases.)

CJIS ACE Services (Optional Add-ons)
  Post Mitigation Review (off-site) - Follow-up review after implementation of mitigation strategies.
  LASO Boot-Camp (on-site) - Intensive one-day on-site training: What a LASO Needs to Know.
  CJIS ACE Services - Consulting Time Block [10 hours] (off-site) - General consulting time to be used for subject matter expert review, input, etc.

VII. Fees and Costs

DCI's efforts will be billed according to the table below at a fixed price of $5,900.00 + optional Post Mitigation Review and CJIS ACE SME Time, if desired. Subsequent CJIS ACE SME Time will be billed at a fixed price of $2,900.00 per block. Additionally, a Follow-up Compliance Review (on-site) is billed at a fixed rate of $3,500. Payments will be made to DCI upon completion and acceptance of all identified tasks in Phases 1 and 2 and prior to the utilization of subject matter expert time.

Description
  Phase 1: Establish Compliance Profile (includes one day, on-site review): $3,500.00
  Phase 2: Establish Mitigation Strategy and Plan: $2,400.00
  Total: $5,900.00

Optional Add-ons
  Post Mitigation Review (off-site): $3,000.00
  LASO Boot Camp (on-site): $2,395.97
  CJIS ACE SME Time (Quantity 1 = 10 hours) (off-site): $1,650.00

Payment terms are Net 30. A single invoice will be prepared. Payment will be made out to Diverse Computing Inc., and sent to 3717 Apalachee Parkway, STE 102, Tallahassee, FL 32311.

Primary Contact:
Craig Gibbens, Account Manager
3717 Apalachee Parkway, STE 102, Tallahassee, FL 32311
850.656.3333 ext. 254
cgibbens@diversecomputing.com

Accounting Contact:
Dan Percy
3717 Apalachee Parkway, STE 102, Tallahassee, FL 32311
850.656.3333 ext. 252
dpercy@diversecomputing.com

VIII. Acceptance

The contents of this document are approved by:

<Signatory>
Fort Collins Police Services

Craig Gibbens
Account Manager
Diverse Computing, Inc.