Networx Unit Pricer

Service Guides: Managed E-Authentication Service (MEAS)

1. Overview

The Networx contracts require a basic level of security management for their contractors that ensures compliance with Federal Government generally accepted security principles and practices, or better. The contracts employ adequate and reasonable means to ensure and protect the integrity, confidentiality, and availability of Networx services, Operational Support Systems (OSS), and Government information transported or stored in the contractor's Networx services infrastructure. These requirements are detailed in Section C.3.3.2 Security Management of the Networx contracts.

In addition to this mandatory level of security, the Networx contracts provide additional security services that may be ordered on a fee-for-service basis. These are:

  1. Managed Tiered Security Services (MTSS)
  2. Managed Firewall Service (MFS)
  3. Intrusion Detection and Prevention Service (IDPS)
  4. Vulnerability Scanning Service (VSS)
  5. Anti-Virus Management Service (AVMS)
  6. Incident Response Service (INRS)
  7. Managed E-Authentication Service (MEAS)
  8. Secure Managed E-Mail Service (SMEMS)

The Managed E-Authentication Service (MEAS) offering is described below.

2. Technical Description

Managed E-Authentication Service (MEAS) Technical Summary

MEAS enables an individual to remotely authenticate his or her identity to an Agency Information Technology (IT) system. The service provides validation and verification of users via tokens and certificates. MEAS allows Agencies to securely conduct electronic transactions and implement E-Government initiatives via the Internet and other networks. The MEAS contractor provides and manages the authentication systems.

The diagram below illustrates a sample token-based MEAS implementation.




The following diagram illustrates a certificate-based MEAS implementation.


Note that illustrative hardware such as routers and firewalls depicted in the diagrams are not provided as part of the MEAS.

MEAS builds on the FTS2001 contracts offerings. The service connects to and interoperates with the Agency networking environment, including Demilitarized Zones (DMZs) and secure LANs as required by the Agency. The service also supports connectivity to extranets and public networks such as the Internet.

3. Technical Detail

MEAS enables the remote authentication of individual users over a network for the purpose of electronic government and commerce. MEAS technical capabilities are defined in three major categories that are further detailed in Sections C.2.10.6.1.4.1, C.2.10.6.1.4.2 and C.2.10.6.1.4.3 of the Networx contracts.

Design and Engineering Services

  • Provide system architecture and equipment recommendations, a baseline assessment, a final design configuration, and operational procedures.
  • Support the Agency in developing a detailed implementation plan.
  • Provide installation and integration support.

Token-Based Implementation Management

    Token-Based Implementation

  • Set up the authentication service at the identity authentication assurance level specified by the Agency.
  • Issue smart cards and/or other token devices.
  • Follow the E-Authentication federated authentication model to allow agencies to validate multiple levels of authentication via a single interface, enabling inter-Agency acceptance of digital certificates, and a single sign-on capability.
  • Provide authentication methods such as passwords and Personal Identification Numbers (PINs), mechanisms based on fingerprints, and network authentication systems and servers for embedded devices (e.g., routers, modem servers, switches, etc.).
  • Support Agencies in developing, implementing, and maintaining the Authentication, Authorization, and Accounting (AAA) system and servers for network access, including the related tokens, based on, but not limited to, protocols such as RADIUS, TACACS/TACACS+ (Cisco), and DIAMETER.

    Token-Based Management

  • Manage and maintain the user authentication service including the related tokens, such as one-time password devices, smart cards, and hardware tokens.
  • Provide change management functions such as adding/deleting a user, resetting a PIN, modifying the IP addresses of software agents, and user ID administration.
  • Ensure uninterrupted operations using mechanisms such as redundant servers that are located in geographically separate locations with the content continuously synchronized between them.

Certificate-Based Implementation and Management

    Certificate-Based Implementation

  • Set up a managed Public-Key Infrastructure (PKI) that comprises, but is not limited to, Certification Authority (CA), Registration Authority (RA), directory, and associated servers.
  • Host and administer PKI certificates for the Agency, including but not limited to certificate issuance, validation services, Agency application certificate registration, and management.
  • Set up the authentication service at the identity authentication assurance level specified by the Agency.
  • Follow the E-Authentication federated authentication model to allow agencies to validate multiple levels of authentication via a single interface, enabling inter-Agency acceptance of digital certificates, and a single sign-on capability.

    Certificate-Based Management

  • Maintain the database of user names, user IDs, and passwords.
  • Provide digital certificates and digital signatures as well as CA services.
  • Ensure uninterrupted operations using mechanisms such as redundant servers that are located in geographically separate locations with the content continuously synchronized between them.
  • Provide change management functions such as adding/deleting a user, resetting a password, modifying the IP addresses of software agents, and user ID administration.

The MEAS feature set is described in Section C.2.10.6.2 of the Networx contracts. It consists of:

  • Biometric Characteristics - Provide biometric authentication methods including iris scan, voice, and facial recognition, as required by the Agency.
  • Encryption/Digital Signature Client Software - Provide and support the encryption/digital signature client software for the Agency.
  • E-Authentication Training - Provide E-Authentication training to Agency personnel as required.
  • Directory/Repository Function - Develop, implement, and maintain a Directory/Repository function that will support the PKI and/or other e-authentication mechanism chosen by the Agency.

MEAS is required to support the User-to-Network Interfaces (UNIs) defined in applicable Networx services, for example:

  • C.2.3.1 Frame Relay Service (FRS)
  • C.2.3.2 Asynchronous Transfer Mode Service (ATMS)
  • C.2.4.1 Internet Protocol Service (IPS)
  • C.2.7.2 Premises-based IP VPN Services (PBIP-VPNS)
  • C.2.7.3 Network-based IP VPN Services (NBIP-VPNS)

Each Networx contractor may provide variations or alternatives to the offering and pricing for MEAS. The specific details can be found within each Contractor's Networx contract files and pricing notes for MEAS.

For more information on the general MEAS specifications and requirements, please refer to Section C.2.10.6 of the Networx contract for technical specifications and Section B.2.10.6 for pricing.

4. Price Description

MEAS Price Basics

MEAS provides various methods (e.g., tokens, digital certificates, biometrics, e-signatures) for the authentication, validation, and verification of users over an Agency's systems and networks. Any required software components are included in the service prices. MEAS provides the following components:

  • Token-based MEAS.
  • Certificate-based MEAS.

MEAS builds on the FTS2001 contracts offerings.

Price components required for service are:

  • Underlying transport services, such as IPS, to provide connectivity.
  • Basic service (NRC ICB and/or MRC) consisting of either:
    • Token-Based MEAS (NRC ICB + MRC per user)
    • Certificate-Based MEAS (NRC ICB + MRC per user)
  • Features ordered as needed by the Agency:
    • *Biometric Characteristics
    • Encryption/Digital Signature Client Software
    • E-Authentication Training
    • *Directory/Repository Function
  • Service Enabling Devices (SEDs) may be required to implement MEAS. [Please note that SEDs under Networx replace the FTS2001 User-to-Network Interfaces and Access Adaptation Functions (UNIs/AAFs). SEDs may differ between Networx providers. The pricing structure for SEDs provides for either a one-time payment or monthly term payments for purchase, plus an NRC for installation, and an MRC for maintenance.]
  • Design and Engineering (NRC ICB), if necessary.

* Some or all price components are priced on an Individual Case Basis (ICB). CLINs with ICB prices are not available in the unit pricer.

Example 1:
Token-based MEAS for 251 - 500 users





  • Underlying transport: Choose Networx telecommunications services such as IPS.
  • Basic Service NRC: Choose CLIN 380002 (Token-based MEAS NRC ICB).
  • Basic Service MRC: Choose CLIN 380025 (Token-based MEAS between 251 and 500 users MRC per user).
  • SEDs must be chosen based on equipment required at each location. CLINs may differ between contractors.
  • A Design and Engineering NRC may be applicable.

Example 2:
Certificate-based MEAS for 501 - 1,000 users





  • Underlying transport: Choose Networx telecommunications services such as IPS.
  • Basic Service NRC: Choose CLIN 380003 (Certificate-based MEAS NRC ICB).
  • Basic Service MRC: Choose CLIN 380036 (Certificate-based MEAS between 501 and 1,000 users MRC per user).
  • SEDs must be chosen based on equipment required at each location. CLINs may differ between contractors.
  • A Design and Engineering NRC may be applicable.

Each Networx contractor may provide variations or alternatives to the offering and pricing for MEAS. The specific details can be found within each Contractor's Networx contract files and pricing notes for MEAS.

For more information on the general MEAS specifications and requirements, please refer to Section C.2.10.6 of the Networx contract for technical specifications and Section B.2.10.6 for pricing.