Networx Unit Pricer

Service Guides: Managed Trusted Internet Protocol Service (MTIPS)

2. Technical Description


Technical Summary

In November 2007, the Office of Management and Budget (OMB) announced its Trusted Internet Connections (TIC) initiative, which will limit the number of internet connections (gateways) into Federal Departments and Agencies. In response, GSA developed MTIPS, a Networx service that enables Agencies to meet their TIC requirements. This is a new service that was not offered on previous GSA contracts.

MTIPS allows Agencies to transport Internet Protocol (IP) packets to/from external networks including the Public Internet, business partners' networks and Government-wide intranets and extranets. MTIPS enables Federal Agencies to achieve full compliance with the TIC mandate by facilitating the reduction of the number of Internet connections in Government networks while providing stipulated security functions and controls to all Government users.

The figure below shows a notional architecture for MTIPS. It is a realization of the TIC 1.0 Reference Architecture as required by the OMB TIC initiative.



[Figure: MTIPS Notional Architecture]


As shown in the figure, MTIPS comprises (1) the network infrastructure to transport IP traffic originating in the Agency Enterprise Wide Area Network (WAN) and (2) the TIC portal (DHS Approved Access Point). Together they create an Agency TIC Trusted Domain (DMZ) for IP traffic. (The term DMZ was originally coined as an acronym for demilitarized zone.) The DMZ is created by the contractor to ensure that Agency traffic is protected and physically isolated when transported to the TIC portal and the public internet. Contractor-provided access to the MTIPS Transport POP is included in the DMZ.

The MTIPS (TIC) Portals built by Networx contractors provide access to multiple Tier 1 Internet Service Providers (ISPs). An MTIPS portal functions as an OMB approved Multi-Service Trusted Internet Connection Access Provider (TICAP) capable of hosting multiple Agencies and able to manage and correlate multiple independent traffic streams for each subscribing Agency. The MTIPS Portal provides security services to multiple clients, but allows for specific controls based on Agency requirements.

Prior to subscribing to MTIPS, Agencies must do the following:

  • Designate a Dedicated Approval Authority (DAA).
  • Sign a "Banner" Memorandum of Agreement (MOA) with DHS. The MOA is signed by the DAA and is a legal requirement to monitor Agency traffic using EINSTEIN devices (see Technical Detail section below).
  • Identify MTIPS Gateway Site(s). It is recommended that the Agency consolidate internet/external network bound traffic at a single or at a few Agency sites and conduct site assessments.
  • Review MTIPS C&A certification package and issue Authorization to Operate (ATO) or accept a Global ATO from GSA.

3. Technical Detail

The MTIPS ensures 100% compliance with the OMB mandate upon subscription by the Agencies. MTIPS is an enhancement to the Networx Internet Protocol Service (IPS). It provides an additional layer of security which isolates Agencies' internal traffic from untrusted zones (i.e., the Public Internet and other external networks).

MTIPS Technical Capabilities

MTIPS supports the following technical capabilities described in detail in Section C.2.4.1.5.1.4 of the Networx contracts:

  • Access to the Internet - This capability includes:
    • Established public peering arrangements from the contractor's network to the Internet.
    • Established private peering arrangements from the contractor's network with redundant links to connect to private peering partners.
  • Hosting for the EINSTEIN Enclave - The MTIPS contractors provide cage, power and environmental conditions to host the EINSTEIN enclave; the Government provides the network elements as GFE.
  • DCID 6/9 SCIF - Contractor-provided SCIF space.
  • MTIPS Portal Security Operations Center (SOC) - The SOC provides the following functions:
    • Event Generation of Security Sensors - The security sensors installed support the following functions:
      • E-mail scanning and Filtering.
      • Network Based Firewall virtualized to support all hosted Agencies.
      • Intrusion Detection and Protection in support of vendor and Agency supplied signatures.
      • Anti Virus Protection.
    • Event collection and normalization - The event collectors gather raw information from the security sensors. The messages are normalized and reflect the operating states of the security appliances at the Portal.
    • Control Mechanisms - The MTIPS provides mechanisms for the exchange of information and enables action and reaction to attacks in order to mitigate and prevent them.
    • Systems Logs.
  • MTIPS Transport Collection and Distribution Capabilities.

4. MTIPS Features

The MTIPS Feature set is described in Section C.2.4.1.5.2.1 of the Networx contracts (MTIPS Feature Set). It consists of:

  • Encrypted traffic - Provides scanning and filtering of incoming and outgoing email, web traffic and known bad mail.
  • Agency security policy enforcement.
  • Forensic analysis.
  • Custom reports for ad-hoc user defined reports.
  • Agency NOC/SOC Console - customized to Agency requirements.
  • Custom Certification and Accreditation Support to support more stringent security controls.
  • External network connection.
  • Encrypted DMZ.

Each Networx contractor may provide variations or alternatives to the offering and pricing for MTIPS. The specific details can be found within each Contractor's Networx contract files and pricing notes for MTIPS.

For more information on the general MTIPS specifications and requirements, please refer to Section C.2.4.1.5 of the Networx contracts for technical specifications and Section B.2.4.1.5 for pricing.

5. Price Description

MTIPS Price Basics

MTIPS facilitates the reduction of the number of Internet connections in Government networks and provides standard security services to all Government users. MTIPS is in full compliance with the Office of Management and Budget's (OMB) Trusted Internet Connection (TIC) initiative (M-08-05).

The MTIPS port price includes:

  • TIC Security Operations Center (SOC) equipment
  • TIC Portal Capabilities (Section C.2.4.1.5.1.4.1)
  • Transport Collection and Distribution Capabilities (Section C.2.4.1.5.1.4.2)
  • Network Operations and Management (Section C.2.4.1.5.5)
  • TIC Portal SOC Federal Information Security Management Act (FISMA) Certification and Accreditation (C&A) (Section C.2.4.1.5.8)

CLINs are distinguished by access type:

  • Embedded Access: One CLIN is ordered to obtain both access and transport with one rate.
  • Independent Access (aka Access Services): A separate CLIN for the access is ordered from one contractor to connect an agency's site to another contractor's network.
  • Dedicated Access: A separate CLIN for the access is ordered along with transport service from the same contractor. This is the most commonly ordered option as shown in Example 1 below.

MTIPS is a service that was not offered on the FTS2001 contracts.

Price components required for full end-to-end service for Domestic and Non-Domestic MTIPS:

  • MTIPS Transport monthly recurring charge per port
  • Dedicated Access Arrangements (DAA) Originating and Terminating Wireline Access (MRC) and (NRC)
  • Features* ordered as needed by the Agency:
    • Encrypted Traffic
    • Agency Security Policy Enforcement
    • Forensic Analysis
    • Custom Reports
    • Agency NOC/SOC Console
    • Custom Certification and Accreditation (C&A) Support
    • External Network Connection
    • Encrypted DMZ
  • Service Enabling Devices (SEDs) may be required to implement MTIPS. [Please note that SEDs under Networx replace the FTS2001 User-to-Network Interfaces and Access Adaptation Functions (UNIs/AAFs). SEDs may differ between Networx providers. The pricing structure for SEDs provides for either a one-time payment or monthly term payments for purchase, plus an NRC for installation and an MRC for maintenance.]

* All MTIPS features are priced on an Individual Case Basis (ICB). CLINs with ICB prices are not available in the unit pricer.

Example 1: MTIPS Dedicated T3


  • MTIPS Transport: Choose CLIN 745359 (MTIPS - Dedicated T3 MRC per port)
  • Access NRC: Choose CLIN 760117 Routine T3 Dedicated Access NRC
  • Access MRC: Choose CLIN 760317 Routine T3 Dedicated Access MRC
  • SEDs must be chosen based on equipment required at each location. CLINs may differ between contractors.
