Risk Management Framework
Why Peregrine? In one word: Trust! Peregrine has completed all contracts on time and on budget. We are a small business that is very agile and responsive to our customers. However, we are also large enough, with $22M revenue and 300 employees spread across all 54 states and territories, to effectively support this contract. Peregrine Technical Solutions, LLC (Peregrine) is an SBA 8(a) certified, Alaskan Native Corporation (ANC), operating with a primary NAICS code of 541519, under the small business standard of $27.5M. Our CAGE Code is 68PP4 and our DUNS # is 96-6658028. In March 2013 Peregrine was recognized for our innovative efforts through a grant from York County, VA. In addition, we are known to NAVSUP FLC as a reliable small business with multiple prime contracts, including:
- NAVSUP INSPECTION I&A N00189-16-P-1584
- NAVSUP INSURV Legacy IT N00189-15-P-0462
- NAVSUP DINPACS-A N00189-15-F-0258
- NAVSUP DINPACS-E N00189-15-F-0262
- NAVSUP NAWDC N00244-15-F-0205
- NAVSUP INSURV Cyber N00189-13-C-0010
Likewise, we are prime on the following contracts, where work similar to the requirements of this sources sought is conducted:
- NAVAIR Cyber Resilience N68335-16-G-0019
- SPAWAR 8a Incubator N65236-15-D-8019
- OASD UAV Cyber Study HQ0034-14-C-0209
As a DoD and Federal contractor, we are certified as a Fully Qualified Naval Validator (C0124), we have completed six IA contracts in the last two years, and we currently have four cyber security efforts ongoing. We are a great small business and our senior staff has been involved in Federal contracting for a long time. We understand the DoD and Navy software development, enlisted distribution and IA environment very well, and we have a wide gamut of talent on our staff to support you on these and other efforts. Because we are small, we are very agile and responsive. Peregrine is 100% compliant with DFARS 252.204-7012 and, as an SDB, our wrap rate is very low. Finally, Peregrine is the first corporation in Virginia with a registered Cyber Apprenticeship, http://www.alexandrianews.org/2016/06/governor-mcauliffe-announces-expansion-of-cybersecurity-apprenticeships/, and we are also registered with the Department of Labor for both the Level I and Level II categories. Allow us the opportunity to support you … you will not be disappointed.
Our expertise lies in our senior staff, each of whom has over 25 years’ experience in key IT / IA positions in support of the DoD, possesses multiple professional certifications including the CISSP and CDFE, and can provide expertise in these cyber security areas. We are an experienced small business with a seasoned senior staff, all of whom have worked for a number of large/small defense contractors over the last decade. We are DCAA compliant; we have a number of CPFF contracts; we regularly use iRAPT (Invoicing, Receipt, Acceptance, and Property Transfer, formerly known as Wide Area Work Flow, WAWF); and we use a centralized HR system and a DCAA accredited timekeeping system (JAMIS) to meet all contract needs.
Peregrine is committed to process improvement and the use of standards to ensure rigor and quality in the conduct of our work. We have pursued and obtained two relevant certifications, ISO 9001:2008 (5 May 2015) and ISO 27001:2013 (31 July 2015) for the “Provision of Cyber Security, Information Warfare, Computer Network Defense services to US federal government, military and commercial entities.” We are also CMMI Maturity Level 3 software development certified. Additionally, Peregrine has a GSA Schedule 70 Contract (Contract # GS35F233CA), dated 13 March 2015, with SINs (132-51 and 132-60F) as a Small Business (SB), Small Disadvantaged Business (SDB), 8(a) and Hubzone, the latter of which is especially hard to obtain.
Peregrine was founded to meet the expanding requirements in cyber offense/defense activities. Our staff focuses on Certification and Accreditation (C&A) as well as full-spectrum Information Assurance (IA) and Security Engineering. Both our President (Dr. Leigh Armistead) and our Vice-President (Dave Wolfe) have supported the ODAA office over the last decade, and the Peregrine staff overall has been involved in the operational conduct of IA and cyber security for a wide variety of customers, and we can do the same with this requirement. For this effort, we will propose KBRwyle, formerly known as Honeywell Technology Solutions Inc. (HTSI), as our sole teammate. As an incumbent under Tetrad Digital Integrity (N00189-14-D-0001), KBR has been involved in supporting ODAA since 2005. They conduct full spectrum cybersecurity activities ranging from Computer Network Defense Service Provider (CNDSP), continuous monitoring of government networks and systems, vulnerability remediation for Enterprise Security Operations Center (ESOC) operations, and Certification and Accreditation (C&A) work using the National Institute of Standards and Technology (NIST) Risk Management Framework (RMF), to all levels of vulnerability testing.
Peregrine’s senior staff has also supported the ODAA office for the last 11 years and has a proven ability to respond in an expedited manner to all customers’ needs, tasking, and requirements, with reviews of hundreds of C&A Packages each year. We have also performed numerous IA risk assessments for the Navy, in accordance with the DIACAP (and now RMF), and we have supported a number of updates of proposed federal information security policies and procedures. In every case, our staff successfully provided C&A support services and met the deliverables required of Federal and DoD organizations with complex legacy networks as well as unique command and control systems. Peregrine has also successfully provided C&A support to SPAWAR plus comprehensive support to NAWDC CCRI, during which Peregrine provided documentation and accreditation support on-site and remotely.
Peregrine has significant experience supporting Federal agencies with requirements similar to this RFI. For example, our staff provided DIACAP support to the Commander Naval Air Forces, where Peregrine provided outstanding C&A support and services in the following areas:
- As SMEs for the authorization process, we met with the IT and security staffs and leadership of 16 separate organizations with systems that had never been through the C&A process and had no authorization to operate, and our staff helped the government personnel to understand the Federal, DoD, OMB, and other legal and regulatory requirements, including FISMA.
- We introduced them to essential NIST and FIPS publications, in part by helping them to determine their systems’ security categorizations, and coaching them through the process of producing NIST SP 800-3 and CNSSI 1253 overlays for RMF compliant Cyber Incident Response/IS Contingency Plans, where none had existed.
- Our personnel provided technical expertise, such as scanning their networks and teaching the system administrators to select and use the correct tools to adequately test all applicable security controls for the security categorization and the sensitivity of the data on the networks.
- Throughout the process, we responded to questions and helped them find the answers and resources needed to attain the best possible security posture for their systems.
- When their documentation was complete, our validator examined the packages to ensure that the systems were fully documented and tested, had all required artifacts, such as accurate network topologies, Privacy Impact Assessment, etc., and were ready to be submitted for an accreditation decision.
- Peregrine also provided fully qualified validators to work with the Commands’ information system owners to validate the information contained within their packages and to ensure they had adequately documented and tested their systems and attained a security posture deserving an ATO or IATO.
Our staff has significant experience in supporting the Navy DIACAP/RMF program. The services will include: preparing A&A packages in strict adherence to DIACAP/RMF standardized processes and templates, and submitting completed packages for accreditation; monitoring and verifying DIACAP/RMF compliance of existing IS systems; monitoring and evaluating the functionality of HBSS systems; monitoring and evaluating the functionality of ACAS systems; and Contingency Plan maintenance. In this response, Peregrine demonstrates that we are the best qualified with these discriminators:
- Fully Qualified Naval Validator (FQNV) – Peregrine has been certified by the Navy (C0124) and has conducted numerous C&A efforts, as shown later in this response.
- Unique Cyber Security Research Capabilities – We own the Journal of Information Warfare (JIW), the only double-blind, peer-reviewed academic journal in the United States that focuses on these threats (www.jinfowar.com).
- Operational IA Excellence – We are conducting multiple cyber security contracts across the Federal government with ISO certs (9001 and 27001) in IA.
- Agile HBZ Contracting Response – We are an ANC 8a with a Hubzone (HBZ) GSA Schedule to expedite response and give hard-to-find HBZ SB credit.
- Broad and Deep Bench Strength – Peregrine is a robust SB with over 300 employees.
Team Peregrine routinely performs expert evaluation of technology indicators and vulnerability data as part of its world-class C&A services. Performing system assessments as part of the C&A tasks requires that our personnel be fully aware of the latest technology indicators and vulnerability data. Our SMEs also have experience performing testing and assessments, while working with the customer to develop an in-depth understanding of functional requirements for operations and the management and technical requirements associated with accomplishing the mission. Our assessments consider exploitable flaws in networks, systems and GOTS source code, as well as architectures, systems configuration, software bugs and hardware design flaws, human errors, and the susceptibility of users to social engineering attacks. We strive to ensure that as many of these technical and non-technical factors as possible can be controlled in order to optimize systems security and performance.
Peregrine senior staff have over 25 years of experience in key cyber positions in support of the DoD and our employees possess many professional certifications, including the CISSP and Certified Digital Forensics Examiner (CDFE), in addition to extensive current expertise in all aspects of Certification and Accreditation. Both Peregrine’s President and Vice-President have supported the Navy at its senior level C&A office (ODAA), both are FQNVs, and the majority of our DoD IA contracts focus on C&A. We helped the Navy transition from DITSCAP to DIACAP in 2005, and we are supporting a Navy customer using the ACAS, which is supported by the very latest applicable FSO policies. We have conducted multiple C&A testing efforts, and one of our core program management competencies is ensuring that we meet all deliverables and support services. Peregrine uses a tailored PMP to address C&A testing, and we can bring that PMI-based methodology to this effort. Our personnel have provided full-spectrum security program services for civilian agencies and DoD components, including developing: Risk Assessments and Plans of Actions and Milestones (POA&Ms); Vulnerability Management Plans; Continuous Monitoring Plans; Continuity of Operations Plans; System Security Plans; Disaster Recovery Plans; Security Assessment Plans; and Security Test Plans. Finally, our personnel hold the requisite certifications such as CISSP, CDFE, and PMP based on DoD Directive 8570.1, which support the level IAT III within the Cyber Security Work Force requirements. Our staff is experienced with performing SA&A services, including developing and executing Security Test Plans and performing vulnerability assessments and penetration testing services. For many organizations, this has evolved into assisting with developing full security policies and procedural guides and implementing management, operational, and technical security controls.
Peregrine is an experienced 8(a) small business prime with multiple contracts. We are a trusted entity with a staff of cyber security professionals. Our strength lies in our senior leadership’s combined 25 years of experience with the IA community in a variety of positions, each supporting the requirements of this RFI. We have a current Top Secret (TS) Facility Clearance (FCL), proven cyber security past performance, and senior leadership that is committed to ensuring mission success and a smooth contract transition. Our staff will include individuals who possess the required clearances, training, and certifications, and also have many years of IA experience. Our team members have significant knowledge, credentials, and practical experience with conducting similar highly technical IT activities for the DoD. Peregrine’s commitment to quality is grounded in our three core management principles:
- Experience – Peregrine has significant IA experience, knows the Navy C&A environment well, and implements sound methodology for our customers.
- Superior Task Management – Our seasoned professionals have proven experience in managing similar efforts for CNIC, CNAF, CFFC, and NAVSUP.
- Preparation – Our top quality professionals are all certified, credentialed, and cleared.