MODIFICATION
D -- THIS IS A REQUEST FOR INFORMATION (RFI) FOR AN INSIDER THREAT SOLUTION TO PROTECT THE DOD FROM THOSE WHO CONDUCT MALICIOUS ACTIVITY AGAINST OR ACROSS THE NETWORK, SYSTEM OR DATA
- Notice Date
- 6/2/2005
- Notice Type
- Modification
- NAICS
- 541519 (Other Computer Related Services)
- Contracting Office
- Defense Information Systems Agency, Procurement and Logistics, DITCO-Scott, P.O. Box 25857, Scott AFB, IL, 62225-5406
- ZIP Code
- 62225-5406
- Solicitation Number
- RFI325
- Response Due
- 6/21/2005
- Archive Date
- 7/6/2005
- Point of Contact
- Anne Keller, Contract Specialist, Phone 618-229-9504, Fax 618-229-9440; Karen Kincaid, Contract Specialist, Phone 618-229-9707, Fax 618-229-9508
- E-Mail Address
- Anne.Keller@disa.mil, Karen.Kincaid@disa.mil
- Description
- Change is made to the Section "Required Capabilities, Protect against system compromise, number 3". In the current version capability number 3 reads as follows: "3. Track all critical system component modifications, protecting against administrator account lockout, and monitoring access and changes to" That sentence should be changed to the following: "3. Track all critical system component modifications, protecting against administrator account lockout, and monitoring access and changes to documentation which prevent modifications to systems."

THIS IS A REQUEST FOR INFORMATION (RFI) FOR AN INSIDER THREAT SOLUTION TO PROTECT THE DOD FROM THOSE WHO CONDUCT MALICIOUS ACTIVITY AGAINST OR ACROSS THE NETWORK, SYSTEM OR DATA.

SUBJECT

This document is a Request for Information (RFI) about available Insider Threat Solutions to protect the DoD from those who conduct malicious activity against or across the network, system or data. Responses to this RFI are due NLT Tuesday, June 21, 2005, at 5:00PM Eastern Daylight Time (EDT) (GMT-4).

DESCRIPTION

The Defense Information Systems Agency (DISA), in support of the Computer Network Defense (CND) mission established by the United States Strategic Command (STRATCOM), is seeking information from industry, academia, and government that will assist in the deployment of a software product solution to assist in elevating the CND posture of the Department of Defense (DOD) computer network systems. The current solution for our computer network environment provides inadequate protective measures: individual host-based and network-based protective mechanisms do not provide real-time protection from malicious insider attack behavior. Transformational technology provides hope but not proven concepts for deployment. DISA is in search of a product solution that can address the requirements below for possible further evaluation.

REQUIRED CAPABILITIES

This section describes the high-level capabilities for the Insider Threat Toolset.

Protect against system compromise:

1. Prevent malicious code insertion, system modification, vulnerability exploitation, content manipulation, and deceptive content.
   a. Malicious code insertion involves prevention of virus-bearing portable/removable media, the execution of mobile code, and the insertion of malicious code.
   b. Prevent and protect systems, servers and network devices from implementation of untrusted patches; resource reallocation and/or redirection; and modifications to software files by other than system administrators.
   c. Track all critical system component modifications, protecting against administrator account lockout, and monitoring access and changes to
   d. Protect against replay attacks, zero-day exploits, the use of covert channels, and the installation or use of steganographic tools.
2. Prevent unauthorized configuration changes, and monitor internal e-mail events.
   a. Prevent the manipulation of content including unauthorized workflow changes that enable product modifications or modification of data.
   b. Prevent and protect against ignorant manipulation, strategic information manipulation, and deleting/withholding content from reports upon inception.
3. Protect against the accessing of unauthorized files and information, including the prevention of unauthorized use or misuse, hacking exploits, transitive trust exploitation, and spoofing.
   a. Prevent unauthorized use/misuse and hacking exploitation using replay attacks that retransmit valid data.
   b. Prevent and protect against unauthorized use and/or misuse of files/information.
   c. Implement a data tagging/classification system.
4. Minimize exposure time of un-patched systems.
5. Prevent the use of keystroke loggers and steganographic tools.
6. Implement sandbox technology to enforce policy requirements regarding protection of system resources.
7. Prevent covert channel use, internal e-mail attacks, telephone taps, and protect against database adjustments.
8. Prevent transitive trust exploitation by protecting data integrity, stopping exploitation of collaboration tools, and protecting against workflow changes to include or exclude other analysts (dissemination).
9. Prevent spoofing and protect against using assets to collect information that benefits an unauthorized party.
10. Prevent exfiltration of data/information by using hard media, copying to removable media, and by electronic means via a network.
   a. Protect against unauthorized broadcasting or transmitting devices in classified areas or meetings and disallow telephone tap recording.
   b. Prevent electronic exfiltration of data/information via network means by preventing the exploitation of web conferencing capabilities, along with the cutting and pasting of data between classification levels (high to low), and the usage of cameras to shoulder surf.
11. Prevent and protect against RF transmissions in and around local facilities.

Detect a potential insider threat:

1. Detect the introduction of malicious code and usage of cellular and wireless data devices.
2. Create a comprehensive list of system and user behavior attributes that can be monitored to establish normal and abnormal patterns, enabling anomaly and misuse detection.
3. Use network mapping tools to detect alterations in the configuration of a network, along with scanning and analyzing system and network audit logs to detect anomalous system and insider activity.
4. Monitor system and application logs using a structured monitoring approach.
5. Check file and access permissions within the system(s) to flag potential problem areas.
6. Use "honey pots" and/or "honey tokens."
7. Randomly audit insider computer usage, provide focused monitoring of individual users, and for critical systems provide the capability to maintain a continuous map of a selected user's activity.
8. Perform a rapid and effective audit to detect anomalies in programs and files.
9. Audit user activities associated with each file to ascertain who performs execute, read, modify or print activities, as well as when and where the activity occurred.

React to an insider's actions:

1. Respond with an alarm or countermeasure.
2. Perform a rapid and effective audit to detect anomalies in programs and files.
3. Audit user activities associated with each file to ascertain who performs execute, read, modification or print activities, as well as when and where the activity occurred.
4. Preserve data regarding malicious insider activity throughout the infrastructure.
5. Make accurate copies of hard drives with sufficient rigor to provide the potential use as evidence in criminal or administrative proceedings.

3.1 Any Insider Threat solution installed on DoD systems or networks shall:

1. Provide the capability to maintain a working state after a computer network attack has occurred, including virus and worm activity.
2. Provide minimum interference with user day-to-day productivity, usability, and functionality.
3. Provide minimum degradation of Central Processing Unit (CPU) performance.
4. Focus primarily on Microsoft Windows (MS) based Operating Systems (OS) and applications.
5. React to an insider's actions, including the capability to respond with an alarm, countermeasure or escalating alerts as necessary.
6. Protect data regarding malicious insider activity from modification throughout the infrastructure.
7. Install and deploy on small (500 users) and large-scale networks (up to 40,000 users).

SAMPLE RESPONSE OUTLINE

This outline is intended to structure the responses for ease of analysis by the government. Respondents are free to develop their response as they see fit but should answer the fundamental questions provided.

Section 1 - Product

Describe the working product as a possible solution to the Insider Threat Protection problem. Discuss the product and the described capability (from section 3.0) it provides. Please discuss existing functionality or functionality currently being developed. (5-7 pages to include description and diagrams) Please answer the questions accordingly.

1. Please specify if the product solution is hardware, software or both.
2. Please describe the best type of product solution or service. (Examples: Host or Network-based Insider Detection/Monitoring System, Behavior-based Protection.)
3. Please list the operating systems the product supports, to include patch and service pack levels.
4. Please describe the minimum client and server requirements and dependencies that are required to operate your solution.
5. Please describe, architecturally, client and server interoperability and operations.
6. Please describe the recommended deployment architecture and strategy, to include installation and maintenance.
7. Please describe operational impacts of the tool's use, such as how the product would be deployed and used on a network.
8. Please describe how the proposed solution protects data for forensic uses.
9. Please describe how your solution addresses any or all of the required capabilities described in section 3.0.

Section 2 - Cost and Schedule Estimates

Provide a cost estimate describing licensing agreement, support, and maintenance for non-recurring and annual recurring costs. (2-3 pages)

Section 3 - Corporate Experience

1. Briefly describe your company, your products and services, history, ownership, financial information, and other information you deem relevant.
2. Describe any projects you have been involved in that are similar in concept to what is described in this RFI, including management and operations approach, requirements, processes, and any relevant lessons learned (1-2 pages per project). Please list government and commercial clients. If for any reason clients cannot be discussed, please describe the number of seats deployed for each client.

Section 4 - Additional Materials

Please provide any other materials, suggestions, and discussion you deem appropriate.

DISCLAIMER

THIS RFI IS NOT A REQUEST FOR PROPOSAL (RFP) AND IS NOT TO BE CONSTRUED AS A COMMITMENT BY THE GOVERNMENT TO ISSUE A SOLICITATION OR ULTIMATELY AWARD A CONTRACT. RESPONSES WILL NOT BE CONSIDERED AS PROPOSALS NOR WILL ANY AWARD BE MADE AS A RESULT OF THIS SYNOPSIS. All information contained in the RFI is preliminary as well as subject to modification and is in no way binding on the Government. FAR clause 52.215-3, Request for Information or Solicitation for Planning Purposes (Oct 1977), is incorporated by reference into this RFI. All information received in response to this RFI that is marked Proprietary will be handled accordingly. Responses to the RFI will not be returned. In accordance with FAR 15.202(e), responses to this notice are not offers and cannot be accepted by the Government to form a binding contract. Responders are solely responsible for all expenses associated with responding to this RFI.

SUBMISSION INSTRUCTIONS

How to submit: Submission by email; the email should be time stamped no later than the due date. Email should not exceed 5 Megabytes (MB). Email to Mr. Paul Carr at Paul.Carr@tic.dod.mil or Paul.Carr@tic.darpa.smil.mil.

Due Date: Tuesday, June 21, 2005, at 5:00PM Eastern Daylight Time (EDT) (GMT-4)

CONTACT INFORMATION

The three Points of Contact (POCs) for all questions relating to this RFI:

Paul Carr, CISSP, JTF-GNO ATU, 2110 Washington Blvd, Suite 100, Arlington, VA 22204; Bus: (703) 769-9511; Fax: (703) 769-9517; NIPR E-Mail: Paul.Carr@tic.dod.mil; SIPR E-Mail: Paul.Carr@tic.darpa.smil.mil

MAJ Jack Mast, Acquisition Manager, (703) 882-1634, jack.mast@disa.mil

Mr. Donald Parker, Asst. Acquisition Manager, (703) 882-0164, Donald.parker1@disa.mil
- Record
- SN00820559-W 20050604/050602234443 (fbodaily.com)
- Source
- FedBizOpps.gov