FBO DAILY ISSUE OF NOVEMBER 25, 2005 FBO #1460
SOURCES SOUGHT

D -- Technologies to Support PKI on FIPS 201 PIV Smartcards

Notice Date
11/23/2005
 
Notice Type
Sources Sought
 
NAICS
541990 — All Other Professional, Scientific, and Technical Services
 
Contracting Office
Department of Health and Human Services, National Institutes of Health, National Library of Medicine, 8600 Rockville Pike, Bethesda, MD, 20894
 
ZIP Code
20894
 
Solicitation Number
Reference-Number-PKI-SmartCard
 
Response Due
12/12/2005
 
Archive Date
12/27/2005
 
Description
Objective: The U.S. Department of Health and Human Services, (DHHS), seeks information on technologies that support the installation and management of Public Key Infrastructure (PKI) credentials on FIPS 201 compliant PIV Cards. The purpose of this RFI is to: (1) identify qualified vendors, resources, technology, and solutions that enable the registration, identity proofing, issuance and maintenance of PKI credentials and other data on PIV cards; (2) learn about product functionalities, technical architectures and system requirements; and (3) determine how these products would operate in the DHHS environment (e.g., interoperate and/or supplement existing identity management and physical access systems).

Description of Environment: DHHS is comprised of the Office of the Secretary and twelve semi-independent Agencies with more than 100,000 Federal employees and contractors scattered across over 1000 locations nationwide. PIV registration, ID card issuance and physical access control (PAC) are managed locally by each Agency, utilizing a number of PAC systems (see list below), with PIV user data maintained in a number of separate databases and/or directories. The DHHS desktop environment is primarily Microsoft Windows. Macintosh (Apple OS X) accounts for about 5% of the desktops along with a small percentage of Linux and other UNIX based desktops. PKI support for Blackberries and other PDAs is also required.

DHHS intends to issue 3 sets of digital certificates (i.e., authentication, digital signature, key management certificates) to each PIV card. Certificates may be issued using one or more of the following methodologies:

(1) Centralized Issuance - Certificates are downloaded and injected onto PIV card by the DHHS security officer;
(2) Desktop Issuance - Certificates are downloaded and injected onto PIV card by the user at their desktop;
(3) "Kiosk" Issuance - Certificates are downloaded and injected onto PIV card by the user at a centralized facility; and/or
(4) Mixed Mode - Authentication certificates are downloaded and injected onto PIV card by the DHHS security officer. The other certificates are downloaded and injected onto the PIV card by the user at their desktop.

Requirements: The proposed solution must:

1. Meet all FIPS 201 and Federal PKI Common Policy Certificate Issuance and Management Requirements.
2. Be GSA FIPS 201 certified where applicable (http://www.cio.gov/ficc/documents/GSAacquisitionHSPD12.pdf) by October 2006.
3. Interoperate with third-party certificate authorities that are federally approved shared service providers (http://www.cio.gov/ficc/) and/or GSA ACES (http://www.gsa.gov/aces) certificate vendors.
4. Support the issuance of all mandatory and optional FIPS 201 digital certificates onto PIV-2 smartcards.
5. Provide full certificate lifecycle support including certificate issuance, re-issuance (i.e., update), renewal, key recovery (for S/MIME encryption keys) and revocation.
6. Support the DHHS additions to the Federal Certificate Profile, as follows:
   (a) Subject Distinguished Name (DN): UID=<FASC-N Personal identifier>, C=US, o=U.S. Government, ou=HHS, ou=Agency, cn=firstname lastname <(company name for contractors or other non-HHS employees)>;
   (b) Subject Alternative Name: RFC822 Name=<Primary SMTP email address>;
   (c) Subject Alternative Name: pivFASC-N=<FASC-N Personal Identifier>;
   (d) Extended Key Usage: Microsoft Smartcard Logon;
   (e) Other Name: Principal Name=<User Principal Name>
7. Support the HHS desktop environment including Microsoft Windows (required), Macintosh (required), Citrix (highly desirable), Linux (highly desirable) and other UNIX systems (highly desirable).
8. Interface with multiple separate data sources (e.g., X.500, LDAP, Microsoft Active Directory, virtual directories, Oracle, SQL).
9. Interface with physical access control systems (PACS) currently in use at DHHS [i.e., Andover Continuum, MDI SAFEnet, Hirsch Velocity 2.5, Johnson Controls Cardkey P2000 (Pegasys 2000), Lenel OnGuard, and AMAG].

The proposed solution should also support other FIPS 201 PIV business processes and/or interface with other systems used to perform these functions. Other PIV business processes include: Authorization (i.e., initial approval to obtain a PIV card), Registration (i.e., identity proofing, collection of fingerprint and facial biometrics, and criminal/credit background checks), Card Issuance (i.e., loading mandatory and optional PIV elements onto the PIV card) and card management (i.e., PIV card re-issuance, renewal and revocation).

Disclaimer: This Request for Information (RFI) is for planning purposes only and shall not be construed as either a solicitation or obligation on the part of DHHS. DHHS may or may not solicit a requirement based on responses, and it will not pay for the preparation of any information submitted or for DHHS' use of such information. DHHS will not reimburse respondents for costs associated with providing information in response to this announcement or follow-up information requests. Should a solicitation materialize as a result of this RFI, no basis for claims against the Government shall arise as a result of a response to this RFI or DHHS' use of such information as either part of our evaluation process, or in developing specifications for any subsequent requirement. Proprietary information should be so marked and DHHS will keep it confidential. DHHS will not acknowledge receipt of responses nor will DHHS notify respondents of DHHS' evaluation of the information received.

Request for Information: At a minimum, responses should address the attached list of questions and provide sufficient detail for DHHS to understand the market availability, technical characteristics, and functionality of solutions, tools, or products capable of satisfying the requirements of this RFI. DHHS will consider complete and partial solutions that meet all or some of the requirements set forth in this RFI. Responders are encouraged to provide supplemental information that will enable DHHS to fully understand the solution that is being proposed, including, but not limited to: technical documentation, whitepapers and no-cost evaluation software and/or no-cost access to on-line demonstration systems. However, DHHS offers no assurance that supplemental materials will be reviewed and/or demonstration software or on-line systems will be evaluated.

Responses are due by 4:00pm EST on December 12, 2005. DHHS will not accept responses after this time. Please send responses to this RFI to:

National Library of Medicine
Office of Acquisitions Management
8600 Rockville Pike, Building 38A, Room B1N20
Bethesda, Maryland 20894
Attention: Karen D. Riggs, Contracting Officer

You may also send responses by email to kr33v@nih.gov.
 
Place of Performance
Address: National Library of Medicine, Office of Acquisitions Management, 8600 Rockville Pike, Building 38A, Room B1N20, Bethesda, Maryland
Zip Code: 20894
 
Record
SN00936890-W 20051125/051123211714 (fbodaily.com)
 
Source
FedBizOpps.gov
