Loren Data's SAM Daily™

fbodaily.com
FBO DAILY - FEDBIZOPPS ISSUE OF JANUARY 07, 2015 FBO #4792
SOURCES SOUGHT

D -- Next Generation End Point Security System

Notice Date
1/5/2015
 
Notice Type
Sources Sought
 
NAICS
541511 — Custom Computer Programming Services
 
Contracting Office
Defense Information Systems Agency, Procurement Directorate, DITCO-Scott, 2300 East Dr., Building 3600, Scott AFB, Illinois, 62225-5406, United States
 
ZIP Code
62225-5406
 
Solicitation Number
MAC0099
 
Archive Date
2/17/2015
 
Point of Contact
Brittney Galle,
 
E-Mail Address
brittney.e.galle.civ@mail.mil
 
Small Business Set-Aside
N/A
 
Description
REQUEST FOR INFORMATION

The Defense Information Systems Agency (DISA), Program Executive Office - Mission Assurance (PEO-MA), is seeking information from industry to assist with the development and planning of a potential new requirement and to determine sources with the competencies to provide solutions/capabilities for Next Generation End Point Security System requirements. THIS IS A REQUEST FOR INFORMATION (RFI) NOTICE ONLY. THIS IS NOT A REQUEST FOR PROPOSALS (RFP). NO SOLICITATION IS AVAILABLE AT THIS TIME.

OVERVIEW: This RFI is seeking responses from both large and small businesses (including the following subsets: Small Disadvantaged Businesses, HUBZone Firms, Certified 8(a), Service-Disabled Veteran-Owned Small Businesses and Woman-Owned Small Businesses) describing capabilities meeting or exceeding the listed desired capabilities. The anticipated North American Industry Classification System (NAICS) codes for this requirement are 541511, 541512, 541513 and 541519, all with the corresponding size standard of $25,000,000.00. The purpose is to communicate to industry DISA's vision of endpoint security and to discover capabilities that strengthen the security posture of the endpoint. This RFI defines endpoint types and requests industry's response on achieving effective and efficient tools that protect against advanced persistent threats, and on where those tools are effective in the kill chain model discussed below. In addition, DISA has interest in a management tool that can provide effective management of multiple endpoint operating systems (OS) for the endpoint types described below. A holistic response to all requirements is not required; it is preferred that responses focus on the vendor's core capability. DISA is looking for innovative approaches with a product or product family that can mitigate persistent threats and their common attack patterns.
DISA is interested in novel approaches to the problem of endpoint security; the solutions presented do not need to be similar to current solutions employed by the government or to approaches implied by the collective set of requirements. DISA is also interested in innovative combinations of technology that provide the necessary protection, detection, response and recovery for an endpoint with the smallest overall footprint and lowest cost.

SCOPE OF EFFORT: The endpoint has evolved to encompass a complex hybrid environment of desktops, laptops, mobile devices, virtual endpoints, servers, and infrastructure, involving both public and private clouds. New technologies, including those for virtualization, workforce mobility, and cloud services, are changing the way we conceptualize the desktop. DISA is requesting responses for innovative solutions that provide security services in heavily virtualized environments with economies over replicating security services in each virtual endpoint. Traditional approaches have used signature-based defenses; however, these methods no longer scale. Responses detailing how the vendor treats the different endpoint types are desired. As we build our cyber security strategy for endpoints, it merits an assessment of the changing environment and our changing fiscal circumstances. Assessing available OS security tools and determining enhancements to those tools is one of our objectives. To achieve our endpoint security objectives we will need capabilities that do not interfere with the anti-exploitation features of the OS on which they run. DISA is interested in capabilities with lightweight agents, or agentless capabilities, to minimize the footprint on virtual machines. DISA is also interested in the depth of integration with the hypervisor that could allow inspection of a virtual machine's hardware files and components in real time. The DoD enterprise is estimated at near four million endpoints, and vendor capabilities will be required to scale.
Providing proven scalability in the response is desired.

TECHNICAL CHARACTERISTICS: DISA outlines the following strategic objectives for endpoint security:
• Utilization of the underlying OS security solutions available
  • Windows and non-Windows
• Enhance the underlying OS security solutions with capabilities to:
  • Counter the classes of attacks posing the greatest risk (i.e., most likely and with the greatest impact)
  • Alert on reconnaissance activities on various endpoints
  • Reduce exposed attack surface area and exploitable attack vectors (mitigate risks)
  • Detect malware delivery prior to exploit
  • Provide security for a broad range of OS such as Windows, Linux, HP-UX, Solaris, and AIX
• Support both high- and low-agility environments (e.g., from small IT networks to ships). Support hosts in Disconnected, Intermittent and Low Bandwidth/High Latency (DIL) environments (e.g., aircraft, ships, tactical Command Centers, etc.) and garrison/fixed environments.
• Minimize operations and management costs (including manpower and training) and complexity.
• Support required environments and platforms (thick, thin/zero and mobile clients, servers, virtual servers and virtual clients).

The ideal central management solution (CMS) would be one that leverages open standards and/or specifications to manage any set of host-based security tools supporting all major technology platforms. The Government expects commercial vendors to partner together to provide a modular solution that integrates multiple products as seamlessly as possible and allows for custom modules where necessary. In any resulting acquisition, preference will be given to solutions that demonstrate a commitment to open standards and interfaces and which are composed of components delivered by multiple competing vendors.
DISA outlines the following strategic objectives for management of endpoint security:
• Converge management of endpoint security operations to a single console that supports large enterprise needs across multiple endpoint types
  • Provide fully integrated patch, configuration and vulnerability management services, as well as the ability to monitor other endpoint agents, to enable the warfighter to place greater emphasis and resource allocation on mission objectives
  • Support unified Mobile Device Management (MDM) with the same management infrastructure. Services include inventory profile management, remote location and wiping, location-based policy management, and application deployment
• Ability to directly feed the government's Secure Configuration Management Continuous Monitoring Risk Scoring System (CMRS) and Cybersecurity Situational Awareness Analytical Cloud (CSAAC)
• Support an interoperable multi-vendor environment
• Deliver a common management solution quickly
• Support rapid policy and configuration changes in response to cyber threats
• Provide appropriate transparency in acquisition
• Provide ongoing maintenance, updates and upgrades to both software and hardware
• The database for the solution shall allow custom fields to be created for rollup data, or allow custom rollups
• Capability for rapid policy and configuration changes in response to cyber threats

Endpoints:
• Thick Client - Network clients running on fully-capable systems; local storage and processing capability; can operate independently if not connected to the network
• Thin Client - Network client running on a minimally-capable system; minimal local storage and processing capability
• Zero Client - Client with no capability outside of the network context
• Mobile Client - Endpoints that move frequently and connect at different points, with changing threat profiles, policies and protection requirements; may connect directly to commercial systems/the Internet, then back to the enterprise
• Server - Responds to client requests and provides enterprise services; typically in data centers; users are system administrators
• Virtual Client - Client running virtually on a host platform; no physical resources

Cyber Kill Chain (CKC) Model - A model of the stages of an attack, listed here in the order in which they occur:
• Reconnaissance - the attacker examines the target to determine what attacks might prove effective
• Weaponization - the attacker creates the attack weapon(s), e.g., pairs an exploit with a payload in a deliverable file
• Delivery - the attacker transmits the weapon to the target (e.g., e-mail attachment, web site, removable media)
• Exploitation - the weapon triggers on the target, exploiting a vulnerability to run the attacker's code
• Installation - the attack code installs itself on the target system to maintain access
• Command and Control - the attack code beacons back to control servers for updates/instructions/additional attacks
• Actions on Objectives - the attack code begins to carry out its objectives, e.g., exfiltrate data or move within the system

DESIRED CAPABILITIES: The Government envisions and is seeking information on the availability of a solution for the Endpoint Security Program with the following desired capability set. The listed requirements in the RFI are intended to provide the Government the capability to evaluate innovation and creativity among responding vendors.
Category | Sub-Category | Requirement (Provide Modifications Inline)

Generic | Compatibility | All components of the solution shall be compliant with applicable sections of DODI 8330.01 (Interoperability).
Generic | Compatibility | All components shall not interfere with any anti-exploitation features of the operating systems on which they run (e.g., Microsoft EMET, DEP, ASLR, SEHOP, Deep Hooks, etc.).
Generic | Compatibility | Host agents shall be made available to support server, thick-client workstation, thin/zero client, virtual client (e.g., VDI), and mobile operating systems/environments.
Generic | Compatibility | Solution components shall not impair authorized system operations (e.g., patching, scanning, business software usage, etc.), nor shall they degrade managed system performance in any way which may adversely impact a system's primary business/mission functions.
Generic | Compatibility | The solution shall support both IPv4 and IPv6 interface/network environments.
Generic | Compatibility | The solution shall support both physical and virtual hosts, whether connected to the network or operating in a disconnected (standalone) environment.
Generic | Compatibility | The solution shall support hosts in Disconnected, Intermittent and Low Bandwidth/High Latency (DIL) environments (e.g., aircraft, ships, tactical Command Centers, etc.) and traditional fixed environments.
Generic | Compatibility | The solution shall support integration with existing directory services (e.g., LDAP and Active Directory).

Generic | Manageability | The solution should require minimal manual configuration and tuning, both during initial installation and sustainment. Where possible, the solution should automate the creation of policies and configurations under the supervision of administrators and/or be provisioned with the most common initial policies and configurations. (The Government is aware that this requirement must be traded off against security functionality and configurability.)
Generic | Manageability | All solution components shall provide the capability to roll back to previous versions following patching and upgrades.

Generic | Management | The CMS shall support scheduling and prioritization of pushed policies and/or signature updates.

Generic | Security | All components of the solution shall be compliant with applicable sections of DODI 8500.01.
Generic | Security | All components of the solution shall support Department of Defense PKI as a primary means of authenticating authorized users.
Generic | Security | All components shall be protected against unauthorized/malicious access and modification. This applies to executable code, data and component settings.
Generic | Security | All components of the solution, where appropriate, shall be validated as NIST FIPS 140-2 compliant.
Generic | Security | The CMS shall have the ability to evaluate itself to determine its own compliance and risk and to report results to multiple levels of a tiered structure.
Generic | Security | The CMS shall perform certificate revocation checking.
Generic | Security | The CMS, components, plug-ins and host agents shall securely store and transmit data in a manner that ensures the confidentiality, integrity, availability and source authentication of the data.

Generic | Training | The solution should require minimal training. Ideally, advanced technical support should be trainable within 3 weeks, while minimal front-line support should be trainable within a day. (The Government is aware that this requirement must be traded off against security functionality and configurability.)

Host Change Control | BIOS / UEFI Integrity | A host agent shall provide the capability to check BIOS integrity and settings against a preset baseline and report any changes to higher management tiers.
Host Change Control | Configuration Control | A host agent shall perform host monitoring and configurable scheduled/immediate reporting to the CMS of any changes to a configurable set of host baselines (e.g., user/administrative accounts and permissions, installed/uninstalled software, services, port configurations, hardware, registry, file permissions and network interfaces).
Host Change Control | File Integrity Control | A host agent shall provide the capability to scan the host, by automated scheduled or manual scans, for any changes from the authorized software and hardware configuration baseline and report activity to the CMS.

Incident Response | Analysis | The solution shall have the ability to support automated export and querying of data to external systems (e.g., Security Information and Event Managers (SIEMs), situational awareness systems, and cloud analytics), to include retrospective and retrodictive analysis, using open standards and/or well-documented interface specifications.

Incident Response | Live Box Analysis | A host agent shall provide the capability to pull (on demand or on a specified schedule) configurable information from managed systems, including: complete software inventory; cryptographic (MD5/SHA-2/fuzzy) hashes of all files (including hidden/obfuscated files) and running processes (including their loaded libraries); event logs; running services; startup/autorun enumeration; process tree with related services/executables; network interfaces and interface configurations; stored cookies; mutex listings; DNS resolver cache contents; file system path structure; and scheduled tasks.
Incident Response | Live Box Analysis | The host agent shall not modify the last-access date/time attribute on files in the process of forensic discovery, and shall provide the capability to select target files/folders based on size, path (including mapped drives) and attribute(s) (e.g., owner, read/modify, etc.).
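The File Integrity Control row and the last-access-time row above describe one mechanism from two sides: a baseline of file content and permissions that the agent compares against on a schedule, collected in a way that does not itself disturb forensic timestamps. The following is an added example of that mechanism, written for this page; it is not DISA's text or any vendor's agent. It records SHA-256, size, mode, owner and group per regular file, diffs against a saved baseline, and reports a permission-only change separately from a content change. Reads use O_NOATIME where the platform offers it (Linux, owner or CAP_FOWNER required) and otherwise restore the access time only if the read changed it. The directory layout and contents built in demo() are constructed for the run.

```python
"""Host baseline snapshot and drift report (added example, not DISA's or any vendor's code)."""
import hashlib
import json
import os
import stat
import tempfile

CHUNK = 1 << 16


def sha256_noatime(path):
    """Hash a file without leaving a changed last-access timestamp behind."""
    before = os.stat(path)
    try:
        # O_NOATIME is Linux-only and needs file ownership or CAP_FOWNER.
        fd = os.open(path, os.O_RDONLY | getattr(os, "O_NOATIME", 0))
    except PermissionError:
        fd = os.open(path, os.O_RDONLY)
    digest = hashlib.sha256()
    try:
        with os.fdopen(fd, "rb") as f:
            for chunk in iter(lambda: f.read(CHUNK), b""):
                digest.update(chunk)
    finally:
        # Only touch the inode if the read actually bumped atime: a utime call
        # updates ctime, which forensic tooling also looks at.
        if os.stat(path).st_atime_ns != before.st_atime_ns:
            os.utime(path, ns=(before.st_atime_ns, before.st_mtime_ns))
    return digest.hexdigest()


def snapshot(root):
    """Return {relative path: record} for every regular file under root."""
    records = {}
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames.sort()
        for name in sorted(filenames):
            full = os.path.join(dirpath, name)
            st = os.lstat(full)
            if not stat.S_ISREG(st.st_mode):
                continue  # symlinks, sockets and devices are out of scope here
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            records[rel] = {
                "sha256": sha256_noatime(full),
                "size": st.st_size,
                "mode": oct(stat.S_IMODE(st.st_mode)),
                "uid": st.st_uid,
                "gid": st.st_gid,
            }
    return records


def diff_baseline(baseline, current):
    """Compare two snapshots; 'modified' maps a path to the attributes that differ."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = {}
    for rel in sorted(set(baseline) & set(current)):
        changed = [k for k in baseline[rel] if baseline[rel][k] != current[rel][k]]
        if changed:
            modified[rel] = changed
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(records, path):
    with open(path, "w", encoding="utf-8") as f:
        json.dump(records, f, indent=2, sort_keys=True)


def load_baseline(path):
    with open(path, encoding="utf-8") as f:
        return json.load(f)


def demo():
    """Build a constructed tree, baseline it, tamper with it; return (report, atime_preserved)."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        os.makedirs(os.path.join(root, "bin"))
        agent = os.path.join(root, "bin", "agent")
        conf = os.path.join(root, "agent.conf")
        with open(agent, "wb") as f:
            f.write(b"original agent binary\n")      # constructed content
        with open(conf, "w") as f:
            f.write("server=cms.example\n")          # constructed content
        os.chmod(conf, 0o640)
        atime = os.stat(agent).st_atime_ns
        baseline_path = os.path.join(store, "baseline.json")
        save_baseline(snapshot(root), baseline_path)
        atime_preserved = os.stat(agent).st_atime_ns == atime
        # Tamper: append to the binary, loosen config permissions, drop a new file.
        with open(agent, "ab") as f:
            f.write(b"# injected\n")
        os.chmod(conf, 0o666)
        with open(os.path.join(root, "bin", "dropper"), "wb") as f:
            f.write(b"MZ constructed stub\n")
        report = diff_baseline(load_baseline(baseline_path), snapshot(root))
        return report, atime_preserved


if __name__ == "__main__":
    print(json.dumps(demo()[0], indent=2))
```

The report distinguishes the three cases the row asks for: bin/dropper appears under added, bin/agent under modified with sha256 and size, and agent.conf under modified with only mode, which is the kind of change a hash-only integrity checker misses. A production agent would also sign or ship the baseline to the CMS rather than keep it on the monitored host, since a local baseline is writable by whatever modified the files.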
Incident Response | Live Box Analysis | The solution shall provide an automated data assessment/correlation/reduction tool.

Intrusion Prevention | Anomaly Detection | A host agent shall identify threatening and anomalous activities/behaviors originating from the network, prevent unauthorized activities and report to the CMS.

Intrusion Prevention | Antivirus | A host agent shall provide the capability to perform on-demand or scheduled scans for malware or malicious activity based on commercial and/or government-developed signatures, without leaving significant traces of the signature or indicator(s) on the managed system(s); quarantine suspected malware; and provide an alert to the CMS.
Intrusion Prevention | Antivirus | For virtual non-persistent clients (e.g., VDI), the solution shall allow offloading virus scan and quarantine functionality to the virtualization host system, which will provide regular signature updates to non-persistent clients.

Intrusion Prevention | Application Execution Control | A host agent shall provide the capability to restrict file execution using configurable policies (such as application whitelists) based on a number of criteria, with wildcards, including file names, file paths, file hashes, file/directory and user permissions, resource access permissions (such as external media/devices), digital signatures, and trusted updaters.

Intrusion Prevention | Cloud-Based Reputation | For fixed business networks and sanctuary environments with Internet access, a host agent shall provide the capability to leverage real-time intelligence from commercial and/or government cloud-hosted threat databases (file hash, file signature, IP address, DNS, digital certificate, and other reputation services) in order to detect and/or block malicious activity on the host.
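The Application Execution Control row above lists the matching criteria (wildcard paths, hashes, signatures, users, removable media, trusted updaters) but not how they combine, and that combination is where allow-listing products differ. The following is an added example of one sound combination, written for this page and not DISA's text or any vendor's product: explicit deny rules are evaluated first and win over every allow (the Windows AppLocker convention), a file last written by an approved updater image is then allowed without a rule of its own, allow rules are checked in order, and the default is deny. The policy, paths, signer name and file contents are constructed; the signer and written_by values are assumed to be supplied by the agent's signature verifier and file-write monitor, which this example does not implement.

```python
"""Application execution control policy evaluator (added example, not any vendor's product)."""
import fnmatch
import hashlib
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Rule:
    action: str                    # "allow" or "deny"
    name: str
    path: Optional[str] = None     # glob with * and ? (case-insensitive)
    sha256: Optional[str] = None   # hex digest of the file contents
    signer: Optional[str] = None   # subject of a verified code-signing certificate
    user: Optional[str] = None     # glob on the requesting user name


@dataclass(frozen=True)
class ExecRequest:
    path: str
    content: bytes
    user: str
    signer: Optional[str] = None       # None when unsigned or the signature failed
    written_by: Optional[str] = None   # image of the process that last wrote the file


def _norm(value):
    return value.replace("\\", "/").lower()


def _glob(pattern, value):
    """Absent criteria match anything; '*' crosses directory separators."""
    return pattern is None or fnmatch.fnmatchcase(_norm(value), _norm(pattern))


def rule_matches(rule, req, digest):
    """Every criterion present on the rule must hold (logical AND)."""
    if rule.sha256 is not None and rule.sha256.lower() != digest:
        return False
    if rule.signer is not None and req.signer != rule.signer:
        return False
    return _glob(rule.path, req.path) and _glob(rule.user, req.user)


def decide(policy, req):
    """Return (allowed, reason). Order: deny rules, trusted updaters, allow rules, default deny."""
    digest = hashlib.sha256(req.content).hexdigest()
    for rule in policy["rules"]:
        if rule.action == "deny" and rule_matches(rule, req, digest):
            return False, "deny rule: " + rule.name
    for updater in policy.get("trusted_updaters", ()):
        if req.written_by is not None and _glob(updater, req.written_by):
            return True, "written by trusted updater: " + updater
    for rule in policy["rules"]:
        if rule.action == "allow" and rule_matches(rule, req, digest):
            return True, "allow rule: " + rule.name
    return False, "no matching rule (default deny)"


HELPER_BIN = b"#!/bin/sh\necho helper\n"            # constructed stand-in for a pinned tool
MISSION_SIGNER = "CN=Mission Software Inc (constructed)"

POLICY = {                                           # constructed policy
    "trusted_updaters": ["/opt/agent/bin/updater"],
    "rules": [
        Rule("deny", "no execution from temp", path="/tmp/*"),
        Rule("deny", "no execution from downloads", path="/home/*/Downloads/*"),
        Rule("deny", "no execution from removable media", path="/media/*"),
        Rule("allow", "OS binaries", path="/usr/bin/*"),
        Rule("allow", "signed mission software", path="/opt/mission/*", signer=MISSION_SIGNER),
        Rule("allow", "pinned helper by hash", sha256=hashlib.sha256(HELPER_BIN).hexdigest()),
        Rule("allow", "admin tools for admin accounts", path="/opt/admin/*", user="adm-*"),
    ],
}


def evaluate(path, content=b"", user="alice", signer=None, written_by=None):
    """Convenience wrapper around decide() for the constructed POLICY."""
    return decide(POLICY, ExecRequest(path, content, user, signer, written_by))


if __name__ == "__main__":
    for p in ("/usr/bin/ls", "/tmp/payload", "/opt/mission/tool", "/media/usb0/run.sh"):
        print(p, evaluate(p))
```

Two consequences of the ordering are worth checking in any product under evaluation: a trusted-updater write cannot override a deny rule (a file the updater drops on removable media is still blocked), and a signer-based allow rule does nothing for an unsigned copy of the same file, so the hash rule is the right tool for unsigned pinned tools.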
Intrusion Prevention | Host Firewall | Based on user and/or specified role, the host agent shall provide the capability to block connections to and from specified services, ports, and IP addresses on a per-process or per-role basis and report activity to the CMS.

Intrusion Prevention | Host Traffic Inspection | A host agent shall provide the capability to detect, log and report malicious activity within protocols that are tunneled over other protocols (before encryption is applied or after decryption).
Intrusion Prevention | Host Traffic Inspection | A host agent shall provide the capability to inspect network traffic to identify and block malicious activity based on commercial and government-developed signatures, DNS reputation, and whitelists and/or blacklists.
Intrusion Prevention | Host Traffic Inspection | Host agents which monitor network traffic shall provide the capability to inspect both IPv4 and IPv6 traffic on the host.

Intrusion Prevention | Memory Integrity | A module shall provide the capability to monitor the integrity of all host Random Access Memory (RAM) (including video RAM and process memory), detect or prevent memory corruption attacks (e.g., buffer overflow and use-after-free) and memory-resident malware (e.g., injected libraries and position-independent code), and report anomalies to the CMS.

Intrusion Prevention | Process Behavior | A host agent shall detect malicious Application Programming Interface (API) function calls based on custom (user-defined) behavior rules.
Intrusion Prevention | Process Behavior | A host agent shall detect threatening and anomalous application behavior and/or prevent applications from taking unauthorized actions (e.g., modifying registry keys/hives, file system, memory, etc.) and report activity to the CMS.
Intrusion Prevention | Process Behavior | A host agent shall provide the capability to prevent common host Internet browsers (e.g., Internet Explorer, Firefox, Chrome and Safari) and plugins from executing malicious code and content types (e.g., Java, Flash, XML, HTML5, etc.).

Intrusion Prevention | Removable Media Control | A host agent shall provide the capability to log and/or control access to removable media based on specified rule sets and report activity to the CMS.

Management | Host Agents | All solution components shall have the ability to be automatically deployed and configured based on predefined configurations.
Management | Host Agents | Authorized CMS administrators shall have the ability to terminate, enable or disable host endpoint security agents.
Management | Host Agents | The solution shall have the ability to securely push or pull upgrades, patches, signature-less rule sets, signatures, policies/benchmarks and other configuration data for all components of the system to associated host agents through offline/online or manual/automatic mechanisms, based on administrator requirements.

Management | Human Machine Interface | The CMS shall provide a customizable and extensible situational awareness display capable of displaying detailed and/or roll-up data, alerts and events from all lower-tier hosts.
Management | Human Machine Interface | The CMS user interface shall be remotely and securely accessible via web browser over the network by multiple simultaneous users, using DoD PKI (including CAC) authenticated and encrypted secure communications, including TLS supporting AES-256 encryption.

Management | Manageability | The solution shall support automated methods of reassigning host agents to alternate CMS servers without need for reinstallation.

Management | Modularity | The solution shall have the capability to integrate new functionality through the addition of non-proprietary management plug-ins and host agents developed by the government, open source and/or commercial vendors.
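The Human Machine Interface row above (browser access over TLS with DoD PKI/CAC authentication and AES-256) and the earlier Generic Security row requiring certificate revocation checking translate into a small number of server-side TLS settings, and the ones most often left at their defaults are client-certificate requirement and CRL checking. The following is an added example, written for this page and not DISA's text or any vendor's console, using Python's standard ssl module: a permissive context of the kind many consoles ship with, the hardened context the two rows call for, and an audit() that lists the gaps between a context and the rows. The CA bundle, CRL and server certificate paths are assumptions (they would come from the DoD PKI and the enclave CA) and are optional so that the block runs offline.

```python
"""TLS settings for the CMS web console (added example, not DISA's or any vendor's code)."""
import ssl

# TLS 1.2 suites using AES-256-GCM with ephemeral ECDH (forward secrecy).
AES256_SUITES = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384"


def weak_context():
    """Typical out-of-the-box console: server-only authentication, no revocation checking."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_NONE
    return ctx


def cms_context(ca_bundle=None, crl_file=None, server_cert=None, server_key=None):
    """Console context meeting the two rows; all file paths are optional assumptions."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers(AES256_SUITES)                 # TLS 1.3 suites are fixed by OpenSSL
    ctx.verify_mode = ssl.CERT_REQUIRED            # browser must present a (CAC) certificate
    ctx.verify_flags |= ssl.VERIFY_CRL_CHECK_LEAF  # reject revoked client certificates
    if ca_bundle:
        ctx.load_verify_locations(cafile=ca_bundle)   # trust only the DoD CA chain
    if crl_file:
        ctx.load_verify_locations(cafile=crl_file)    # CRLs are loaded the same way
    if server_cert:
        ctx.load_cert_chain(server_cert, server_key)
    return ctx


def audit(ctx):
    """Return a list of findings; an empty list means the context meets the rows."""
    findings = []
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        findings.append("client certificate not required (no PKI/CAC user authentication)")
    if not ctx.verify_flags & ssl.VERIFY_CRL_CHECK_LEAF:
        findings.append("no certificate revocation checking on client certificates")
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        findings.append("TLS versions below 1.2 accepted")
    for suite in ctx.get_ciphers():
        # TLS 1.3 suites cannot be restricted from Python; judge the TLS 1.2 list.
        if suite["protocol"] != "TLSv1.3" and "AES256-GCM" not in suite["name"]:
            findings.append("cipher suite without AES-256-GCM enabled: " + suite["name"])
    return findings


if __name__ == "__main__":
    for label, ctx in (("weak", weak_context()), ("cms", cms_context())):
        print(label, audit(ctx) or "meets the rows")
```

Two operational caveats follow from VERIFY_CRL_CHECK_LEAF: OpenSSL fails the handshake for every client when no CRL for the issuing CA is loaded or the loaded CRL has expired, so the CRL refresh has to be scheduled and monitored, and the ssl module performs no OCSP, so an OCSP responder has to be handled elsewhere if the PKI relies on one. After the handshake, the verified client certificate subject is what the Management Security rows' role-based access control should be keyed on, not a separately entered user name.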
Management | Reliability | The CMS shall support multiple Continuity of Operations (COOP) use cases, including hardware failure, network reconfiguration, bandwidth degradation, isolation, and recovery.

Management | Reporting | Authorized administrators shall have the ability to locally or remotely export incident and event data in the Structured Threat Information Expression (STIX) and Trusted Automated Exchange of Indicator Information (TAXII) formats, with embedded Cyber Observable Expression (CybOX) and Malware Attribute Enumeration and Characterization (MAEC).
Management | Reporting | The solution shall have the ability to automatically generate standardized or ad hoc reports, or be queried at any time, and shall be configurable for automated scheduled reporting and manually executed reporting/queries.

Management | Scalability | The CMS application shall scale to support the management of a client load of at least 200,000, dependent upon hardware capacity.
Management | Scalability | The solution shall have the ability to configure reports at varying levels of detail, from raw (full data) to aggregate (summarized or statistical) data, from the hierarchy of management systems up to the requesting tier, both through a human-readable interface and in machine-readable formats.
Management | Scalability | The solution shall have the capability to be remotely deployed and managed in a multi-tiered operational environment, supporting a nested hierarchy of common management systems.
Management | Scalability | The solution shall have the capability to report status and activity in a multi-tiered operational environment, supporting a nested hierarchy of common management systems.

Management | Security | All CMS components shall control access to administrative functions for all administrators using configurable access control policies (e.g., Role-Based Access Control).
Management | Security | The solution shall securely log and attribute the activities of authorized administrators and other privileged users of the CMS server.

Management | System Identification | The CMS shall have the ability to create and track globally unique identifiers (GUIDs) for every installed component (host and administrative terminal).
Management | System Identification | The solution shall track and provide identifying information about the host on which it runs, including at a minimum: system host name; operating-system-specific system identifier (e.g., Windows GUID); installed modules; time of last communication with the CMS; time of last automated or manual scan; description; time zone; current logged-in user name(s); last logged-in user name(s); Active Directory domain name (if applicable); domain/OU container; workgroup; DNS name(s); IPv4 address(es); IPv6 address(es); subnet address(es); subnet mask(s); MAC address(es); OS identifier in SWID/CPE format (name, version, service pack version, build number, platform); OS OEM identifier; hardware information; vendor information; user-defined tags.

(not given) | Quarantine | The solution shall provide the capability to automatically quarantine systems based on customizable rules (e.g., when specified malware types are detected).

Management | (not given) | Authorized administrators shall have the ability to locally or remotely export host configuration and vulnerability data in SWID tags and SCAP formats (ARF/ASR, OVAL/XCCDF, CVE, CPE).
Management | (not given) | Authorized administrators shall have the ability to locally or remotely export other available data in CSV (delimited) and/or XML formats where more specific standards do not exist.
Management | (not given) | The solution shall provide near-real-time actionable reporting of specified events, with recommended response actions to improve the security of the host (i.e., specific configuration/re-configuration actions).
Management | (not given) | The solution shall provide the means of storing, correlating and managing historical data up to the limitations of available storage.

Virtual Containment / Sandboxing | (not given) | A host agent module shall be able to be configured to control the ability of services, processes, tasks and applications to access peripheral devices (e.g., thumb drives, eSATA devices, smart card readers, printers, microphones, etc.).
Virtual Containment / Sandboxing | (not given) | A host agent shall strongly enforce isolation of applications (particularly high-risk applications) and separate user tasks from each other and from sensitive user information, for example using virtualization.
Virtual Containment / Sandboxing | (not given) | A virtual containment host agent shall be able to be configured to detect and capture anomalous or unauthorized behavior of processes within the container, including sufficient detail to support retrospective security analysis, with a minimum of 90 days of online searchable data.
Virtual Containment / Sandboxing | (not given) | A virtual containment host agent shall be able to remove the contents of application containers (e.g., VMs) suspected of being compromised and shall provide assurances that any compromise did not spread outside the container.
Virtual Containment / Sandboxing | (not given) | A virtual containment host agent shall provide assurances that destructive malware within the container is unable to negatively impact user data or the integrity of the system.

SPECIAL REQUIREMENTS: Must have Top Secret clearance. Must be ISO 9001 certified. Capability Maturity Model Integration (CMMI) Level 3.

RESPONSE GUIDELINES: Interested parties are requested to respond to this RFI with a white paper. Submissions cannot exceed 20 pages, single-spaced, 12-point type with at least one-inch margins on 8 1/2" x 11" page size. The response should not exceed a 5 MB e-mail limit for all items associated with the RFI response.
Responses must specifically describe the contractor's capability in achieving effective and efficient tools protecting against advanced persistent threats and where they are effective in the kill chain model discussed, and management tools that can provide effective management on multiple endpoint operating systems (OS) for the endpoint types described. Oral communications are not permissible. FedBizOpps will be the sole repository for all information related to this RFI. Companies who wish to respond to this RFI should send responses via e-mail no later than Monday, February 2, 2015 to Brittney E. Galle, Contract Specialist, brittney.e.galle.civ@mail.mil.

SUBMISSION DETAILS: Responses should include:
1) Business name and address;
2) Name of company representative and their business title;
3) Type of small business;
4) CAGE Code;
5) Contract vehicles that would be available to the Government for the procurement of the product and service, to include ENCORE II, General Services Administration (GSA), GSA MOBIS, NIH, NASA SEWP, Federal Supply Schedules (FSS), or any other Government Agency contract vehicle. (This information is for market research only and does not preclude your company from responding to this notice.)

Industry Discussions: DISA representatives may choose to meet with potential offerors and hold one-on-one discussions. Such discussions would only be intended to obtain further clarification of potential capability to meet the requirements, including any development and certification risks.

Questions: Questions regarding this announcement shall be submitted in writing by e-mail to Brittney E. Galle, Contract Specialist, brittney.e.galle.civ@mail.mil, phone: 618-229-9327. Verbal questions will NOT be accepted. Questions will be answered by posting answers to the Federal Business Opportunities website; accordingly, questions shall NOT contain proprietary or classified information.
The Government does not guarantee that questions received after Monday, February 2, 2015 will be answered. The Government will not reimburse companies for any costs associated with the submission of their responses.

DISCLAIMER: This RFI is not an RFP and is not to be construed as a commitment by the Government to issue a solicitation or ultimately award a contract. Responses will not be considered as proposals, nor will any award be made as a result of this synopsis. All information contained in the RFI is preliminary as well as subject to modification and is in no way binding on the Government. FAR clause 52.215-3, "Request for Information or Solicitation for Planning Purposes", is incorporated by reference in this RFI. The Government does not intend to pay for information received in response to this RFI. Responders to this invitation are solely responsible for all expenses associated with responding to this RFI. This RFI will be the basis for collecting information on capabilities available. This RFI is issued solely for information and planning purposes. Proprietary information and trade secrets, if any, must be clearly marked on all materials. All information received in this RFI that is marked "Proprietary" will be handled accordingly. Please be advised that all submissions become Government property and will not be returned, nor will receipt be confirmed. In accordance with FAR 15.201(e), responses to this RFI are not offers and cannot be accepted by the Government to form a binding contract.
Appendix: Abbreviations and terminology
AES - Advanced Encryption Standard
API - Application Programming Interface
ARF - Asset Report Format
ASLR - Address Space Layout Randomization
ASR - Assessment Summary Results
CAC - Common Access Card
CAPEC - Common Attack Pattern Enumeration and Classification
CKC - Cyber Kill Chain
CMRS - Continuous Monitoring Risk Scoring System
CMS - Central Management Solution
COOP - Continuity of Operations
CPE - Common Platform Enumeration
CSAAC - Cybersecurity Situational Awareness Analytical Cloud
CSV - Comma-separated values
CVE - Common Vulnerabilities and Exposures
CybOX - Cyber Observable eXpression
DEP - Data Execution Prevention
DIL - Disconnected, Intermittent and Low Bandwidth/High Latency
DLL - Dynamic Link Library
DNS - Domain Name System
DoD - Department of Defense
EMET - Enhanced Mitigation Experience Toolkit
FIPS - Federal Information Processing Standards
FOUO - For Official Use Only
GUI - Graphical User Interface
GUID - Globally Unique Identifier
IP - Internet Protocol
MAC - Media Access Control
MAEC - Malware Attribute Enumeration and Characterization
MDM - Mobile Device Management
NIST - National Institute of Standards and Technology
OVAL - Open Vulnerability and Assessment Language
PKI - Public Key Infrastructure
RAM - Random Access Memory
RFI - Request for Information
SCAP - Security Content Automation Protocol
SEHOP - Structured Exception Handler Overwrite Protection
SSL - Secure Sockets Layer
STIG - Security Technical Implementation Guide
STIX - Structured Threat Information eXpression
SWID - Software Identification (tag)
TAXII - Trusted Automated eXchange of Indicator Information
TLS - Transport Layer Security
VDI - Virtual Desktop Infrastructure
VM - Virtual Machine
VPN - Virtual Private Network
XCCDF - Extensible Configuration Checklist Description Format
XML - Extensible Markup Language
 
Web Link
FBO.gov Permalink
(https://www.fbo.gov/spg/DISA/D4AD/DITCO/MAC0099/listing.html)
 
Record
SN03608320-W 20150107/150105234116-682ee38a751757acc6d41aa1b273c366 (fbodaily.com)
 
Source
FedBizOpps Link to This Notice
(may not be valid after Archive Date)
