MODIFICATION
D -- Application containment and Endpoint Detection and Response (EDR) capabilities
- Notice Date
- 12/20/2017
- Notice Type
- Modification/Amendment
- NAICS
- 541519 -- Other Computer Related Services
- Contracting Office
- Defense Information Systems Agency, Procurement Directorate, DITCO-Scott, 2300 East Dr., Building 3600, Scott AFB, Illinois, 62225-5406, United States
- ZIP Code
- 62225-5406
- Solicitation Number
- 831812054
- Archive Date
- 1/20/2018
- Point of Contact
- Ellen T. Crain, Phone: 6182299679, Terina A. Folsom, Phone: 6182299740
- E-Mail Address
- ellen.t.crain.civ@mail.mil, terina.a.folsom.civ@mail.mil
- Small Business Set-Aside
- N/A
- Description
- REQUEST FOR INFORMATION AMENDMENT 01

The Defense Information Systems Agency (DISA) / Development and Business Center (DBC), Endpoint Security Solutions (ESS) Branch (DBC/ID/ID3), is seeking information from industry to assist with the development and planning of a potential new requirement. THIS IS A REQUEST FOR INFORMATION (RFI) NOTICE ONLY. THIS IS NOT A REQUEST FOR PROPOSALS (RFP). NO SOLICITATION IS AVAILABLE AT THIS TIME.

1. Overview/Purpose/Description of Procurement:

DISA, ESS Branch is seeking information from potential sources capable of providing application containment and Endpoint Detection and Response (EDR) capabilities that provide the necessary protection, detection, and response for an endpoint with the smallest overall footprint and lowest cost. Proposed solutions do not need to be similar to current solutions employed by the Government.

2. Scope of Effort:

DISA is responsible for the transition to an enhanced ESS. This includes the identification, testing, and piloting of products that address the need for endpoint (excluding devices like phones and tablets) security and management solutions. DISA is requesting responses for innovative products that support the containment and EDR capabilities of endpoint security. Any proposed solution must continue to be effective in disconnected, virtual, intermittent, and low bandwidth network conditions without a dependence upon regularly recurring (e.g. daily, weekly, monthly) content updates. The proposed products must be capable of scaling to millions of endpoints and provide information in near real-time. The scope of this effort is to gather information on viable products that may be able to be part of the eventual ESS. DISA is requesting responses on specific products that meet capability requirements, instead of proposed solutions made up of many components. Responders to this RFI will be considered for solution test and pilot activities.

3.
Technical Characteristics:

The technical requirements for the ESS build on the recommendations to acquire new solutions to deliver an ESS for application containment and endpoint detection and response capabilities. Part of the need for new and innovative ESS is to identify solutions that can operate in disconnected, virtual, intermittent, and low bandwidth network environments. These new capabilities are described as follows:

Containment: Provides the ability to restrict execution of high-risk applications and computer processing activities to an isolated environment. High-risk applications and activities (e.g., web browsing, manipulating documents, and viewing portable document formats from untrusted sources) continue to be an avenue for adversaries to install malware and perform malicious actions within the Department of Defense (DoD). Containment capabilities use virtual computing environments running on the endpoint to execute untrusted content. When untrusted content is processed within the virtual environment, any changes made to that virtual environment, malicious or benign, are completely discarded at the conclusion of that activity. Optionally, suspicious changes may be forwarded to a common management server where detailed intelligence can be gathered on the changes made to the virtual computing environment. This data can then inform analysis and facilitate threat sharing with other systems such as Security Information and Event Management (SIEM) systems and perimeter-based defenses.

EDR: Provides capabilities allowing cyber defenders to quickly detect and investigate security incidents and automatically detect malicious system activities and behaviors. EDR capabilities continuously record significant events occurring on managed systems for the purpose of identifying, reporting, and investigating malicious activity, thereby reducing an adversary's dwell time on DoD networks. Recorded data is accessible through a management console query interface.
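The containment model described above (execute untrusted content against an isolated copy of endpoint state, discard every change when the activity ends, forward only the suspicious changes, UTC-stamped, to a management server) as an added illustration; this is not part of the RFI and not any vendor's product. The host state, the two detection rules (auto-run key writes and dropped executables, which the EDR section of the notice also calls out) and the sample document activity are all constructed for the example.

```python
"""Added example (not part of the DISA RFI): a minimal model of the
containment contract the notice describes.  Untrusted content is processed
against a throw-away copy of endpoint state; when the session closes every
change to that copy is discarded, and changes matching detection rules are
summarised into a UTC-timestamped report for a management server.
All names, rules and sample activity below are constructed for illustration."""

from copy import deepcopy
from datetime import datetime, timezone
import json

# Constructed baseline of the trusted host side: a tiny "filesystem" and
# "registry".  Real containment works at the OS or hypervisor layer; this only
# models the discard-and-report behaviour.
HOST_STATE = {
    "files": {"C:/Users/user/Documents/report.docx": "quarterly figures"},
    "registry": {"HKCU/Software/Example/Setting": "1"},
}

# Constructed rules for what counts as suspicious inside the container.
AUTORUN_PREFIXES = ("HKCU/Software/Microsoft/Windows/CurrentVersion/Run",
                    "HKLM/Software/Microsoft/Windows/CurrentVersion/Run")
EXECUTABLE_SUFFIXES = (".exe", ".dll", ".ps1", ".vbs")


class ContainerSession:
    """Runs an activity against a disposable copy of the host state."""

    def __init__(self, host_state, now=None):
        self._baseline = deepcopy(host_state)   # what the container starts from
        self.state = deepcopy(host_state)       # what the contained app mutates
        self.started = now or datetime.now(timezone.utc)

    def diff(self):
        """Every change the contained activity made, as (store, op, key)."""
        changes = []
        for store in ("files", "registry"):
            before, after = self._baseline[store], self.state[store]
            for key in sorted(set(before) | set(after)):
                if key not in before:
                    changes.append((store, "created", key))
                elif key not in after:
                    changes.append((store, "deleted", key))
                elif before[key] != after[key]:
                    changes.append((store, "modified", key))
        return changes

    def suspicious(self):
        """Subset of the changes that match the constructed detection rules."""
        hits = []
        for store, op, key in self.diff():
            if store == "registry" and key.startswith(AUTORUN_PREFIXES):
                hits.append({"store": store, "op": op, "key": key, "rule": "autorun-key"})
            elif store == "files" and op == "created" and key.lower().endswith(EXECUTABLE_SUFFIXES):
                hits.append({"store": store, "op": op, "key": key, "rule": "dropped-executable"})
        return hits

    def close(self, now=None):
        """Discard all changes; return a UTC-stamped report of suspicious ones."""
        finished = now or datetime.now(timezone.utc)
        report = {
            "started": self.started.isoformat(),
            "finished": finished.isoformat(),
            "total_changes": len(self.diff()),
            "suspicious": self.suspicious(),
        }
        self.state = deepcopy(self._baseline)   # nothing persists past the session
        return report


def run_untrusted_document(session):
    """Constructed sample activity: a document macro drops a script, registers it
    under an auto-run key, and also makes one benign settings change."""
    session.state["files"]["C:/Users/user/AppData/Local/Temp/update.vbs"] = "<script body>"
    session.state["registry"]["HKCU/Software/Microsoft/Windows/CurrentVersion/Run/Updater"] = \
        "wscript.exe C:/Users/user/AppData/Local/Temp/update.vbs"
    session.state["registry"]["HKCU/Software/Example/Setting"] = "2"


def process_untrusted_content(host_state, activity):
    """Full cycle: open a container, run the activity, close it, and confirm the
    host state is untouched before returning the report."""
    session = ContainerSession(host_state)
    activity(session)
    report = session.close()
    assert session.state == host_state      # the changes were discarded
    return report


if __name__ == "__main__":
    print(json.dumps(process_untrusted_content(HOST_STATE, run_untrusted_document), indent=2))
```

The report carries only the two rule hits plus a count of total changes, which is the shape of data a management server or SIEM would ingest; the benign settings change is discarded along with everything else, matching the "malicious or benign" discard rule in the notice.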
The EDR capability complements other endpoint security measures and capabilities, including the ability to restrict execution of high-risk applications and computer processing.

For the purposes of this RFI, endpoints are described as follows:

- Thick Client - Network clients running on fully-capable systems. Local storage and processing capability; can operate independently if not connected to a network.
- Thin Client - Network client running on a minimally-capable system. Minimal local storage and processing capability.
- Zero Client - Client with no capability outside of a network context.
- Server - Responds to client requests; provides enterprise services (typically in data centers). Users are System Administrators.
- Virtual Client - Client running virtually on a host platform; no physical resources.

The target is an endpoint (excluding devices like phones and tablets) security and management solution that mitigates prevalent adversary attack vectors, tactics, and techniques used to compromise a system. The proposed solution must automatically isolate the execution of high-risk applications interacting with untrusted content from more trusted portions of the endpoint (e.g. host operating system); and/or the solution must facilitate incident detection, investigation, response and threat hunting. Any proposed solution must continue to be effective in disconnected, virtual, intermittent, and low bandwidth network conditions without a dependence upon regularly recurring (e.g. daily, weekly, monthly) content updates. The proposed solution must be capable of scaling to millions of endpoints and provide information in near real-time. Any proposed solution must be ready for testing and subsequent piloting. In order for the Government to evaluate the technical merits of the vendors' solution(s), the solution(s) shall be capable of meeting the following technical requirements:

Containment

1. The solution shall automatically isolate applications interacting with untrusted content (e.g., internet web pages, email, removable media, and office documents) from more trusted portions of the device outside the container.
2. The solution shall automatically detect potentially malicious code behavior executing within the isolation container.
3. The solution shall automatically capture necessary details (e.g., ports and protocols in use, running executables and services, browser plugins in use, etc.) of events (e.g., malicious activity) occurring within the isolation container to support retrospective post-event analysis, threat analysis, and situational awareness.
4. The solution shall automatically constrain potentially malicious activity to within the isolation container.
5. The solution shall be configurable to control the ability of applications running within the isolation container to access only specified system resources (e.g., storage devices, network resources, human interface devices, etc.).
6. The solution shall automatically eliminate and report all isolation container artifacts of compromise and intrusion remnants to the common management server in support of rapid remediation and investigation.
7. The solution shall automatically restore access to a potentially compromised application within 60 seconds post-compromise, unless configured to allow malware to run for the purpose of analysis.
8. All components shall be protected against unauthorized/malicious access and modification. This applies to executable code, data, and component settings.
9. The solution shall provide continual verification of the integrity of the isolation container to ensure there is no unauthorized/malicious access or persistent modification.
10. Solution components shall not impair authorized system operations (e.g., patching, scanning, business software usage, information assurance tools/initiatives (Secure Host Baseline, Assured Compliance Assessment Solution, etc.)), nor shall they degrade managed system performance in any way which may adversely impact a system's primary business/mission functions.
11. The solution shall provide automatic time stamping of all collected data and events based on a single time standard (e.g., Coordinated Universal Time).
12. The solution shall support the Department's currently mandated means of authentication (e.g., Public Key Infrastructure (PKI)).
13. The solution shall securely store and transmit data in a manner that ensures the confidentiality, integrity, availability, and source authenticity of the data.
14. The solution shall automatically report operating status and configuration to its common management system, based on a pre-defined schedule, to ensure the capability is operating and configured as expected.
15. The solution shall interoperate with event monitoring and correlation systems (e.g. SIEMs) to facilitate aggregated situational awareness.
16. The solution shall allow for patching and update of containerized applications through a means of automated verification (e.g., integration with automated patch management infrastructure/processes).
17. The solution shall encrypt all data in transit or data at rest with Federal Information Processing Standards (FIPS) 140-2 compliant cryptographic modules.
18. The solution shall support open standards for automated threat information sharing.
19. The solution shall protect managed endpoints operating in Connected, Disconnected, Intermittent, and Limited (DIL) bandwidth networked and standalone environments.
20. The solution shall report to the Common Management Server all potentially malicious events encountered while the managed endpoint was without network connectivity.
21. The solution shall provide configurable alerting based upon administrator-defined criteria.
22. The solution shall send alerts at administrator-definable intervals.
23. The solution shall, at a minimum, operate on the most common vendor-supported operating systems approved for use in the DoD environment (e.g., Microsoft Windows 8.1, Windows 10 (including Secure Host Baseline), Exchange Server 2016, and Linux).
24. The solution shall provide the ability for designated administrators, authenticated according to DoD standards, to configure the solution in accordance with applicable DoD policies.
25. The solution shall automatically report potentially malicious events detected within the isolation container to a common management server and provide actionable information in a non-proprietary, standard format (e.g. Structured Threat Information eXpression (STIX)).
26. The isolation container shall ensure that destructive malware within the container is unable to negatively impact user data or the integrity of the host system.
27. The solution shall, where possible, inspect and/or sanitize active or potentially malicious untrusted content passing out of the container to the underlying more-trusted host. Examples include copy-paste, printing, file saving, synchronization of configuration, and user data such as cookies and bookmarks. Sanitization should re-encode content in such a way as to minimize the likelihood of malicious exploitation when the content is processed.
28. The solution should be capable of containing operating system kernel-level vulnerability exploitation.
29. The solution shall have the capability to be tuned/configured to reduce alerts resulting from false positives.
30. The solution's uninstall capability shall ensure no artifacts are left behind following execution of the uninstall processes.
31. All solution components shall have the ability to be automatically deployed and configured based on predefined configurations.

EDR

1. The solution shall provide the ability to automatically capture, record and analyze a user-selectable range of endpoint parameters and events in order to assess system operations, support risk management and enable hunt and forensic activities. Examples of data the solution shall be capable of capturing include:
   - Windows Registry - Changes to keys (and their associated processes, including auto-run keys), Access Control Lists (ACLs), license keys, ownership, and administrative rights.
   - User Activity - Authentication and privileged user activities.
   - Network Activity - File transfers, connections opened and closed, destination (Uniform Resource Locator, Internet Protocol), type of traffic and encryption method (e.g., File Transfer Protocol, Secure File Transfer Protocol, Server Message Block, Transport Layer Security, and Secure Sockets Layer).
   - Processes and Services - Automatic and manual starts and stops. Process parent and child relationships. Loaded and unloaded Dynamic Link Libraries, and a record of their associated processes and files on the filesystem.
   - Software Changes - Operating system, driver and program installation, uninstall, patching, and modification information (e.g., software versions, software identification tags, patch information and mutex data).
   - Peripheral Connections - Wired and wireless connections to peripheral devices.
   - Other File Activity - Files created, opened, closed, saved, modified, moved, or deleted.
   - In-memory Activities - In-memory activities associated with potentially malicious activity, including mutexes and named pipes associated with processes.
   - Hardware Changes - Peripheral device detection, removal, or modification.
2. The solution shall not impair authorized system operations (e.g., patching, scanning, business software usage, information assurance tools/initiatives (Secure Host Baseline, Assured Compliance Assessment Solution, etc.)), nor shall it degrade managed system performance in any way which may adversely impact a system's primary business/mission functions.
3. The solution shall encrypt all data in transit or data at rest with FIPS 140-2 compliant cryptographic modules.
4. The solution shall, at a minimum, operate on the most common vendor-supported operating systems approved for use in the DoD environment (e.g., Microsoft Windows 8.1, Windows 10 (including Secure Host Baseline) and Exchange Server 2016).
5. The solution shall support automated/scheduled transfer of endpoint data to Government-approved data archives (e.g., commercial cloud, DoD-owned, federal data center, etc.).
6. The solution shall provide time stamping of all collected data and events based on a single time standard (e.g., Coordinated Universal Time).
7. The solution shall securely store and transmit data in a manner that ensures the confidentiality, integrity, availability, and source authenticity of the data.
8. The solution shall provide the ability to automatically discover and alert on previously unknown external and/or internal hardware/peripheral devices (such as storage) connected to endpoints for the purpose of retrospective/post-event analysis.
9. The solution shall provide integrated and customizable search with, at minimum, the ability to, from the central management server or other authorized consoles, search data from all systems for information relevant to an incident investigation or risk analysis.
10. The solution shall have the ability to execute manual and scheduled scans of specified systems for indicators derived from threat intelligence or other sources.
11. The solution shall provide integrated analytics (including visualization) and support the creation of custom analytics, in order to identify anomalous endpoint behaviors, support incident investigation, and perform event analysis.
12. The solution shall have the ability to pull locally stored data from specified endpoints in near real time to support high-priority hunt and forensic operations.
13. The solution shall provide automatic hardware-level, operating system-level, and application-level monitoring.
14. The solution shall allow administrative functions to be delegated to users based on roles/permissions and/or groupings of endpoints they are responsible for managing.
15. The solution shall provide automated analysis and visualization of an attack, including production of an event timeline and an initial assessment of severity/impact.
16. The solution shall support delegation (i.e., user-specified) of who can access/view collected endpoint data.
17. The management and analytic components of the solution shall scale to support an endpoint client load of at least 500,000 endpoints.
18. The solution shall support the Department's currently mandated means of authentication (e.g., PKI).
19. The solution shall automatically report detection of potentially malicious events to a common management server and provide actionable information in non-proprietary, standard formats (e.g. STIX).
20. The solution shall generate reports based on pre-saved user-defined formats and datasets to facilitate rapid analysis, decision making, and follow-up actions following events.
21. The solution shall, through a central management server, provide options for configurable automated or manual remediation actions in response to detected potentially malicious events.
22. The solution's uninstall capability shall ensure no artifacts are left behind following execution of the uninstall processes.
23. The solution shall support the rapid push (objective: within 30 seconds) of configuration changes from the management server to all installed agents.
24. The solution shall protect managed endpoints operating in Connected, DIL bandwidth networked, and standalone environments.
25. All solution components shall have the ability to be automatically deployed and configured based on predefined configurations.
26. The solution shall report to the common management server all potentially malicious events encountered while the managed endpoint was without network connectivity.
27. All components shall be protected against unauthorized/malicious access and modification. This applies to executable code, data, and component settings.

4. Requested Information:

Interested vendors are requested to submit a maximum ten-page statement of their capabilities with respect to the following:

1. It is required that any proposed solution be ready for testing and subsequent piloting at the time of the RFI posting.
2. The costs associated with preparing and submitting responses are not considered an allowable direct charge to any contract or agreement.
3. Elaborate brochures or proposals are not desired.
4. Responders are strongly encouraged to use diagram(s) or figure(s) to depict the essence of the proposed solution.
5. Multiple responses addressing different topic areas may be submitted by the same organization; however, each response may only address one concept based on the stated topic area of interest as described in the problem statement.
6. The period of performance for any response or submission under this offering should generally be no greater than 12 months.
7. Technical data with military application may require appropriate approval, authorization, or license for lawful exportation.
8. All responses shall be unclassified.
   Responses containing data that is not to be disclosed to the public for any purpose or used by the Government except for evaluation purposes shall include the following sentences on the cover page: "This solution brief includes data that shall not be disclosed outside the Government, except to non-Government personnel for evaluation purposes, and shall not be duplicated, used, or disclosed -- in whole or in part -- for any purpose other than to evaluate this submission. If, however, an agreement is awarded to this company as a result of -- or in connection with -- the submission of this data, the Government shall have the right to duplicate, use, or disclose the data to the extent agreed upon by both parties in the resulting agreement. This restriction does not limit the Government's right to use information contained in this data if it is obtained from another source without restriction. The data subject to this restriction are contained in sheets [insert numbers or other identification of sheets]." Each restricted data sheet should be marked as follows: "Use or disclosure of data contained on this sheet is subject to the restriction on the title page of this proposal."
9. Due to security concerns, source code development must be done solely and wholly within the United States.
10. The ability to obtain an agreement based upon a submission may depend upon the ability of the business to obtain necessary clearances and approvals to operate within Government organizations.

Response Guidelines

Interested parties are requested to respond to this RFI with a white paper. Responses cannot exceed ten pages, single spaced, 12-point type with at least one-inch margins on 8 1/2" x 11" page size. The response should not exceed a 5 MB e-mail limit for all items associated with the RFI response. Responses must specifically describe the company's ability to meet the requirements outlined in this RFI. Oral communications are not permissible. FedBizOpps (FBO) will be the sole repository for all information related to this RFI. Companies who wish to respond to this RFI should send responses via email no later than 10:30 a.m. central standard time (CST) on January 5, 2018 to Ellen T. Crain, ellen.t.crain.civ@mail.mil and Terina A. Folsom, Terina.a.folsom.civ@mail.mil.

RESPONSE DETAILS: Companies are asked to submit a response to the RFI describing how their technology/solution addresses the problem and requirements identified. The response should include the following:

1. Title Page (does not count against page limit) - company name, title, date, point of contact name, e-mail address, phone, and address.
2. Executive Summary (one page) - Provide an executive summary of the technology.
3. Technology Concept
   a. Describe the unique aspects of the technology and the proposed work as they relate to the topics described in the technical characteristics and the technical requirements;
   b. Describe how the technology addresses the technical requirements listed above;
4. Company Viability
   a. Provide a brief overview of the company (to include name, corporate address, and size/category (large, medium, or small)).
   b. Identify the location (country, city, and state) of the corporate headquarters.
   c. Identify all partners involved in the development of the proposed solution and list the location of their corporate headquarters.
   d. Describe corporate expertise and length of corporate experience in this area.
   e. Provide information regarding any past Government supply chain risk management related investigations (i.e. if investigated, dates of investigation, outcome, and activity related to the investigation (contract or other business with a government entity)).
   f. Identify the company's Commercial and Government Entity code for conducting business with the Federal Government, if held.
5. Estimated Cost Information
   a. Cost Rough Order of Magnitude for ~3 M endpoints.
   b. Existing Cost Model (individual, volume, unlimited)
6. Data Rights/Intellectual Property Considerations

Industry Discussions: DISA representatives may choose to meet with potential responders and hold one-on-one discussions. Such discussions would only be intended to obtain further clarification of potential capability to meet the requirements, including any development and certification risks.

Questions: Questions regarding this announcement shall be submitted in writing by e-mail to Ellen T. Crain, ellen.t.crain.civ@mail.mil and Terina A. Folsom, terina.a.folsom.civ@mail.mil. Verbal questions will NOT be accepted. Answers to questions will be posted to FBO. The Government does not guarantee that questions received after 10:30 a.m. CST on December 21, 2018 will be answered. The Government will not reimburse companies for any costs associated with the submission of their responses.

Disclaimer: This RFI is not an RFP and is not to be construed as a commitment by the Government to issue a solicitation or ultimately award a contract. Responses will not be considered as proposals, nor will any award be made as a result of this synopsis. All information contained in the RFI is preliminary as well as subject to modification and is in no way binding on the Government. Federal Acquisition Regulation (FAR) clause 52.215-3, "Request for Information or Solicitation for Planning Purposes," is incorporated by reference in this RFI. The Government does not intend to pay for information received in response to this RFI. Responders to this invitation are solely responsible for all expenses associated with responding to this RFI. This RFI will be the basis for collecting information on capabilities available. This RFI is issued solely for information and planning purposes. Proprietary information and trade secrets, if any, must be clearly marked on all materials. All information received in this RFI that is marked "Proprietary" will be handled accordingly. Please be advised that all submissions become Government property and will not be returned, nor will receipt be confirmed. In accordance with FAR 15.201(e), responses to this RFI are not offers and cannot be accepted by the Government to form a binding contract.
- Web Link
- FBO.gov Permalink: https://www.fbo.gov/spg/DISA/D4AD/DITCO/831812054/listing.html
- Place of Performance
- Address: Ft Meade, MD and National Capital Region, Ft. Meade, Maryland, 20755-0549, United States
- Zip Code: 20755-0549
- Record
- SN04772118-W 20171222/171220231019-9018bb4d9e8db0a9dfe50156894502c4 (fbodaily.com)
- Source
- FedBizOpps Link to This Notice (may not be valid after Archive Date)