MODIFICATION
D -- Automated Dynamic Malware Analysis Tools
- Notice Date
- 4/17/2018
- Notice Type
- Modification/Amendment
- NAICS
- 511210
— Software Publishers
- Contracting Office
- Department of State, Office of Acquisitions, Acquisition Management, 1735 N. Lynn St., Arlington, Virginia, 22209, United States
- ZIP Code
- 22209
- Solicitation Number
- 19AQMM18N0045
- Archive Date
- 5/4/2018
- Point of Contact
- Jessica Osterberger, Phone: 2026742501
- E-Mail Address
-
OsterbergerJL@state.gov
- Small Business Set-Aside
- N/A
- Description
-
April 10, 2018

REQUEST FOR INFORMATION - 19AQMM18N0045
Department of State, Bureau of Diplomatic Security, Office of Security Technology
Automated Dynamic Malware Analysis Tools

Purpose

This is a Request for Information (RFI) as outlined in FAR 15.201(c)(7). The purpose of this RFI is to accomplish market research pursuant to Federal Acquisition Regulation (FAR) Part 10, and to identify small businesses capable of performing the services described herein. This notice is issued solely for information and planning purposes and does not constitute a Request for Proposal (RFP) or a commitment on the part of the Government to issue a solicitation for the below-listed services in the future. Responders are advised that the Government will not pay for information submitted in response to this RFI, nor will it compensate interested parties for any costs incurred in the development/furnishing of a response. Please note that a decision not to submit a response to this RFI will not preclude a vendor from participating in any future solicitation.

Instructions

The Government is seeking responses from small businesses ONLY. The respondent must self-certify itself as small under North American Industry Classification System (NAICS) Code 511210, Computer Software Publishers, with a corresponding small business size standard of $38.5 million average annual receipts over the last 3 years. Responses are limited to 10 pages or less and must be submitted in Microsoft Word or Portable Document Format (PDF), using Times New Roman, 12-point font. The Government will not entertain telephone calls or questions for this RFI.

The responses should include the following information:

A. Company Profile, to include:
  1. All interested companies must have an active registration in the System for Award Management (SAM) and not be on the Excluded Party List.
  2. Statement self-certifying the company as small under the NAICS code 511210, Computer Software Publishers, and identifying the socioeconomic category of the business (e.g., 8(a), Service Disabled Veteran Owned, Women Owned, HUBZone, Small Business, etc.).
  3. Information regarding all Government-wide acquisition contracts held, i.e., vehicle name, contract number, etc.
  4. DUNS Number.
  5. CAGE Code, to include National Industrial Security Program Clearance Information (if applicable).
  6. Company Point-of-Contact and contact information, i.e., telephone number and email address.

B. Technical Capability, to include:
  1. Documentation in enough detail to allow the Government to determine if the software can meet the following required salient characteristics:

  I. ADMA Required Capabilities: The system shall have the ability at the network and/or endpoint (PC, Server) layer to:
    1. Automate processes for detection and tactical analysis.
    2. Assess the damage from an intrusion by providing a risk score.
    3. Discover and catalog indicators of compromise that will reveal other machines that have been affected by the same malware intruder's technique.
    4. Determine the sophistication level of the malcode author.
    5. Identify the vulnerability that was exploited to allow the malcode to infect the system in the first place.
    6. Identify the intruder or insider that is responsible for installing the malcode.
    7. Discover the purpose of the malcode.
    8. Demonstrate how the malcode would infect the system.
    9. Prevent malcode from spreading through the network.
    10. Remove the malcode from the system upon detection.
    11. Show if the malcode/program has any rootkit functionality.
    12. Show if the malcode has any anti-debugging functionality.
    13. Show the language (PERL, C, Python, etc.) in which the code was written.
    14. Determine if the malcode is based on any other previously known threat intelligence.
    15. Determine if the malcode is persistent.
    16. Determine how the malcode was compiled.
    17. Determine how the malcode was assembled and what was used to assemble it.
    18. Interface with Bluecoat email proxy, Microsoft Active Directory (AD), and Splunk.
    19. Must be 508 compliant.

  II. Operational Required Capabilities: The system shall have the ability to:
    1. Detect and stop APTs using attachments such as: images, Portable Document Format (PDF), ZIP, Roshal Archive (RAR), Transport Neutral Encapsulation Format (TNEF), Flash, Office documents, etc.
    2. Stop inbound malware and outbound command and control communication (CnC); detect and stop malicious Uniform Resource Locators (URLs/hyperlinks) within email or webpages.
    3. Detect and capture dynamic callback destinations by:
       1. Destination IP address;
       2. Ports used; and
       3. Protocols (e.g. HTTP, FTP, IRC, etc.).
    4. Execute the malcode in either a built-in virtualization environment or have the ability to integrate with sandbox technologies.
    5. Have real-time access to a quarantine directory that contains all malicious emails with their respective payloads, used for future analysis.
    6. Provide forensic analysis of the exploit with a report to include:
       1. Summary report for management review. Data elements of the summary report include number of events processed listed by type, number of events flagged listed by type, and number of events blocked listed by type; and
       2. Full technical report on each event reported at the time of the event and a verbose report including all data elements available.
    7. Have the capability for YARA based rules creation and customization.
    8. Integrate with Splunk for correlation and fast query abilities by:
       1. Native Connector; and
       2. Universal connector such as: Common Event Format (CEF).
    9. Have the ability to "view/playback" malcode to see exactly what the executed code on the victim machine does and how it behaves in a secure virtual environment or sandbox.
    10. Have the ability to perform configuration changes via Command Line Interface (CLI).
    11. Have the ability to alert on Virtual Machine (VM) aware malcode. This function is critical for tool technologies that utilize virtual machine sandboxing technologies.
    12. Have the ability to import or customize virtual victim operating systems, configurations, and hosted application images, to include multiple instances of:
       1. Operating Systems (Windows 7 & 8, Windows Server 2003/2008/2012); and
       2. Browsers (Edge, Internet Explorer, Firefox/Mozilla, Chrome, Opera).
    13. Have a secure analyst client that is non-Java based, to include:
       1. Secure browser access; and
       2. EXE compiled client.
    14. Have the ability to accept DoS approved IP addressing configurations.
    15. Have a mechanism to show how the victim system's normal configuration state changed, to include at a minimum:
       1. DLL changes;
       2. Registry changes;
       3. File system changes (permissions);
       4. Operating system modification reports; and
       5. Addition or removal of files.
    16. Utilize Microsoft Active Directory for Single Sign-on capabilities.
    17. Have the ability to implement policy triggers, at a minimum:
       1. Customize/create special policies based on DoS internal policies;
       2. Native policy obtained from a one-way pull cloud-based subscription;
       3. Capability to generate reports based on violated policies and to send to appropriate stakeholders based on format, content, frequency and role-based access; and
       4. Alerts must be fully configurable (based on recipient) and customizable.

  III. Security Engineering and Support Required Capabilities: The system shall have the ability to:
    a. Scale in order to monitor and protect at least 3 Points of Presence (POPs).
    b. Have a single management console/interface to manage the infrastructure.
    c. Support the current network specification (Item IV below) and the ability to support projected 10% throughput growth annually for the next 5 years with no additional hardware or software.
    d. Provide hardware vendor agnostic platforms for both application and storage systems.
    e. Provide root access to operating system, application, and all components as required by DoS for full system lifecycle management and administration.
    f. Be architected to support Continuity of Operations (COOP)/Disaster Recovery (DR) requirements for DoS stakeholders utilizing the tool on a 24 x 7 x 365 basis. Must be configurable to support a distributed topology architecture.
    g. Provide a dedicated Subject Matter Expert (SME) for onsite support & tool optimization at the DoS Security Operations Center (SOC). Frequency of support shall include:
       ii. Integration and tuning support not to exceed 160 hours in a contract year; and
       iii. Intermittent onsite consultation for tool health checks and/or troubleshooting not to exceed 160 hours in a contract year.
    h. Provide a detailed secure customer web portal with the following (minimum) characteristics:
       iv. Inventory of all purchased assets and versioning details;
       v. Standard Operating Procedures (SOPs), administration guides, installation guides, white papers;
       vi. A queryable knowledgebase for engineers and analysts; and
       vii. Online ticketing for break/fix requests and historical tracking.
    i. Have 24 x 7, US-based support accessible by phone, web, email, and a liaison representative or SME designated for DoS, and a clearly defined escalation and resolution process.
    j. Clear Returned Merchandise Authorization (RMA) processes with 4-hr shipment of replacement. Vendor shall assume and accept that DoS will not return any Hard Drives.
    k. Provide recurring software system updates via email notification, accessible by a secure download method, to address:
       viii. New feature updates;
       ix. Bug fix and security updates; and
       x. New knowledge base documents.

  IV. Network Performance Specifications: The following chart illustrates current measured bandwidth (BW) utilization on a 24-hr basis. The purpose of this measurement showing bi-directional flow is to provide conceptual calculations as required for properly architecting a tool based on throughput handling abilities. It must be noted that any architecture considerations must calculate sustained growth for 5 years and be architected accordingly.

    Estimate: Current Infrastructure Bandwidth (BW), Incoming & Outgoing

    Site                                          Estimated Peak BW (Mbps)   Estimated Average BW (Mbps)
    SITE 1-E (inside border protection)           10240                      5550 (@ ~54.5% Util.)
    SITE 1-E (outside / public facing)            10240                      5150 (@ ~50.5% Util.)
    SITE 2/SITE 3-W (inside border protection)    10240                      3500 (@ ~34.5% Util.)
    SITE 2/SITE 3-W (outside / public facing)     10240                      3100 (@ ~30.5% Util.)

  V. Email Statistics Required Capabilities: Provided below is the average number of emails received by DS in a 24-hr period after email has passed through the DoS gateway security tools. It also shows the anticipated growth over a period of 5 years. The system shall be able to withstand this projected growth. It must be noted that the statistics below do not show emails containing embedded URLs.

    Emails Per Day (2018)                     500,000
    Emails w/Attachments Per Day (2018)       15,000
    Projected Emails Per Day (2023)           750,000
    Projected Emails w/Attachments (2023)     22,500

C. Information on the company's ability to provide cleared and qualified personnel. The required clearance level for the on-site support personnel is SECRET.

Submit your response no later than Thursday, April 19, 2018 at 12:00 PM Eastern Time, to Jessica Osterberger at OsterbergerJL@state.gov.
- Web Link
-
FBO.gov Permalink
(https://www.fbo.gov/spg/State/A-LM-AQM/A-LM-AQM/19AQMM18N0045/listing.html)
- Record
- SN04892856-W 20180419/180417231117-f8e1ce0f1397e7e9f8f6c95f89ac0858 (fbodaily.com)
- Source
-
FedBizOpps Link to This Notice