Loren Data Corp.

COMMERCE BUSINESS DAILY ISSUE OF AUGUST 10, 1995 PSA#1407

Department of the Treasury, Internal Revenue Service (IRS), ISC, 2701 Prosperity Avenue, Fairfax, VA 22031

D -- IRS EVALUATION/TESTING OF COMMERCIAL INFORMATION/NETWORK ENCRYPTION PRODUCTS Contact, Dale Burtyk, Telecommunications Specialist, (703) 876-4336. The Internal Revenue Service's (IRS) Infrastructure project office seeks vendors to provide encryption products free of charge for limited-duration usability, functionality, interoperability, and performance tests. The purpose of this Request for Information (RFI) is to solicit vendors to provide technical, marketing, and other pertinent materials on products they would like to be considered for evaluation by IRS. IRS plans to evaluate secret key encryption and public key technologies for possible implementation on existing subnetworks within the IRS. All technical evaluation, integration, and testing of vendor-contributed products will be performed by an existing IRS contractor at any of several IRS sites throughout the United States.
Contributed hardware and/or software-based products are required for installation, testing, and evaluation in any or all of the following IRS Proof-of-Concept testing environments: subnetworks consisting of clients (NCR 3333) and servers (NCR 3430) running Windows for Workgroups and Windows NT using Internet Protocol (IP) over Ethernet; the subnetworks are connected to the CDN via Cisco 4000 routers. There will also be asynchronous connections to communication servers by remote IRS users, i.e., personnel in the field, small Post of Duty (POD) offices, and system administrators requiring remote access.
IRS will conduct a phased evaluation of vendor-contributed products, corresponding to the distinct requirements of these diverse IRS environments. Vendors may contribute encryption-based technologies for any or all of the following phases: (A) dial-in security for remote users (i.e., personnel in the field, POD stations with less than 5 people, and remote access after hours for system administrators in critical situations) from a workstation to a communications server, (B) IRS subnetwork to IRS subnetwork traffic via CDN with selective encryption based on IP address, and (C) session-based workstation-to-workstation traffic with selective encryption based on destination.
The dial-in security phase will evaluate and test the identified encryption products for dial-in security in the following scenarios: (1) Windows NT Remote Access Server (RAS)-to-RAS (client and server); (2) Windows for Workgroups client-to-RAS; (3) System administrator's laptop-to-System (Server, Mini, Mainframe (Windows NT, Sequent, Pyramid)); and (4) MS-Mail Mail Transfer Agent (MTA)-to-MTA. For dial-in, encryption devices must support speeds of 28.8 kbps or greater.
The subnetwork access phase will provide selective encryption of traffic at the IP layer between IRS subnetworks, prior to CDN/TCS access and after CDN/TCS egress, based on source and destination domains. Protection shall occur under the control of the IRS subnetwork owner before traffic enters the general IRS environment. Encryption devices must not degrade the speed of the underlying network, i.e., a minimum speed of 3 Mbps on 10 Mbps LANs.
The workstation-to-workstation phase provides end-to-end encryption of IP traffic at the workstation-to-workstation level, selectively, based on destination address. Some subnetworks use the Dynamic Host Configuration Protocol (DHCP) to dynamically assign IP addresses; therefore, support for selective encryption of dynamically addressed hosts is desired.
Encryption products should use public key technology for key management and authentication. Support for X.509 certificates for authentication is required, and is desirable for key management as well. IRS' ultimate desire is to have one X.500 directory for users and devices.
Products must support the Federal Data Encryption Standard (DES) for encryption, and any commercial public key algorithms for key management and authentication. Support for the Digital Signature Standard (DSS) is desired. Public key implementations shall be capable of using key lengths in excess of 512 bits. Cryptographic devices which comply with FIPS PUB 140-1 Level 2 are required; self-validation is acceptable. Preference will be given to products that do not require modifications to existing IRS systems or applications. IRS will base its evaluations of contributed products on the following criteria: (1) Level of support for DES; (2) Level of support for public key based authentication and key management, including conformance to relevant government, national, and international standards (e.g., ANSI X9.30 Part 3); (3) Range of test platforms, protocols, and operating environments supported; (4) Reliability in the test environments; (5) Performance in the test environments; (6) Ease of installation, integration, and day-to-day use on test platforms; (7) Life-cycle acquisition, operation, and maintenance costs. To be considered by IRS, vendor responses to this RFI must be received by U.S. mail or equivalent carrier at the following address by the close of business 30 calendar days from the RFI publication date: Mr. Dale Burtyk, Internal Revenue Service, ISC, Room 4025, 2701 Prosperity Avenue, Fairfax, VA 22031. No telephone inquiries will be accepted.
Vendors must provide the following in order to be considered further by IRS: (1) draft agreement for IRS to use their products (and any requested additional hardware) for evaluation purposes only, at no cost, (2) statement of basic technical support and list of contact points for support for the duration of IRS testing, (3) descriptive technical literature on the contributed products, including information on the products' supported platforms and operating systems, technical architecture, and X.509 public-key certificate support, (4) statement of the products' commercial availability plus current catalogs, pricing, and user references (if applicable); General Services Administration (GSA) and/or Treasury Multi-User Acquisition Contract (TMAC) catalogs and pricing are preferred, where applicable. Those vendors selected for further evaluation will be notified by U.S. mail no later than 60 calendar days after the date on which this RFI is published. Additional information on IRS requirements for the phases will be provided to the selected vendors at the time they are notified. Selection for testing neither implies endorsement by IRS nor any expressed or tacit commitment or agreement by IRS to acquire the products at a later date. In addition, selection for testing will neither provide vendors with an advantage nor preclude them from bidding on related future procurements. IRS and its contractor will execute any necessary non-disclosure agreements with vendors; the contractor has already executed such an agreement with IRS. Any product-related information obtained by the contractor and/or IRS during the testing and evaluation process will be used only for evaluation purposes. (220)

Loren Data Corp. http://www.ld.com (SYN# 0017 19950809\D-0002.SOL)

