National Institute of Standards & Technology, Acquisition & Assistance Div., Bldg. 301, Rm B117, Gaithersburg, MD 20899

D -- ROLE-BASED ACCESS CONTROL/WORLD WIDE WEB (RBAC/WEB) ADMINISTRATIVE TOOL SOL 52SBNB860078 DUE 063098 POC Calvin Montgomery, (301) 975-6334 WEB: NIST Contracts Homepage, http://www.nist.gov/admin/od/contract/contract.htm. E-MAIL: NIST Contracts Office, Contract@nist.gov. The National Institute of Standards and Technology (NIST) intends to negotiate on a sole source basis under the authority of 41 USC 253(c)(1) with VDG, 6009 Brookside Drive, Chevy Chase, MD 20815 for a follow-on contract. This is a small-business set-aside. The SIC code is 7371 and the applicable size standard is $18.0 million dollars in annual receipts. Under a contract with the National Security Agency (NSA), NIST was responsible for the development of a formal RBAC security model, and RBAC implementation on top of NSA's Synergy Microkernal. The purpose of this effort was to demonstrate Synergies flexibility in supporting commercial oriented security policies. Through a full and open competition VDG was awarded a purchase order to provide programming services for porting NIST UNIX-based software to other operating systems and to assist in testing such software. The software was developed using C and Perl programming languages, running on Sun/OS or Solaris. Services were provided for the period 9/16/96 through 9/30/97. NIST intended to perform any subsequent work. Purchase Order 43NANB715716 was awarded to VDG. Under this purchase order, VDG performed the following duties: (1) Design Analysis of SoD Policies in RBAC/Synergy; (2) Implementation of SoD Policies in RBAC/Synergy; and, (3) Testing of the Implementation of the SoD Policies. This included the development of source codes, data dictionary, and test scripts for the implementation of the SoD. The period of performance under this purchase order was approximately three months. This short time was possible because of the VDG's prior experience and knowledge of the RBAC Synergy implementation. The intent of this requirement is to extend an existing administrative tool for the current NIST RBAC/Web implementation. The purpose of the administrative tool is to create and maintain user/role and role/role relationships within the RBAC/Web authorization database. The existing tool graphically displays role hierarchies and through the use of various symbols depicts constraint relationships among the roles. In addition, the tool maintains consistency between the role hierarchies and the role constraints, with respect to NIST's RBAC model. The administrative tool was designed and developed as a prototype for NIST by VDG under purchase order numbers 43NANB615666 and 43NANB715716. The extension under this requirement shall consist of an administrative tool that defines an application-oriented policy within RBAC/WEB semantics. The administrative tool shall include a component that (1) initializes the RBAC/WEB environment according to the defined policy and (2) verifies that the policy is satisfied by subsequent administrative or user actions (i.e., the constraints of the application-oriented policy are satisfied). The contractor shall design, implement and demonstrate these extensions by defining an application-oriented policy and enforcing it within the NIST RBAC/WEB environment. There are three tasks that are a part of this requirement. Under TASK A. Design analysis of RBAC/Web administrative extensions, the contractor shall perform the design analysis for the proposed application-oriented policy and its mapping into the RBAC/WEB environment. The design analysis shall also refer to the capability to verify policy enforcement within the RBAC/WEB environment. Under TASK B. Implementation of the RBAC/Web administrative extensions, the contractor shall implement the RBAC administrative tool designed in TASK A. Under TASK C. Demonstration of the RBAC/Web administrative extensions, the contractor shall demonstrate the operation and use of the extended RBAC administrative tool implemented in TASK B. The Government estimates a period of performance from the date of contract award through 150 days thereafter. A written quotation will be requested from VDG for this requirement. A solicitation/Request for Quotation will not be issued. The anticipated contract award date is June 30, 1998. See Numbered Notes 1 and 26. (0168)

Loren Data Corp. http://www.ld.com (SYN# 0028 19980619\D-0006.SOL)