Loren Data Corp.


COMMERCE BUSINESS DAILY ISSUE OF APRIL 15, 1999 PSA#2325

Department of Commerce, Patent and Trademark Office (PTO), Office of Procurement, Box 6, Washington, DC, 20231

D -- PUBLIC KEY INFRASTRUCTURE SECURITY SYSTEM SOL 192P9901183 DUE 041299 POC Marva Brown, Contract Specialist, Phone (703) 306-2701, Fax (703) 305-8294, Email marva.brown@uspto.gov -- Christopher Zeleznik, Contracting Officer, Phone (703)305-8417, Fax (703)305-8924, Email WEB: Visit this URL for the latest information about this, http://www.eps.gov/cgi-bin/WebObjects/EPS?ACode=P&ProjID=192P9901183&LocID=251. E-MAIL: Marva Brown, marva.brown@uspto.gov.

United States Patent and Trademark Office (USPTO) intends to issue to Entrust Technologies, 2010 Corporate Ridge, Mail Stop 2-1, McLean, VA 22102, a sole source purchase order for its Commercial-Off-The-Shelf (COTS) Public Key Infrastructure (PKI) software product, a security mechanism that secures applications ranging from email to electronic commerce. Software products provided by Entrust Technologies are not available from any other sources. USPTO has determined that there is no other feasible alternative source of supply that can satisfy 100% of the stated specifications. This purchase order is being issued pursuant to FAR 6.302-1, "only one responsible source", pursuant to FAR Part 12, "acquisition of commercial items", and FAR Part 13, "Test Programs for Certain Commercial Items". Entrust Technologies is the developer of PKI software and is the only source for licensing and maintenance of its products. Neither third party Entrust Technologies solution providers, nor Entrust Technologies designated integrators, have access to proprietary information (software source code), possess the necessary Entrust Technologies corporate knowledge, or have the capability of providing maintenance for the Entrust Technologies software. Selection of this product will allow the USPTO to implement an enterprise-wide public key infrastructure to support a wide range of applications, both internal and external, that require digital signature and encryption services.
USPTO requires its PKI to interoperate with PKIs of other federal and non-federal agencies and organizations in order to support electronic government and electronic commerce initiatives. The Enterprise-wide Public Key Infrastructure initiative in the USPTO Strategic Information Technology Plan provides additional project description, commitments, benefits and performance measures associated with this endeavor. USPTO has selected ENTRUST software to satisfy this requirement based upon various marketing surveys to find commercially available PKI software capable of fulfilling 100% of PTO's requirements to implement an enterprise-wide solution without having to develop software or integrate multiple products to achieve the same functionality. A formal market survey of Public Key Infrastructure (PKI) products and services for the United States Patent and Trademark Office (USPTO) Office of the Chief Information Officer (OCIO) was completed 14 February, 1999. It is intended that the USPTO applications requiring PKI-based security services will be extranet-based (i.e., World Wide Web browser-based access by non-USPTO users); many other applications will be internal workflow applications that implement traditional client/server architectures and will not rely on the use of Web browsers. These internal client/server-based applications will require client software that implements digital signature and encryption services via software and/or hardware (e.g., tokens, smart cards). USPTO will implement secure email to support internal and external communications and file encryption to protect sensitive data files on USPTO workstations and laptops.
Since the value of the PKI infrastructure (as with any infrastructure investment) increases with the number of applications using its services, the USPTO will also implement, where practical and appropriate, virtual private network, remote access, single sign-on, and access control solutions based upon digitally-signed certificates created, distributed, and managed by the USPTO PKI. Due to the sensitive nature of the information processed by the USPTO and the uncertain legal aspects of outsourcing critical PKI functions (e.g., warranties, limitations of liability of the Certification Authority), all PKI resources and services will be managed in-house. By being its own Certification Authority (CA), the USPTO will be more readily able to negotiate interoperability agreements, and terms and conditions with other agencies and organizations. The USPTO will achieve interoperability with other agencies or organizations' PKIs through cross-certification with the Federal Bridge Certification Authority, cross-certification with other industry-specific "bridge" CAs, and direct cross-certification. Entrust Technologies is the only source that can supply this software. Entrust Technologies' products provide a full-featured PKI that includes certification authority, directory and client level functionality. Specifically, the Entrust PKI product will:

1) have full & local control over policy, operations and maintenance regarding the PKI issues;
2) be interoperable with the Federal PKI through cross-certification with the Federal Bridge Certification Authority (CA) and other agency and organization PKIs through cross-certification (near term);
3) provide an enterprise-wide solution with full key and certificate life-cycle management, including creation, update, distribution, recovery, and archive. Certificate and key management services should be as transparent to users as possible;
4) provide separate public key pairs for digital signature and encryption, and backup and recovery services for encryption keys only, to support full non-repudiation;
5) support digital signatures and encryption for web-based and internal, client/server-based workflow applications;
6) support digital signature and encryption of Microsoft Exchange email and email attachments;
7) be compliant with FIPS 140-1, providing hardware-based (level 3) certificate authority root key protection services, and software and hardware-based (level 1/2) user key management services for Windows NT and 95/98 client platforms;
8) meet the following digital signature standards: RSA (PKCS #1) and DSS (FIPS 186);
9) meet the following encryption standards: DES (FIPS 46-2) and triple-DES;
10) be flexible enough to accommodate future standards for digital signature and encryption (e.g., Advanced Encryption Standard, Elliptic Curve Cryptography);
11) be able to issue X.509 v3 certificates to support secure email (S/MIME), virtual private network/remote access (IPsec), secure file enveloping (PKCS #7), and e-commerce (SET) solutions;
12) include software toolkits to address specific interfacing requirements (secure session management, file encryption, certificate management and storage schemes, IPsec/ISAKMP);
13) be able to publish certificates in a readily accessible manner via X.500, LDAP-compliant directories;
14) be highly scalable (user community greater than 10,000); and
15) be a proven product; one that has been deployed successfully in a production

Posted 04/13/99 (D-SN318722). (0103)

Loren Data Corp. http://www.ld.com (SYN# 0053 19990415\D-0001.SOL)

