COMMERCE BUSINESS DAILY ISSUE OF APRIL 15, 1999 PSA#2325
Department of Commerce, Patent and Trademark Office (PTO), Office of
Procurement, Box 6, Washington, DC, 20231
D -- PUBLIC KEY INFRASTRUCTURE SECURITY SYSTEM SOL 192P9901183 DUE
041299 POC Marva Brown, Contract Specialist, Phone (703) 306-2701, Fax
(703) 305-8294, Email marva.brown@uspto.gov -- Christopher Zeleznik,
Contracting Officer, Phone (703)305-8417, Fax (703)305-8924, Email WEB:
Visit this URL for the latest information about this,
http://www.eps.gov/cgi-bin/WebObjects/EPS?ACode=P&ProjID=192P9901183&LocID=251.
E-MAIL: Marva Brown, marva.brown@uspto.gov.
United States
Patent and Trademark Office (USPTO) intends to issue to Entrust
Technologies, 2010 Corporate Ridge, Mail Stop 2-1, McLean, VA 22102, a
sole source purchase order for its Commercial-Off-The-Shelf (COTS)
Public Key Infrastructure (PKI) software product, a security mechanism
that secures applications ranging from email to electronic commerce. Software products provided
by Entrust Technologies are not available from any other sources.
USPTO has determined that there is no other feasible alternative source
of supply that can satisfy 100% of the stated specifications. This
purchase order is being issued pursuant to FAR 6.302-1, "only one
responsible source", pursuant to FAR Part 12, "acquisition of
commercial items", and FAR Part 13, "Test Programs for Certain
Commercial Items". Entrust Technologies is the developer of PKI
software and is the only source for licensing and maintenance of its
products. Neither third-party Entrust Technologies solution providers
nor Entrust Technologies designated integrators have access to
proprietary information (software source code), possess the necessary
Entrust Technologies corporate knowledge, or have the capability of
providing maintenance for the Entrust Technologies software. Selection
of this product will allow the USPTO to implement an enterprise-wide
public key infrastructure to support a wide range of applications, both
internal and external, that require digital signature and encryption
services. USPTO requires its PKI to interoperate with PKIs of other
federal and non-federal agencies and organizations in order to support
electronic government and electronic commerce initiatives. The
Enterprise-wide Public Key Infrastructure initiative in the USPTO
Strategic Information Technology Plan provides additional project
description, commitments, benefits and performance measures associated
with this endeavor. USPTO has selected ENTRUST software to satisfy
this requirement based upon various marketing surveys to find
commercially available PKI software capable of fulfilling 100% of PTO's
requirements to implement an enterprise-wide solution without having to
develop software or integrate multiple products to achieve the same
functionality. A formal market survey of Public Key Infrastructure
(PKI) products and services for the United States Patent and Trademark
Office (USPTO) Office of the Chief Information Officer (OCIO) was
completed 14 February, 1999. It is intended that the USPTO applications
requiring PKI-based security services will be extranet-based (i.e.,
World Wide Web browser-based access by non-USPTO users); many other
applications will be internal workflow applications that implement
traditional client/server architectures and will not rely on the use of
Web browsers. These internal client/server-based applications will
require client software that implements digital signature and
encryption services via software and/or hardware (e.g., tokens, smart
cards). USPTO will implement secure email to support internal and
external communications and file encryption to protect sensitive data
files on USPTO workstations and laptops. Since the value of the PKI
infrastructure (as with any infrastructure investment) increases with
the number of applications using its services, the USPTO will also
implement, where practical and appropriate, virtual private network,
remote access, single sign-on, and access control solutions based upon
digitally-signed certificates created, distributed, and managed by the
USPTO PKI. Due to the sensitive nature of the information processed by
the USPTO and the uncertain legal aspects of outsourcing critical PKI
functions (e.g., warranties, limitations of liability of the
Certification Authority), all PKI resources and services will be
managed in-house. By being its own Certification Authority (CA), the
USPTO will be more readily able to negotiate interoperability
agreements, and terms and conditions with other agencies and
organizations. The USPTO will achieve interoperability with other
agencies or organizations' PKIs through cross-certification with the
Federal Bridge Certification Authority, cross-certification with other
industry-specific "bridge" CAs, and direct cross-certification.
Entrust Technologies is the only source that can supply this software.
Entrust Technologies' products provide a full-featured PKI that
includes certification authority, directory and client level
functionality. Specifically, the Entrust PKI product will:
1) have full and local control over policy, operations and maintenance regarding the PKI issues;
2) be interoperable with the Federal PKI through cross-certification with the Federal Bridge Certification Authority (CA) and other agency and organization PKIs through cross-certification (near term);
3) provide an enterprise-wide solution with full key and certificate life-cycle management, including creation, update, distribution, recovery, and archive. Certificate and key management services should be as transparent to users as possible;
4) provide separate public key pairs for digital signature and encryption, and backup and recovery services for encryption keys only to support full non-repudiation;
5) support digital signatures and encryption for web-based and internal, client/server-based workflow applications;
6) support digital signature and encryption of Microsoft Exchange email and email attachments;
7) be compliant with FIPS 140-1, providing hardware-based (level 3) certificate authority root key protection services, and software and hardware-based (level 1/2) user key management services for Windows NT and 95/98 client platforms;
8) meet the following digital signature standards: RSA (PKCS #1) and DSS (FIPS 186);
9) meet the following encryption standards: DES (FIPS 46-2) and triple-DES;
10) be flexible enough to accommodate future standards for digital signature and encryption (e.g., Advanced Encryption Standard, Elliptic Curve Cryptography);
11) be able to issue X.509 v3 certificates to support secure email (S/MIME), virtual private network/remote access (IPsec), secure file enveloping (PKCS#7), and e-commerce (SET) solutions;
12) include software toolkits to address specific interfacing requirements (secure session management, file encryption, certificate management and storage schemes, IPsec/ISAKMP);
13) be able to publish certificates in a readily accessible manner via X.500, LDAP-compliant directories;
14) be highly scalable (user community greater than 10,000); and
15) be a proven product; one that has been deployed successfully in a production
Posted 04/13/99 (D-SN318722). (0103) Loren Data Corp. http://www.ld.com (SYN# 0053 19990415\D-0001.SOL)