DISA/DITCO/DTS6, 2300 East Drive, Scott AFB, IL 62225- 5406

D -- INSTRUSION AND MISUSE DETERRENCE SYSTEM (IMDS) PHASE 3 DUE 052300 POC Ed Thompson, 717-267-9931, thompsoe@ritchie.disa.mil E-MAIL: thompsoe@ritchie.disa.mil, thompsoe@ritchie.disa.mil. This is an modification to the Request for Information (RFI) posted on the CBD Net on 23 Feb 00 to specify a cut off date for responding to this RFI of 23 May 00. The following is the RFI as posted on 23 Feb 00: REQUEST FOR INFORMATION. The following Request for Information is issued for the purpose of conducting market research and to encourage IT companies to provide suggestions about current commercial industry practices and products. All information submitted in response to this RFI will be used for planning purposes only. FAR Clause 52.215-3 applies. Defense Information Systems Agency (DISA), Field Security Office (FSO) is in the process of formulating the acquisition strategy for our Intrusion and Misuse Deterrence System (IMDS) Phase 3 (referred to, throughout the industry, as a "honeypot"). The purpose of this RFI is to allow interested companies whose core business is information assurance tools development, software support, and networking services to provide insight to commercial business practices, products and common operating procedures and to allow them the opportunity to submit comments, ideas, and /or suggestions. All information received will be considered as the acquisition strategy is developed. This is not a formal solicitation under FAR Part 15 or a FAR Part 13 Simplified Acquisition, but a request for interested companies to provide information. In addition you may provide information about your company's software support and networking services. Specific information relating to IMDS type systems is requested. IMDS, a network monitoring tool, the prime purpose of which is to deter actual network intrusions by creating a virtual view or fa ade of a site's network, hosts, and services, and to allow the appropriate personnel to observe what intrusion methods are being directed toward the systems and to develop countermeasures. The countermeasures are designed to reduce/eliminate the chances of the adversary's success against the protected source. IMDS detects, documents, and tracks any attempted scans, logons, and/or attacks against this facade. The product should identify as much information as possible about the intruder so at least the IP address can be manually added to network associated Access Control Lists if appropriate. We would be especially interested in a system that could transition from a "honeypot" to a "sandbox" with it's intrinsic features, and have enough flexibility so it can expand to add new services to "honeypot" hosts to capture new hacker attempts. Upon detection it will notify appropriate host site security staffs, via a one-way e-mail message, that an intrusion attempt is in progress. This security tool works in conjunction with other security tools as a secondary order of defense against system attacks. We prototyped the concept, piloted its implementation at several sites, and now that the concept has been validated we are looking for a vendor supported COTS product, to include SW maintenance and technical support as required, to replace a GOTS product that we currently use. Please address whether your COTS product has the flexibility and data integrity to use audit logs for evidentiary purpose in a court of law. IMDS will eventually be deployed throughout DOD commands. All information received will be safeguarded from unauthorized disclosure. Please ensure any sensitive information is clearly marked as such. This is not a solicitation announcement for proposals and no contract will be awarded from this announcement. No reimbursement will be made for any costs associated with providing information in response to this announcement and/ or any follow-up information requests. No telephone calls will be accepted requesting a bid package or solicitation. In order to protect the integrity of any future procurement, additional information will not be given and no appointments for presentations will be made in reference to this RFI. Questions concerning this RFI should be addressed to Ed Thompson, 717-267-9931, thompsoe@ritchie.disa.mil. Posted 02/28/00 (W-SN429020). (0059)

Loren Data Corp. http://www.ld.com (SYN# 0029 20000301\D-0003.SOL)