Loren Data Corp.


COMMERCE BUSINESS DAILY ISSUE OF JUNE 13, 2000 PSA#2620

National Institute of Standards & Technology, Acquisition & Assistance Div., 100 Bureau Drive Stop 3572, Bldg. 301, Rm B117, Gaithersburg, MD 20899-3572

D -- SOLE SOURCE CONTRACT FOR FIPS-140-1 CRYPTOGRAPHIC MODULE REFERENCE IMPLEMENTATION DEVELOPMENT SOL 52SBNB0C1064 DUE 072400 POC Teresa A. Reefe, Contract Specialist, (301) 975-6364, Alba Sanchez, Contracting Officer, (301) 975-6344, FAX (301) 963-7732 WEB: NIST Contracts Homepage, http://www.nist.gov/admin/od/contract/contract.htm. E-MAIL: NIST Contracts Office, Contract@nist.gov.

This CBD Synopsis amends the CBD notice which was published on June 9, 2000. The previous synopsis is hereby deleted and replaced with the following. The National Institute of Standards and Technology's (NIST's) Information Technology Laboratory (ITL) intends to negotiate a contract on a sole-source basis with CORSEC Security, Inc. under the authority of 41 USC 253 (c)(1) -- "only one responsible source" to provide Cryptographic Module Reference Implementation Development. On July 17, 1995, NIST established the Cryptographic Module Validation Program (CMVP), which validates cryptographic modules to Federal Information Processing Standard (FIPS) 140-1 (Security Requirements for Cryptographic Modules) and other cryptography-based standards. The CMVP is a joint effort between NIST and the Communications Security Establishment (CSE) of the Government of Canada. ITL's Security Technology Group of the Computer Security Division, together with CSE, serve as the validation authorities for the program. Products validated as conforming to FIPS 140-1 are accepted by the Federal agencies of both countries for the protection of sensitive information. FIPS 140-1 defines a framework and methodology for NIST's current and future cryptographic standards.

FIPS 140-1 provides users with: a specification of security features that are required at each of four security levels; flexibility in choosing security requirements; a guide to ensuring that cryptographic modules incorporate the necessary security features; and assurance that the modules comply with cryptographic algorithm and cryptography-based standards. FIPS 140-1 is a mandatory standard for Federal agencies and departments implementing cryptography as part of their security solution. This involves the acquisition of validated cryptographic modules (which may be incorporated in a product/application) for protecting sensitive unclassified data.

Purpose and Objectives of the Procurement: Federal agencies, industry, and the public now rely on cryptography for the protection of information and communications used in electronic commerce, critical infrastructure, and other application areas. At the heart of all products which offer cryptographic services are the cryptographic modules. Cryptographic modules are used in products and systems to provide security services such as confidentiality, integrity, and authentication. Weaknesses such as poor design, weak algorithms, or incorrect implementation of the cryptographic module can render the product insecure. Therefore, adequate testing and validation of the cryptographic module against established standards is essential to provide security assurance. CMVP has reference implementations covering all of the FIPS-approved cryptographic algorithms and cryptography-based standards, but currently there is no reference implementation of a FIPS 140-1 cryptographic module. NIST wishes to develop a cryptographic module reference implementation that embodies all of our existing cryptographic standards plus other recognized industry standards. This reference module will be validated against FIPS 140-1 and will be publicly available as a working reference example. In addition, the module will be used in the proficiency testing of the CMVP laboratories.

There are currently four National Voluntary Laboratory Accreditation Program (NVLAP) accredited laboratories that test cryptographic modules against FIPS 140-1. In addition to serving as the validation authority for the CMVP, NIST and CSE also work with NVLAP to accredit new laboratories and reaccredit existing laboratories to perform cryptographic module testing. This accreditation uses a cryptographic module artifact to test the laboratories' technical proficiency. In the past, partially developed or very basic prototype modules served as the cryptographic module artifact. With the advances in technology since the beginning of the CMVP in 1995, a fully designed and developed cryptographic module is now needed for this laboratory proficiency testing.

The specific tasks to be performed under this contract include:
1) Attend and document an initial kick-off meeting defining the general specifications of cryptographic module reference implementations: document the meeting in a report which details the requirements, including implemented algorithms, cryptographic methodologies, and module capabilities; develop a schedule; and create specifications based on the meeting and report;
2) Design a FIPS 140-1 Level 1 compliant software cryptographic module based on the specification created in task 1: develop all design-related documentation specified in FIPS 140-1, and develop all design-related diagrams, tables, and models specified in FIPS 140-1;
3) Develop a FIPS 140-1 Level 1 compliant software cryptographic module based on the design created in task 2: develop all software in compliance with FIPS 140-1 and the Recommended Software Development Practices as specified in Draft FIPS 140-2 Appendix B, and develop a non-proprietary security policy for the module as specified in Draft FIPS 140-2 Appendix C;
4) Validate the cryptographic modules developed in tasks 4 and 5 through the CMVP: contract with one of the four testing laboratories using best business practices, provide the modules and all necessary documentation to the laboratory for testing, and provide copies of the final validation testing reports to NIST for review.

The overall objectives of this SOW are to develop a cryptographic module that will be publicly available and used in the proficiency testing of the CMVP testing laboratories. Given the proficiency testing objective, the CMVP laboratories cannot be considered as potential providers for this contracting effort. NIST and the CMVP both have strong policies not to endorse vendors, products, or laboratories. Therefore the cryptographic product vendor community must also be precluded from this contracting effort.

The basis for the sole source award to CORSEC Security, Inc. is as follows: Corsec Security, Inc. is uniquely qualified to perform the tasks defined in this Statement of Work (SOW) due to their unique expertise in FIPS 140-1 design services, software development, and security consulting, and their complete neutrality, since they are neither a CMVP testing laboratory nor a vendor of cryptographic modules. Their expertise is based on their experience from previously testing cryptographic modules and currently serving as consultants for vendors during cryptographic module design and development. Specifically, Corsec has in-depth experience in the areas of FIPS 140-1 validation, cryptographic security engineering, public key infrastructure, and digital signatures. Corsec has demonstrated their unique capabilities by assisting customers in securing data, networks, and computing resources by effectively designing and implementing cryptographic products and services. Corsec has leading-edge cryptographic software development experience combined with unparalleled FIPS 140-1 design and development experience. Corsec has worked with many of the leading hardware and software security product companies, aiding them in designing for FIPS 140-1 compliance. Corsec's design experience is free of bias since Corsec owns no competing products. Furthermore, Corsec provides the experience of former FIPS 140-1 laboratory managers and evaluators unfettered by the restrictions placed on testing laboratories. Corsec offers a compelling combination of security software development knowledge, cryptography and security consulting, and FIPS 140-1 expertise.

Corsec Security, Inc. is uniquely qualified to:
1) Develop general specifications of cryptographic module reference implementations;
2) Design a FIPS 140-1 Level 1 compliant software cryptographic module: develop all design-related documentation specified in FIPS 140-1, and develop all design-related diagrams, tables, and models specified in FIPS 140-1;
3) Design a FIPS 140-1 Level 2 compliant hardware cryptographic module: develop all design-related documentation specified in FIPS 140-1, and develop all design-related diagrams, tables, and models specified in FIPS 140-1;
4) Develop a FIPS 140-1 Level 1 compliant software cryptographic module: develop all software in compliance with FIPS 140-1 and the Recommended Software Development Practices as specified in Draft FIPS 140-2 Appendix B, and develop a non-proprietary security policy for the module as specified in Draft FIPS 140-2 Appendix C;
5) Develop a FIPS 140-1 Level 2 compliant hardware cryptographic module: develop all software, firmware and/or hardware in compliance with FIPS 140-1 and the Recommended Software Development Practices as specified in Draft FIPS 140-2 Appendix B, and develop a non-proprietary security policy for the module as specified in Draft FIPS 140-2 Appendix C.

The Government intends to award a firm-fixed-price contract with a one-year period of performance. See Numbered Notes 22 and 26. Posted 06/09/00 (W-SN463468). (0161)

Loren Data Corp. http://www.ld.com (SYN# 0021 20000613\D-0002.SOL)
