MODIFICATION
D -- Request for Information (RFI) for Host-Based Security Manager Support
- Notice Date
- 6/1/2005
- Notice Type
- Modification
- NAICS
- 541519 — Other Computer Related Services
- Contracting Office
- Defense Information Systems Agency, Procurement and Logistics, DITCO-Scott, P.O. Box 25857, Scott AFB, IL, 62225-5406
- ZIP Code
- 62225-5406
- Solicitation Number
- RFI326
- Response Due
- 7/8/2005
- Point of Contact
- Anne Keller, Contract Specialist, Phone 618-229-9504, Fax 618-229-9440
- E-Mail Address
- Anne.Keller@disa.mil
- Description
- CHANGES HAVE BEEN MADE TO THE DUE DATE FOR RESPONSES, THE DATE OF THE INFORMATION EXCHANGE MEETING AND THE DATE OF THE GOTS/COTS DEMONSTRATION DAY. CHANGES ARE SPECIFIED BELOW. THIS IS A REQUEST FOR INFORMATION (RFI) FOR HOST-BASED SECURITY MANAGER SUPPORT.

SUBJECT: This document is a Request for Information (RFI) for host-based security tools and centralized manager applications that could be deployed on host machines across the DoD.

Traditional efforts to secure Department of Defense (DoD) networks have focused on placing defenses at the network boundary, with less emphasis on end-point or host-based security. While defenses such as network firewalls and network intrusion detection systems (NIDS) have proven effective at countering identifiable threats originating from outside the network boundary, they do not address the insider threat or defend against external threats that are able to penetrate boundary defenses or enter through backdoors. Such threats include viruses, worms or other attacks that target known or previously unknown operating system and application-specific vulnerabilities. In order to address the insider threat, increase end-point security, reduce end-point management requirements, and provide defense in depth, DoD is considering integrating existing capabilities and fielding enhanced host-based security products and associated integrated managers across the enterprise. Under the host-based security concept, security products are installed directly on network end-points. In general, this means installing agent-based tools on host machines (e.g., workstations, laptops, servers).

In order to be effective across enterprise networks, host-based capabilities must be centrally managed to support installation, monitoring, updating, and configuration. However, existing security product management requires an independent manager for each of the multiple products, which reduces the time available for detection and response efforts because of the excessive, redundant management requirements. DoD intends to integrate existing security products and capabilities, eliminate redundant management processes, and enhance end-point security through a unified security product and management suite. The intent is to reduce the impact of management traffic and the redundancy of end-point security agents.

For this RFI, the following descriptions will be used:

- Central Manager: The portion of the host-based security manager suite that provides the central management functionality is called the central manager. The central manager provides centralized installation, management, monitoring, and configuration of host-based Information Assurance (IA) capabilities. This central manager will reside at Tier 3; however, it must be able to accept policy and configuration changes from higher-level tiers. Security information collected by Tier 3 central managers will be reported to higher tiers as well as to an external security information manager (SIM).
- Host Agent/Module(s): Those tools (or portions of tools) which actually perform the tasks associated with protecting host machines are referred to as modules in this RFI. The local host capability to communicate with the central manager and control modules is referred to as the host-based agent, or just agent. The capabilities listed in Section 3.0 could be provided either by a single agent with multiple modules, by multiple agents/modules, or by a combination of the two. Each module will implement the security policies to be enforced using a set of rules that may be modified by the central manager.

Additional definitions regarding the functions and designations of host-based security components are given in Attachment 3. A copy of Attachment 3 can be obtained from either Capt. Strakos or Mr. Carr. Phone numbers and e-mail addresses for Capt. Strakos and Mr. Carr are specified under paragraph 5.

DESCRIPTION: The Defense Information Systems Agency (DISA), in support of the Computer Network Defense (CND) mission assigned to the United States Strategic Command (USSTRATCOM), is seeking information from industry, academia, and government that will assist in the deployment of host-based security capabilities to enhance the CND posture of DoD computer network systems. The DoD host-based security concept for acquiring and implementing capabilities on DoD computers and computing platforms follows the Network Operations (NetOps) Joint Concept of Operations (CONOPS) for the Global Information Grid. Under the NetOps CONOPS, the DoD is organized into three tiers to conduct CND:

- Tier 1 provides DoD-wide CND operational direction and support to all DoD components. Tier 1 entities include the CDRUSSTRATCOM and supporting entities, such as the Joint Task Force-Global Network Operations (JTF-GNO), CND Service Certification Authorities (DISA and the National Security Agency [NSA]), the CND Law Enforcement and Counterintelligence Center, and the National Security Incident Response Center.
- Tier 2 provides DoD component-wide operational direction or support and responds to direction from Tier 1. Tier 2 includes CND Service Providers designated by Heads of Components to coordinate Component-wide CND and associated major command entities.
- Tier 3 provides local operational direction and support and responds to direction from a designated Tier 2 entity. Tier 3 includes all entities responding to direction from DoD Component Tier 2 CND Service Providers, e.g., local control centers that manage and control information systems, networks and services, either deployed or fixed at DoD installations.

A copy of Attachment 1 can be obtained from either Capt. Strakos or Mr. Carr. Phone numbers and e-mail addresses for Capt. Strakos and Mr. Carr are specified under paragraph 5.

REQUIREMENTS: This section describes the desired capabilities for the Host-based Security Manager. The DoD does not expect that any one product will have all of the capabilities listed; however, a goal of the Host-based Security Manager is to provide as many of these capabilities as possible under a single management architecture. A solution with multiple products under a single manager is acceptable for the purpose of this RFI. Individual products with a subset of these capabilities are also of interest, and vendors and/or government organizations with these solutions are encouraged to respond to this RFI. A copy of Attachment 2 can be obtained from either Capt. Strakos or Mr. Carr. Phone numbers and e-mail addresses for Capt. Strakos and Mr. Carr are specified under paragraph 5.

Agent Control / Management:
- Central Manager: Provides centralized installation, management, monitoring, and configuration of host-based Information Assurance (IA) capabilities.

Agent / Module Characteristics:
- Agent: Provides agent software to be installed on host systems that reports to the central management server. The configuration of the agent and the modules it controls will be managed from the central management server.
- Modular Protection: Implements security policies to be enforced using a set of rules that are disseminated and updated by the central manager.
- Alert Generation: Sends alerts to the central manager and SIM, as configured, when rules are enforced or other auditable events occur.

Access Control or Communications Management:
- Ports, Protocols, and Services Control and Management: Provides control over inbound and outbound external network traffic as well as services running on a host.
- Application Wrapper: Monitors and controls the inputs and outputs of an application.
- OS Wrapper: Monitors security-relevant procedure calls to the operating system (OS) kernel.
- File Protection: Protects files and directories from malicious/unauthorized activity.
- Registry Protection: Prevents unauthorized changes to registry settings.

Signature-based Detection:
- File Integrity Checking: Inventories properties of known objects (intended to be a fingerprint/hash).
- Anti-virus: Monitors status and provides updates to currently installed anti-virus software.
- Anti-spyware/adware (Malware): Monitors status and provides updates to currently installed anti-spyware/adware software.
- Intrusion Detection: Signature-based IDS examines traffic passing through network interface cards (NIC) or virtual equivalents.
- Intrusion Prevention: Provides an automated response capability based on configurable conditions.

Behavior-based Detection:
- Anomaly Detection (machine/user profiling): Monitors status and provides updates to anomaly detection software.
- Process Monitor: Detects and sends alerts for anomalous process activity or initiation.
- Policy Violations: Detects policy violations or misuse and alerts based on rules.

Security Configuration Management:
- Hardware/Software Inventory: Real-time or controlled reports of host information.
- Audit Log Filtering and Reporting: Performs real-time audit reduction and alerting.
- Application Status Monitoring: Audits application installation.
- Non-compliant Host Quarantine: Limits communication from a non-compliant host to only approved resources based on its configuration.
- System Snapshot Generation and Comparison: Captures the current system configuration and compares it against a baseline.
- Granular Device Control: Applies fine-grained access controls to internal and external devices.
- Boot Sequence Authentication: Authenticates the boot sequence.
- Kernel Integrity Monitor: Monitors the integrity of the OS kernel independent of the OS.
- OS Service Monitor: Monitors the execution path of vulnerable OS services to prevent buffer overflow exploits.
- Execution Control: Prevents the execution of unauthorized executables.

Information Tracking / Management:
- Honey Token or Beaconing: Selectively deploys embedded code that allows for the unique identification of data or products generated on a particular host machine or by a particular user.
- Data Tagging: Applies cryptographically bound metadata tags that state the classification a document possesses as well as other distribution and releasability attributes.
- Post-delivery Content Management: Controls access to data and information after dissemination.

SAMPLE RESPONSE OUTLINE: This outline is intended to minimize the effort of the respondent and structure the responses for ease of analysis by the government. Respondents are free to develop their response accordingly, but should answer the fundamental questions provided.

Section 1 Product (5-7 pages): Describe a working product as a possible solution to the Host-based Security Manager Requirement. Discuss the product and its capability to currently meet one or more of the requirements. Please discuss working or developmental functionality. (This should be five to seven pages, including description and diagrams.) Please address the following issues:
- Specify if the product solution comprises hardware (e.g., an appliance), software, or both. Include minimum and optimum hardware requirements, descriptions of any fail-over capabilities, and database requirements.
- Describe the type of functions performed by the product solution.
- List the OSs the product(s) supports, including patch and service pack levels.
- Describe how the central manager will manage the host-based capabilities.
- Describe the recommended deployment architecture and strategy, including installation and maintenance.
- Describe the scalability of the product(s) in terms of the number of hosts each central manager can support.
- Describe any testing that has been or will be conducted for compliance, such as the Common Criteria for Information Technology (IT) Security Evaluation and/or the Cryptographic Module Validation Program (CMVP) described in the National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 140-2.
- Provide descriptions and certification of software security assurance practices used.
- Provide information on existing and planned IPv6 compatibility.

Section 2 Feasibility Assessment (2 pages): Describe the feasibility of deploying the solution described in Section 1 on networks with as many as 40,000 host machines. Include data on the amount of network traffic generated between agent and central manager. Describe the estimated amount of manpower required to manage the solution.

Section 3 Cost and Schedule Estimates (2-3 pages): Provide a cost estimate describing the licensing agreement, support, and maintenance for non-recurring and annual recurring costs.

Section 4 Corporate Experience: Briefly describe your company, your products and services, history, ownership, financial information, and other information you deem relevant. Describe any projects you have been involved in that are similar in concept to what is described in this RFI, including management and operations approach, requirements, processes, and any relevant lessons learned (1-2 pages per project). List government and commercial clients. If for any reason clients cannot be discussed, describe the number of seats deployed for each client.

Section 5 Additional Materials: Provide any other materials, suggestions, and discussion you deem appropriate.

INFORMATION EXCHANGE MEETING: The government will hold an information meeting to discuss this RFI with interested potential respondents. This meeting is scheduled for 14 June 2005 at 9:00 a.m. It will be held at the Applied Technology Unit (ATU) of the Joint Task Force for Global Network Operations. The address of the ATU is 2110 Washington Blvd, Suite 100, Arlington, VA 22204. No more than two representatives from each respondent should attend. The ATU is located in a contractor-owned facility known as the Technology Integration Center (TIC). Directions to the TIC can be found at the following sub-page of the TIC's web site: http://tictdc.isotic.org/tic_directions.cfm. The TIC's home page is at http://tictdc.isotic.org/tic_index.cfm. When you arrive at the front desk to sign in, please inform the front desk of any hardware, software, and other equipment you are carrying into this meeting. Thumb drives (USB memory sticks) are not permitted in any part of this facility.

Primary point of contact if you plan to attend is: Capt Dany Strakos -- Commercial Phone: 210-925-3455; DSN: 945-3455; E-Mail: dany.strakos@lackland.af.mil
Secondary point of contact is: Mr. Paul Carr -- Commercial Phone: (703) 769-9511; E-Mail: Paul.Carr@tic.dod.mil

Commercial off-the-shelf/Government off-the-shelf (COTS/GOTS) demonstration days will be held 1-5 August 2005 in Cryptographic Systems Group (CPSG) facilities located in San Antonio, TX. Due to time and facility limitations, participation in these days will be by invitation only. Invitations will be sent out by 22 July 05. No more than three representatives from each invitee should attend. Responders to this invitation are solely responsible for all expenses associated with responding to this RFI.

DISCLAIMER: The government does not intend to award a contract on the basis of this RFI or to otherwise pay for information received in response to this RFI. The government will not pay for any expenses for the COTS/GOTS demonstration. This RFI will be the basis for collecting information on products available. This RFI is issued solely for information and planning purposes and does not constitute a solicitation. All information received in response to this RFI that is marked “proprietary” will be handled accordingly. Responses to the RFI will not be returned, nor will receipt be confirmed. In accordance with FAR 15.201(e), responses to this RFI are not offers and cannot be accepted by the Government to form a binding contract. Again, responders are solely responsible for all expenses associated with responding to this RFI.

SUBMISSION INSTRUCTIONS: How to submit: Submission is by email; the email should be time stamped no later than the due date. Email should not exceed 5 Megabytes (MB). Email to Capt. Dany Strakos at dany.strakos@lackland.af.mil. Due Date: Friday, 08 July 2005, 5:00 PM Eastern Daylight Time (EDT) (GMT – 4).

CONTACT INFORMATION: The three Points of Contact (POCs) for questions on this RFI, obtaining copies of the attachments, and information regarding the information exchange meeting and the COTS/GOTS demonstration day are as follows:
- Capt. Dany Strakos, Phone: 210-925-3455, DSN: 925-3455, E-mail: dany.strakos@lackland.af.mil
- MAJ Jack Mast, Acquisition Manager, (703) 882-1634, jack.mast@disa.mil
- Mr. Donald Parker, Asst. Acquisition Manager, (703) 882-0164, Donald.Parker1@disa.mil

NOTE: THIS NOTICE MAY HAVE POSTED ON WWW.FEDBIZOPPS.GOV ON THE DATE INDICATED IN THE NOTICE ITSELF (01-JUN-2005). IT ACTUALLY APPEARED OR REAPPEARED ON THE FEDBIZOPPS SYSTEM ON 06-JUL-2005, BUT REAPPEARED IN THE FTP FEED FOR THIS POSTING DATE. PLEASE CONTACT fbo.support@gsa.gov REGARDING THIS ISSUE.
- Web Link
- Link to FedBizOpps document: http://www.eps.gov/spg/DISA/D4AD/DITCO/RFI326/listing.html
- Record
- SN00842581-F 20050708/050706213106 (fbodaily.com)
- Source
- FedBizOpps.gov (link to this notice; may not be valid after Archive Date)