Loren Data's SAM Daily™

fbodaily.com
FBO DAILY ISSUE OF MAY 19, 2009 FBO #2731
SOLICITATION NOTICE

D -- Research requirements SPARK/ADA Determination for Source & Security

Notice Date
5/17/2009
 
Notice Type
Combined Synopsis/Solicitation
 
NAICS
541511 — Custom Computer Programming Services
 
Contracting Office
Department of Commerce, National Institute of Standards and Technology (NIST), Acquisition Management Division, 100 Bureau Drive, Building 301, Room B129, Mail Stop 1640, Gaithersburg, Maryland, 20899-1640
 
ZIP Code
20899-1640
 
Solicitation Number
SB1341-09-RQ-0212
 
Archive Date
6/20/2009
 
Point of Contact
Richard Cordero, Phone: 3019753976
 
E-Mail Address
rcordero@nist.gov
 
Small Business Set-Aside
N/A
 
Description
THIS IS A COMBINED SYNOPSIS/SOLICITATION FOR COMMERCIAL ITEMS PREPARED IN ACCORDANCE WITH THE FORMAT IN FAR SUBPART 12.6, AS SUPPLEMENTED WITH ADDITIONAL INFORMATION INCLUDED IN THIS NOTICE. FAR PART 13, SIMPLIFIED ACQUISITION PROCEDURES, IS UTILIZED IN THIS PROCUREMENT. THIS ANNOUNCEMENT CONSTITUTES THE ONLY SOLICITATION; QUOTATIONS ARE BEING REQUESTED, AND A WRITTEN SOLICITATION DOCUMENT WILL NOT BE ISSUED.

This solicitation is a request for quotation (RFQ). The provisions and clauses incorporated in this solicitation document are those in effect through Federal Acquisition Circular (FAC) 2005-32. The associated North American Industrial Classification System (NAICS) code for this procurement is 541511 with a dollar amount of $25 million. This requirement is being competed on an unrestricted full and open competition basis.

APPLICABLE PROVISIONS AND CLAUSES: The following FAR provisions and clauses apply to this solicitation: 52.212-1, 52.212-3, 52.212-4, 52.212-5 (including 52.222-50, 52.233-3 and 52.233-4 in paragraph (a)(1) and the following fill-ins in paragraph (b): 52.222-3, 52.222-19, 52.222-21, 52.222-26, 52.222-36, 52.232-33), 52.217-5 and 52.217-9.

52.217-9 OPTION TO EXTEND THE TERM OF THE CONTRACT (MAR 2000)
(a) The Government may extend the term of this contract by written notice to the Contractor within thirty (30) days of expiration of the then-current term, provided that the Government gives the Contractor a preliminary written notice of its intent to extend at least 30 days before the contract expires. The preliminary notice does not commit the Government to an extension.
(b) If the Government exercises this option, the extended contract shall be considered to include this option clause.
(c) The total duration of this contract, including the exercise of any options under this clause, shall not exceed nine (9) months.

PERFORMANCE WORK STATEMENT (PWS)

I. Background Information
The U.S. Department of Commerce, National Institute of Standards and Technology (NIST) Information Technology Laboratory (ITL) is working with the U.S. Department of Homeland Security National Cyber Security Division to improve the state of the practice in software assurance. The SAMATE (Software Assurance Metrics and Tool Evaluation) project is dedicated to improving software assurance by developing methods to enable software tool evaluations, measuring the effectiveness of tools and techniques, and identifying gaps in tools and methods. One methodology for evaluating software assurance tools is to develop tool specifications, test plans, and test sets. NIST has completed a specification for a class of tool called Source Code Security Analyzers. This specification is published as NIST Specification 500-268. A draft test plan for source code security analyzers is published as NIST Special Publication 500-270. For additional background information, see https://samate.nist.gov/

II. Objective of the Procurement
The objective of this procurement is to determine which weaknesses identified in the Source Code Security Analyzer specification might occur in the SPARK subset of the ADA programming language, which might occur but can be proven to be absent, and which cannot possibly occur. Each weakness is identified by its Common Weakness Enumeration (CWE) number and currently appears on the MITRE web site http://cwe.mitre.org/. The deliverable will be the addition of "SPARK/ADA", as appropriate, in the Language(s) column of Annex A – Source Code Weaknesses, and a report explaining why each weakness might or might not occur. If a weakness might occur but can be proven not to be present, that should be noted.

III. Contractor Tasks
The contractor shall provide all labor, supervision, materials, equipment, and facilities (unless otherwise stated herein) to complete the following tasks. The contractor shall:

BASE PERIOD – CONTRACTOR TASKS
Task 1: Determine if the following weaknesses occur in the SPARK subset of the ADA programming language for CWE 89 and CWE 121.
- Meet with NIST Point of Contact/Order Contact (P/OC) to discuss the project plan before starting work.
- Review and become knowledgeable of the SAMATE source code security analyzer specification, particularly the associated weaknesses listed in Annex A.
- Review and become knowledgeable of the current SPARK subset of the ADA programming language.
- Determine if the following weaknesses occur in the SPARK subset of the ADA programming language:
- CWE 89: SQL injection
- CWE 121: Stack-based buffer overflow

Task 2: Determine if the following weaknesses occur in the SPARK subset of the ADA programming language:
- CWE 122: Heap-based buffer overflow
- CWE 134: Uncontrolled format string
- CWE 170: Improper null termination
- CWE 244: Heap inspection
- CWE 251: Often misused string management
- CWE 401: Memory leak
- CWE 415: Double free
- CWE 416: Use after free
- CWE 468: Incorrect pointer scaling
- CWE 476: Null pointer dereference

Task 3: Determine if the following weaknesses occur in the SPARK subset of the ADA programming language:
- CWE 80: Basic XSS
- CWE 99: Resource injection
- CWE 78: OS Command injection
- CWE 259: Hard-coded password
- CWE 367: Time-of-check Time-of-use (TOCTOU) race condition
- CWE 391: Unchecked error condition
- CWE 412: Unrestricted lock on critical resource
- CWE 457: Use of uninitialized variable
- CWE 489: Leftover debug code

OPTION PERIOD ONE CONTRACTOR TASKS:
Task 4: The Contractor shall provide code examples in SPARK/ADA showing the problem for every weakness identified in Tasks 1 through 3.

OPTION PERIOD TWO CONTRACTOR TASKS:
Task 5: The contractor shall produce the same analysis (Tasks 1 – 4) for an additional 25 weaknesses provided by NIST.

IV. Deliverables and Reports
1. Determine if weaknesses could occur in the SPARK subset of ADA using the table entries in Annex A of NIST Special Publication 500-268, in the Language(s) column.
2. A written report on Task 1, to be delivered via email to the COTR no later than 30 days from the initial meeting with NIST. The report shall include a step-by-step explanation, including a justification of the conclusion.
3. A written report on Task 2 and Task 3, to be delivered via email to the COTR no later than 90 days after contract award. The report shall include a step-by-step explanation, including a justification of the conclusion.
4. The contractor shall report progress in the form of monthly summary reports, pending delivery of the complete task reports.

Option Period One – Deliverable:
1. Provide a written report on Task 4, to be delivered via email to the P/OC no later than 30 days after the effective date of the option period. The report shall include code examples in SPARK/ADA showing the problem for every weakness mentioned in Tasks 1 to 3.

Option Period Two – Deliverable:
1. Provide a written report, to be delivered via email to the TIC no later than 30 days after the effective date of the option period. The report shall include the same analysis (Tasks 1 to 5) for an additional 25 weaknesses as specified by NIST.

V. Performance
a. Period of Performance
• Base Period: Six months, beginning on the date of Contractor acceptance of the purchase order.
• Option Period 1: Six weeks, beginning on the day after expiration of the Base Period.
• Option Period 2: Six weeks, beginning on the day after expiration of Option Period 1.
b. Place of Performance
• All work shall be performed at the Contractor’s facility.

VI. Quotation Page Limitation for Technical Approach
a. The Technical Approach portion of the quotation shall not exceed four pages.

ADDENDUM TO PROVISION 52.212-1 - QUOTATION SUBMISSION INSTRUCTIONS
This addendum replaces applicable paragraphs in provision 52.212-1.
(b) Submission of quotations. Submit signed and dated quotations to the office specified in this solicitation at or before the exact time specified in this solicitation. Quotations may be submitted on the SF 1449, letterhead stationery, or as otherwise specified in the solicitation. As a minimum, quotations must include:
(1) The solicitation number;
(2) The name, address, and telephone number of the offeror;
(3) A detailed written technical approach for how the offeror proposes to satisfy the requirements of the Performance Work Statement in this solicitation. This technical approach should be clear, concise and complete in describing how the offeror would satisfy each PWS requirement;
(4) A resume for each person proposed to work as a direct charge on this contract, to include their name, their education, their experience, the company name of their current employer and their current country of citizenship. If the person is a foreign national, also include a copy of their current Visa documentation;
(5) Firm-fixed-price for each task and related deliverable in the PWS for the Base Period, Option Period 1 and Option Period 2, and any discount terms for those prices (note: pricing shall be in a separate document from the rest of the quotation);
(6) Acknowledgment of Solicitation Amendments, if any;
(7) Past performance information for the offeror, to include recent and relevant contracts for the same or similar items and other references (including contract numbers, points of contact with telephone numbers and other relevant information); and
(8) If the quotation is not submitted on the SF 1449, a statement specifying the extent of agreement with all terms, conditions, and provisions included in the solicitation.
Quotations that fail to furnish required representations or information, or that reject the terms and conditions of the solicitation, may be excluded from consideration.

All quotes shall be received not later than 3:00 PM Eastern Time on May 26, 2009 at the National Institute of Standards & Technology, Acquisition Management Division, 100 Bureau Drive, Building 301, Room B129, Mail Stop 1640, Gaithersburg, MD 20899-3571, Attn: Ricardo Cordero. Because of heightened security, FED-EX, UPS, or similar delivery methods are the preferred method of delivery of quotes. If quotes are hand delivered, delivery shall be made to the Contracts Office at 301-975-3976. NIST is not responsible for late delivery due to the added security measures. In addition, offerors/quoters who do not provide 24-hour notification in order to coordinate entrance to the NIST campus shall assume the risk of not being able to deliver offers/quotes on time. The government is not responsible for the amount of time required to clear unannounced visitors, visitors without proper identification, and visitors without complete information that would allow delivery (i.e. point of contact, telephone, POC, bldg., room number, etc.). If 24-hour notification was not provided, it is suggested that your company representative or your courier service arrive at NIST 90 minutes prior to closing time in order to process entry to the campus through the visitor center and complete delivery. Notice shall include the company name, the name of the individual making the delivery, and the country of citizenship of the individual. For non-US citizens, the following additional information will be required: title, employer/sponsor, and address. Please ensure that the individual making the delivery brings photo identification, or they will be denied access to the facility. E-mailed quotes are acceptable if submitted directly to Ricardo.cordero@nist.gov. Faxed quotes will not be accepted.

EVALUATION FACTORS FOR AWARD
The government will evaluate quotations based on the following evaluation criteria:
1) Soundness and feasibility of the proposed technical approach for performing the requirements of the Performance Work Statement (PWS);
2) Past Performance Information;
3) Qualifications of Proposed Key Personnel based on the content of the resumes provided in the quotation;
4) Experience in the SPARK subset of the ADA programming language, security vulnerabilities in code, source code security analyzers and software development using the ADA programming language; and
5) Price.
Non-price factors 1) through 4) above are approximately equal in importance and, when combined, are significantly more important than price. Past performance information will be evaluated to determine the overall quality of the product and service provided by the offeror on similar contracts completed by the offeror within the past three years or on contracts that are currently ongoing. In addition to references provided by the Offeror, NIST may also obtain past performance information for the offeror from other sources. In the event of no relevant past performance information, the offeror will receive a neutral rating for past performance information.
 
Web Link
FBO.gov Permalink
(https://www.fbo.gov/spg/DOC/NIST/AcAsD/SB1341-09-RQ-0212/listing.html)
 
Place of Performance
Address: All work shall be performed at the Contractor Facility, United States
 
Record
SN01820699-W 20090519/090517233044-b8e847adeb5aaa4fdfa41404bc2ae794 (fbodaily.com)
 
Source
FedBizOpps Link to This Notice
(may not be valid after Archive Date)
