SOLICITATION NOTICE
70 -- Support for Voting System Security Testing and Certification - 1
- Notice Date
- 9/2/2011
- Notice Type
- Combined Synopsis/Solicitation
- NAICS
- 541512 (Computer Systems Design Services)
- Contracting Office
- Department of Commerce, National Institute of Standards and Technology (NIST), Acquisition Management Division, 100 Bureau Drive, Building 301, Room B129, Mail Stop 1640, Gaithersburg, Maryland, 20899-1640
- ZIP Code
- 20899-1640
- Solicitation Number
- NB773010-11-02323-1
- Archive Date
- 10/31/2011
- Point of Contact
- Willie W. Lu, Phone: 3019758259, Chon S. Son, Phone: 301-975-8567
- E-Mail Address
- willie.lu@nist.gov, chon.son@nist.gov
- Small Business Set-Aside
- N/A
- Description
- Combined Synopsis

CLASSIFICATION CODE: R - Other Scientific and Technical Consulting Services
TITLE: Support for Voting System Security Testing and Certification
SOLICITATION NUMBER: NB773010-11-02323
RESPONSE DATE: September 13, 2011
CONTACT POINTS: Willie Lu, Contract Specialist, (301) 975-8259; Chon Son, Contracting Officer, (301) 975-8567

DESCRIPTION: The National Institute of Standards and Technology (NIST) has a requirement for Support for Voting System Security Testing and Certification.

THIS IS A COMBINED SYNOPSIS/SOLICITATION FOR COMMERCIAL ITEMS PREPARED IN ACCORDANCE WITH THE FORMAT IN FAR SUBPART 12.6 - STREAMLINED PROCEDURES FOR EVALUATION AND SOLICITATION FOR COMMERCIAL ITEMS - AS SUPPLEMENTED WITH ADDITIONAL INFORMATION INCLUDED IN THIS NOTICE. THIS ANNOUNCEMENT CONSTITUTES THE ONLY SOLICITATION; QUOTATIONS ARE BEING REQUESTED, AND A SEPARATE WRITTEN SOLICITATION DOCUMENT WILL NOT BE ISSUED. THE SOLICITATION IS BEING ISSUED USING SIMPLIFIED ACQUISITION PROCEDURES.

This solicitation is a Request for Quotation (RFQ). The solicitation document and incorporated provisions and clauses are those in effect through Federal Acquisition Circular (FAC) 2005-48. The associated North American Industrial Classification System (NAICS) code for this procurement is 541512. This acquisition is being procured using full and open competition.

1352.215-72 INQUIRIES (APR 2010)
Offerors must submit all questions concerning this solicitation via email to Willie Lu. Questions should be received no later than 2:00 PM on September 7, 2011. Any responses to questions will be made in writing, without identification of the questioner, and will be included in an amendment to the solicitation. Even if provided in other form, only the question responses included in the amendment to the solicitation will govern performance of the contract.
(End of Provision)

All offerors shall provide a quotation for the following line items:
- Line Item 0001: One (1) Professional Services - Voting System Security (period of 18 months)
- Line Item 0002: One (1) Travel

STATEMENT OF WORK

I. BACKGROUND
The National Institute of Standards and Technology (NIST) has been working with the Election Assistance Commission (EAC) for several years in support of the Help America Vote Act (HAVA). As part of NIST's voting efforts, the Computer Security Division (CSD) is maintaining test suites for security requirements in the Voluntary Voting System Guidelines (VVSG) and developing and maintaining supporting testing and certification materials, including proficiency tests and test artifacts that will be used to accredit Voting System Test Laboratories (VSTLs).

II. SCOPE OF WORK
The Contractor will develop and maintain (1) test suites for the security requirements in the VVSG, (2) proficiency tests and test artifacts for VSTL accreditation, and (3) a method of cataloging vulnerabilities and weaknesses in existing voting systems to support future development of security requirements and test suites.

The Contractor will assist NIST staff in integrating existing test suites into the EAC's testing and certification program. This includes validating the test suites before they will be used by VSTLs. The Contractor will update the test suite based on issues identified during the validation process. The Contractor will also maintain the test suites for the duration of the contract by updating test methods as security requirements change.

The Contractor will conduct research and develop recommendations for including a penetration testing component in the voting system certification program.

The Contractor will maintain proficiency test material and associated artifacts that support VSTL accreditation. This includes modifying these materials as necessary to integrate them with the National Voluntary Laboratory Accreditation Program (NVLAP), and updating them based on changes to the security test suites.

III. CONTRACTOR QUALIFICATIONS
The Contractor shall have:
- Knowledge of voting system guidelines and standards, including the Draft Voluntary Voting System Guidelines - Version 1.1 (VVSG 1.1), and the Voluntary Voting System Guidelines - Next Iteration (VVSG-NI) (See: http://www.eac.gov/files/vvsg/Final-TGDC-VVSG-08312007.pdf).
- Knowledge of the existing security test suites for the VVSG-NI.
- Experience in requirements-based security test development.
- Experience in penetration testing techniques.
- Knowledge of NIST CSD computer security publications.
- Experience in security validation and conformance testing such as the Cryptographic Module Validation Program (CMVP).
- Knowledge of the ISO 17025 laboratory accreditation process (e.g., National Voluntary Laboratory Accreditation Program (NVLAP)).
- Experience developing artifacts for security testing.
- Knowledge of existing cataloging methods for security vulnerabilities and weaknesses, including Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE).

IV. SPECIFIC TASKS
The tasks covered in this contract support NIST's voting efforts related to voting system security testing and certification. These tasks are:

1. Validate and maintain voting system security test suites for the VVSG 1.1 and the VVSG-NI (see http://vote.nist.gov/SystemTesting/reviewer-notes-security.htm).
   a. The Contractor shall validate security test suites on two or more voting systems.
   b. The Contractor shall update test suites based on issues identified during the security test suite validation process.
   c. The Contractor shall maintain and update test suites as security requirements in the VVSG 1.1 and the VVSG-NI are modified, providing drafts to NIST at regular intervals.

2. Conduct research and develop recommendations for including a penetration testing component in the voting system certification program.
   a. The Contractor shall use their expertise in penetration testing and security validation and conformance testing to research methodologies for including penetration testing in the voting system certification program. The Contractor shall prepare a briefing of the research results.
   b. The Contractor shall draft a lab handbook intended for VSTLs and penetration testers, providing incremental drafts to NIST at regular intervals.
   c. The Contractor shall provide documentation for the penetration testing material developed, providing drafts to NIST at regular intervals.
   d. The Contractor shall draft responses to comments on the penetration testing materials for NIST review.
   e. The Contractor shall update the penetration testing material based on the comment resolution as requested by NIST.

3. Maintain proficiency test material and associated artifacts that support VSTL accreditation.
   a. The Contractor shall work with NIST CSD and NVLAP staff to integrate proficiency test materials and associated artifacts with the laboratory accreditation program. The Contractor shall update proficiency test materials and artifacts as issues are identified during the integration process, providing status updates to NIST at regular intervals.
   b. The Contractor shall update proficiency test materials and associated artifacts as security requirements and test suites are updated, providing drafts to NIST staff at regular intervals.
   c. The Contractor shall maintain documentation for the test material and artifacts, providing updated drafts to NIST at regular intervals.

4. Develop a method for cataloging security weaknesses and vulnerabilities.
   a. The Contractor shall research existing methods for cataloging security weaknesses and vulnerabilities, including the use of CVE and CWE. The Contractor shall prepare a briefing summarizing the results of this research.
   b. The Contractor shall develop a whitepaper proposing a method for cataloging security vulnerabilities and weaknesses.
   c. The Contractor shall collect information regarding known vulnerabilities or security weaknesses in existing voting systems. Collected materials shall be submitted to NIST staff.
   d. The Contractor shall catalog known vulnerabilities and weaknesses using the method described in their whitepaper.

V. PERIOD OF PERFORMANCE AND DELIVERABLES
The performance period for this contract extends 18 months from the date of the contract award.

Test Suite Validation and Maintenance:
1. Documentation of security test suite validation: Due 4 months after contract award.
2. Updated draft of security test suites based on issues identified during validation process: Due 5 months after contract award.
3. Updated draft of security test suites based on new or modified security requirements: Due 1 month after being provided with updated requirements.

Penetration Testing Research and Recommendations:
1. Briefing of penetration testing research: Due 3 months after contract award.
2. Complete initial draft of penetration testing handbook: Due 9 months after contract award.
3. Final draft of penetration testing handbook: Due 12 months after contract award.
4. Updated handbook based on comments: Due at end of contract period.

Maintain Proficiency Test Materials and Artifacts:
1. Update proficiency test materials and artifacts based on comments from NIST CSD and NVLAP staff: Due 1 month after being provided comments.
2. Update proficiency test materials and artifacts based on new or modified test suites: Due 2 months after being provided with new or modified tests.

Development of Security Vulnerability/Weakness Catalog:
1. Briefing on existing cataloging methods: Due 2 months after contract award.
2. Whitepaper proposing a voting-specific cataloging method: Due 4 months after contract award.
3. Collection of known security vulnerabilities and weaknesses: Due 9 months after contract award.
4. Catalog of known security vulnerabilities and weaknesses: Due at end of contract period.

VI. GOVERNMENT-FURNISHED PROPERTY, DATA AND INFORMATION
This PWS does not obligate the Government to provide any property or data during the performance of this contract.

VII. TRAVEL
Travel is authorized under this contract with NIST approval.

VIII. EXHIBITS AND ATTACHMENTS
There are no additional attachments or exhibits as part of this PWS.

IX. PERFORMANCE REQUIREMENT SUMMARY
Each entry below gives the Required Service, its Performance Standard, and the Monitoring Method, grouped by Desired Output.

Desired Output: Updated security test suites for voting system testing and certification.
- Required Service: Validate existing security test suite. Performance Standard: The documentation describing the validation process shall be complete and consistent with industry-accepted validation processes. Monitoring Method: The NIST COTR/POC will review the documentation for completeness and technical accuracy.
- Required Service: Update security test suite based on issues identified during validation. Performance Standard: The updated security tests shall be technically accurate and cover all known issues identified during the validation process. Monitoring Method: The NIST COTR/POC will review the updated security tests for completeness and technical accuracy.
- Required Service: Update security test suite based on new or modified requirements. Performance Standard: The updated security tests shall be technically accurate and cover all new or modified requirements. Monitoring Method: The NIST COTR/POC will review the updated test suite for completeness and technical accuracy.

Desired Output: Penetration Testing Research and Recommendations.
- Required Service: Prepare a brief documenting penetration testing methodologies. Performance Standard: The briefing shall cover all industry-standard penetration procedures. Monitoring Method: The NIST COTR/POC will receive the briefing.
- Required Service: Complete draft of penetration testing handbook. Performance Standard: The handbook shall be technically accurate and consistent with the EAC's testing and certification procedures. Monitoring Method: The NIST COTR/POC will review the handbook for completeness and technical accuracy.
- Required Service: Update handbook based on comments. Performance Standard: The updated handbook shall remediate all issues previously identified by public and internal comments. Monitoring Method: The NIST COTR/POC will review the updated guidance document for completeness and technical accuracy based on resolution of internal and public comments.

Desired Output: Up-to-date Proficiency Test Materials and Artifacts.
- Required Service: Update proficiency test materials and artifacts based on comments from NIST CSD and NVLAP staff. Performance Standard: The test material shall be capable of supporting laboratory accreditation and be technically accurate. Monitoring Method: The NIST COTR/POC will review drafts of the test material for completeness and technical accuracy.
- Required Service: Update proficiency test materials and artifacts based on new or modified test suites. Performance Standard: The updated test materials shall be technically accurate and deal with all necessary changes to the security test suite. Monitoring Method: The NIST COTR/POC will review the updated test material for completeness and technical accuracy.

Desired Output: A catalog of voting system security vulnerabilities and weaknesses.
- Required Service: Prepare briefing on existing cataloging methods. Performance Standard: The briefing shall cover all industry-standard methods of cataloging security vulnerabilities/weaknesses, including CWE and CVE. Monitoring Method: The NIST COTR/POC will receive the briefing.
- Required Service: Propose a voting-specific cataloging method. Performance Standard: The method shall be capable of cataloging all known security vulnerabilities and weaknesses in voting systems. Monitoring Method: The NIST COTR/POC will review the proposed method to ensure it is complete and flexible enough to catalog known vulnerabilities/weaknesses.
- Required Service: Collect known voting system security vulnerabilities and weaknesses. Performance Standard: The collected materials shall be a complete set of known problems from credible sources. Monitoring Method: The NIST COTR/POC will receive and review the materials for completeness and credibility.
- Required Service: Catalog known security vulnerabilities and weaknesses. Performance Standard: Catalog one or more collected materials using the proposed method. Monitoring Method: The NIST COTR/POC will review the catalog to ensure it properly reflects the original source of vulnerability/weakness information.

INSTRUCTIONS

Central Contractor Registration
In accordance with FAR 52.204-7, the awardee must be registered in the Central Contractor Registration (www.ccr.gov) prior to award. Refusal to register shall forfeit award.

Due Date for Quotations
Offerors shall submit their quotations so that NIST receives them not later than 2:00 p.m. Eastern Time on September 13, 2011. FAX quotations shall not be accepted. E-mail quotations shall be accepted at willie.lu@nist.gov and shall not be deemed received until the quotation is entered in the e-mail inbox of Willie Lu at willie.lu@nist.gov. Any questions or concerns regarding this solicitation must be forwarded in writing via e-mail to Willie Lu, Contract Specialist, at willie.lu@nist.gov.

Addendum to FAR 52.212-1, Quotation Preparation Instructions
1) Price Quotation: The offeror shall submit an original and four copies of the completed price schedule. If the quotation is submitted electronically, additional copies are not required. The pricing quotation shall be separate from any other portion of the quotation. The offeror shall propose a firm-fixed-price for each CLIN. Price quotations shall remain valid for a period of 90 days from the date quotations are due.
2) Technical Quotation: The offeror shall submit an original and four copies of the technical quotation. If the quotation is submitted electronically, additional copies are not required. The technical quotation shall address the following:
- Technical Approach: Provide a technical approach to complete each task found in the Statement of Work. The approach should balance effective security testing with the cost of testing. The approach should demonstrate an understanding of the goals and objectives of the Voluntary Voting System Guidelines (VVSG). The approach should demonstrate an understanding of how proficiency test material and artifacts are used to support laboratory accreditation. The approach should demonstrate an understanding of how cataloging security vulnerabilities and weaknesses is used to support laboratory testing.
- Key Personnel: Proposed key personnel should have:
  1. Knowledge of the Voluntary Voting System Guidelines - Version 1.1 (VVSG 1.1), and the Voluntary Voting System Guidelines - Next Iteration (VVSG-NI) (See: http://www.eac.gov/files/vvsg/Final-TGDC-VVSG-08312007.pdf)
  2. Knowledge of the existing security test suite for the VVSG-NI
  3. Knowledge of NIST computer security publications
  4. Knowledge of existing cataloging methods for security vulnerabilities and weaknesses, including Common Vulnerabilities and Exposures (CVE) and Common Weakness Enumeration (CWE)
  5. Experience developing and implementing security testing approaches and techniques
  6. Experience developing security tests based on security requirements
  7. Experience implementing penetration testing approaches and techniques
- Past Performance: The Offeror shall provide past performance information regarding relevant contracts over the past five (5) years with Federal, state, or local governments, or commercial customers. If the Offeror intends to subcontract with another firm(s) for part of this requirement, that firm's past performance information shall also be provided. If the Offeror has no relevant past performance, it may include a statement to that effect in its quotation. The Government reserves the right to consider data obtained from sources other than those described by the Offeror in its quotation. It is recommended that approximately 3 to 5 contracts be referenced.
- Acceptance of Terms and Conditions: This is an open-market solicitation for equipment as defined herein. The Government intends to award a Purchase Order as a result of this solicitation that will include the clauses set forth herein. The quotation should include one of the following statements: "The terms and conditions in the solicitation are acceptable to be included in the award document without modification, deletion, or addition." OR "The terms and conditions in the solicitation are acceptable to be included in the award document with the exception, deletion, or addition of the following:" (Offeror shall list exception(s) and rationale for the exception(s).)

Note: This procurement is not being conducted under the GSA Federal Supply Schedule (FSS) program or another Government-Wide Acquisition Contract (GWAC). If an offeror submits a quotation based upon an FSS or GWAC contract, the Government will accept the quoted price. However, the terms and conditions stated herein will be included in any resultant Purchase Order, not the terms and conditions of the offeror's FSS or GWAC contract, and the statement required above shall be included in the quotation.

QUOTATION EVALUATION

Evaluation Factors / Award Basis
Award will be made to the Offeror who complies with the terms and conditions of this request and whose proposal contains the combination of those criteria offering the best overall value to the Government. This will be determined by comparing differences in the evaluation of technical approach, experience, and past performance with differences in cost/price to the Government. All non-price factors, when combined, shall be approximately equal to price. The Government will evaluate quotations based on the following evaluation criteria:
A. Technical Approach
B. Experience
C. Past Performance
D. Price

A. Technical Approach: The proposed technical approach shall be evaluated to determine overall feasibility and likelihood for success. The Contractor's proposed methodology shall be evaluated to determine its ability to complete the project successfully.
B. Key Personnel: The Contractor's proposed key personnel plan shall be evaluated to determine the degree of knowledge and experience the Contractor possesses performing similar work.
C. Past Performance: The Government will evaluate the Offeror's past performance information and, if appropriate, its proposed subcontractors' past performance to determine its relevance to the current requirement and the extent to which it demonstrates that the Offeror has successfully completed relevant contracts in the past five years. In assessing the Offeror's past performance information, NIST will evaluate the quality, timeliness, and ability to control cost and schedule of the past work. The Government will evaluate past performance information by contacting appropriate references, including NIST references, if applicable. The Government may also consider other available information in evaluating the Offeror's past performance. The Government will assign a neutral rating if the Offeror has no relevant past performance information.
D. Price: Upon completion of the evaluation of the technical approach, key personnel, and past performance, a price analysis will be conducted on each technically acceptable proposal to determine the fairness and reasonableness of the proposed prices. Experience, Past Performance and Price shall not be evaluated on quotes that are determined technically unacceptable under the Technical Approach factor.

PROVISIONS AND CLAUSES
The following provisions and clauses apply to this acquisition and are hereby incorporated by reference. All FAR clauses may be viewed at http://acquisition.gov/comp/far/index.html.

Provisions:
- 52.212-1, Instructions to Offerors - Commercial Items
- 52.212-3, Offeror Representations and Certifications - Commercial Items. Offerors shall complete annual representations and certifications on-line at http://orca.bpn.gov in accordance with FAR 52.212-3, Offeror Representations and Certifications - Commercial Items. If paragraph (j) of the provision is applicable, a written submission is required.

Clauses:
- 52.212-4, Contract Terms and Conditions - Commercial Items
- 52.212-5, Contract Terms and Conditions Required to Implement Statutes or Executive Orders - Commercial Items (MAY 2009)
- 52.219-28, Post-Award Small Business Program Representation
- 52.222-3, Convict Labor
- 52.222-19, Child Labor - Cooperation With Authorities And Remedies
- 52.222-21, Prohibition of Segregated Facilities
- 52.222-26, Equal Opportunity
- 52.222-36, Affirmative Action for Workers with Disabilities
- 52.223-18, Contractor Policy to Ban Text Messaging While Driving
- 52.225-3, Buy American Act - NAFTA Alternate II
- 52.225-13, Restriction on Certain Foreign Purchases
- 52.232-33, Payment by Electronic Funds Transfer - Central Contractor Registration
- NIST Local Clause_04, Billing Instructions
- Web Link
- FBO.gov Permalink: https://www.fbo.gov/spg/DOC/NIST/AcAsD/NB773010-11-02323-1/listing.html
- Place of Performance
- Address: 100 Bureau Dr., Gaithersburg, Maryland, 20899, United States
- Zip Code: 20899
- Record
- SN02561689-W 20110904/110902235620-414da40475ee2f9488cd6ca8d897d842 (fbodaily.com)
- Source
- FedBizOpps