JSP Insider Threat


Illinois, United States
Government : Military
RFP
SOURCES SOUGHT ANNOUNCEMENT

The Defense Information Systems Agency (DISA) is seeking sources for the Joint Service Provider's (JSP) Insider Threat User Activity Monitoring requirement.

CONTRACTING OFFICE ADDRESS:
2300 East Drive, Building 3600
Scott Air Force Base, Illinois 62225-5406

INTRODUCTION:

This is a SOURCES SOUGHT TECHNICAL DESCRIPTION to determine the availability and technical capability of small businesses (including the following subsets: Small Disadvantaged Businesses, HUBZone Firms, Certified 8(a), Service-Disabled Veteran-Owned Small Businesses and Woman-Owned Small Businesses) to provide the required products and/or services.

The JSP is seeking information on potential sources for a commercial off-the-shelf system (including software, hardware, support, training, and travel) to monitor and log anomalous behavior by users accessing network and computer systems managed by the JSP. The source should have insider threat cybersecurity solutions that proactively identify and support investigations of user violations, allowing government network administrators and security personnel to proactively manage insider threat incidents. A total of approximately 80,000 end devices will be configured across multiple networks supporting the Pentagon and National Capital Region (NCR) in a phased implementation approach, although some implementations may occur simultaneously. The solution should contain privacy protection to ensure JSP customers can detect the events and individuals that put the enterprise at risk while providing protection for everyone else. It should contain investigative tools that enable targeting, review, and investigation of events that happened before, during, and after a violation occurs, to facilitate root cause analysis of the problem.

DISCLAIMER:

THIS SOURCES SOUGHT IS FOR INFORMATIONAL PURPOSES ONLY. THIS IS NOT A REQUEST FOR PROPOSAL. IT DOES NOT CONSTITUTE A SOLICITATION AND SHALL NOT BE CONSTRUED AS A COMMITMENT BY THE GOVERNMENT. RESPONSES IN ANY FORM ARE NOT OFFERS AND THE GOVERNMENT IS UNDER NO OBLIGATION TO AWARD A CONTRACT AS A RESULT OF THIS ANNOUNCEMENT. NO FUNDS ARE AVAILABLE TO PAY FOR PREPARATION OF RESPONSES TO THIS ANNOUNCEMENT. ANY INFORMATION SUBMITTED BY RESPONDENTS TO THIS TECHNICAL DESCRIPTION IS STRICTLY VOLUNTARY.

CONTRACT/PROGRAM BACKGROUND: New requirement; no previous contracts have been in place related to this requirement.

REQUIRED CAPABILITIES:

General UAM Requirements

1. The Insider Threat endpoint auditing solution shall not adversely affect the end user experience.
2. Data shall be available for analysis and processing in near real-time.
3. Apply software logic while collecting data to identify activity of interest or concern, most commonly referred to as alerts, policies, algorithms, or triggers.
4. Alert thresholds should be tailorable and categorized based on the importance or severity of the activity.
5. The ability to create alerts based on a configurable number and type of events occurring within a configurable time frame.
6. Data must be protected from unauthorized access, modification and destruction, and must support investigative practices with an inherent capability to ensure chain of custody.
7. The endpoint shall have the capability to be persistent and immune from shutdown or alteration by the user or by a normal privileged user.
8. Data shall be retained for a minimum of 5 years to support detection of behavioral patterns and relationships.
9. The UAM capability will support and scale to manage 80,000 endpoints.
10. The UAM endpoint will run on Unix, Windows and virtual environments, thin clients, traditional thick Windows environments, and multilevel security platforms.
11. The UAM management capability will work in a centralized or regionalized manner.
12. The UAM solution can manage multiple security domains or customer bases from one manager/dashboard/event manager.
13. The UAM solution is operationally integrated with a Unified Cross-Domain Management Office certified solution to move data across different classification boundaries and security domains such as JWICS, SIPRNet and NATO Secret networks.
14. The UAM solution has an existing approval to operate on DoD networks (NIPRNet, SIPRNet and JWICS).
15. The UAM capability must be interoperable with existing COTS/GOTS information assurance tools such as HBSS, Splunk and ArcSight.
16. The UAM has the capability to support data aggregation to other systems, or can itself act as an aggregator to receive information from other sources (e.g. HR systems, access control systems, personnel security, phone logs).
17. The system supports two-person controls for administrative actions, operation and configuration.

Critical performance requirements which the service must meet:

1. Monitor user desktop computers for anomalous activity including, but not limited to:
   a. Detect user log-in activities
   b. The movement of data on or between networks
2. Monitor/log/record all user application activity including, but not limited to:
   a. Keystrokes
   b. Chat programs
   c. Electronic mail
   d. Website browsing
   e. Social media usage
   f. Clipboard actions (cut, paste, etc.)
3. Monitor/log/record all user file activity including, but not limited to:
   a. File access
   b. File modification
   c. File deletion
4. Monitor/log/record all removable media activity: writes/downloads to removable media devices (Compact Disk (CD), Digital Video Disk (DVD), Universal Serial Bus (USB), etc.).
5. Authentication and Account Anomaly Events (logon/logoff events; failed logins; attempts to use expired, disabled, default, or service accounts).
6. Account Change Events (assignment of administrative rights, attempts to escalate privileges, creating new users or groups, creation of domain accounts, changing back and forth between user accounts).
7. File and Object Events (access, create, delete, modify, change permissions, change owner).
8. Excessive or Abnormal Activity (after-hours use, remote administrative actions, large-scale print activity, large download activity).
9. Uploads from Removable Media Devices (CD, DVD, USB).
10. User/Group Management Events (add, delete, modify, lock, suspend).
11. Privilege Access/Use (security/audit/configuration changes or disablement, elevate privilege, load unauthorized software, access web, access e-mail).
12. Root/Administrator Access.
13. Print Events (print to device, print to file, print to multiple devices).
14. Application Initialization (attempts to use administrative programs, application whitelisting abilities).
15. Data encryption/use of unauthorized certificates/encryption levels by user or system.
16. Email events (excessive blind copies (BCC), e-mail sent to foreign addresses, excessive use of commercial e-mail, suspicious attachments).
17. Unauthorized access to shared folders (attempts, successes, mapping network drives).
18. Unauthorized data access or transfer.
19. Database accesses and searches.
20. Add/remove of system devices (internal and external).
21. Browsing history (attempts to clear, private browsing mode).
22. Attempts to use any computer ports (USB, serial, other).
23-24. Attempts to disable or bypass security devices/applications (including Anti-Virus (AV), Host Intrusion Detection Systems (HIDS), Host Intrusion Prevention Systems (HIPS), etc.).
25. System Reboot, Restart, Shutdown.
26. Export of Information (upload software to websites, social network uploads, attempts to copy files to ...); System Configuration Changes (modification to registry, starting or stopping services, modification to system or application files, modification to user home directory configurations).
27. Malware Activity (anti-virus software disabled, out-of-date signatures, unable to remove malware).
28. Print activity escalation attributed to a particular user.
29. Any attempts to alter, delete, modify or edit audit configuration data, or to stop auditing processes.
30. Able to detect simultaneous logins from different computers and geographic locations.
31. Able to baseline a system or user to establish normal activity/pattern.
32. Provide baseline anomaly detection (adding or executing unauthorized scripts, failure to change default passwords, allowing non-CAC logon, unauthorized software programs).
33. Provide network traffic anomaly detection (network scans, high network traffic, excessive firewall blocks, non-user activity communication to an outside network).
34. Capture and playback of a user's actions before, during and after suspicious activity is discovered, in order to discern user intent. This screen-capture playback capability must be able to reveal the user's actions by displaying a replay of the user's desktop before, during, and after suspicious activity.
35. Attribute all captured data to a user.
36. Provide on-demand, configurable, highly focused observation of an individual.
37. Run in an unobtrusive manner, injecting no perceptible lag time that would degrade the user's experience.
38. Be configurable to collect specific data points or monitor specific users as needed.
39. Automate alerting and send alerts as configured to specific auditors based on established preferences.
40. Collect data in compliance with U.S. Department of Justice evidentiary procedures to support criminal prosecution.
41. Upon installation and configuration, collect data without having to install additional software or hardware on the target computer.
42. Be configurable to support variable alert levels based on operator configuration.
43. Detect changes to configuration or system files and notify the auditor as needed.
44. Notify the auditor once a policy set has been triggered and, based on configuration:
   a. Begin to collect additional information.
   b. Wait for the Government operator to direct additional information collection.
45. Aggregate all activity to a centralized monitoring infrastructure.
46. Must not be detected by the end user.
47. Must not be able to be terminated or altered by the end user.
48. Encrypt all communications between the end devices and the centralized system with FIPS-approved algorithms.
49. Be able to monitor Windows operating systems.
50. Be able to monitor multiple operating systems.
51. Be capable of being managed in a cross-domain environment.
52. Must comply with FISMA of 2002, as amended by FISMA of 2014.
53. Analyze and process captured data in near-real time.
54. Monitor files and transmissions before encryption, so malicious acts cannot hide behind encryption.
55. Monitor user activity based on a configurable policy control.
56. Meet DoD STIG requirements for servers and software endpoints.
57. Be deliverable via a government-supervised system/process or similar IT process.
58. Be updated and/or patched via a government-supervised process for patching and updating systems person integrity.
59. Be DoD certified and compliant with applicable CIO policies (DoD and CCMD).
60. Support DoD endpoint security agents (currently HBSS) on all servers and software endpoints.
61. Support third-party analysis tools.
62. Alert Events logged with Date and Time.
63. Alert Events logged with Type of Event (Logon, Logoff, Print, etc.).
64. Alert Events logged with Source Identifier (User Identifier (UID), System Identifier (SID), Process Identifier (PID), etc.).
65. Alert Events logged with Object Details (Document Identifier (DID), Location, etc.).
66. Alert Events logged with Outcome (Success/Failure).
67. Alert Events logged with Print File Description.
68. Audit Data shall be safeguarded at rest, in transit, and during presentation.
69. Audit Data shall be protected from unauthorized access, modification, or destruction.
70. Audit Data shall be encrypted utilizing Federal Information Processing Standard (FIPS) 140-2 validated encryption modules.
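As an added example (not part of this announcement, and not any vendor's product), the following Python shows the kind of logic behind General UAM Requirement 5 and items 62 through 66 of the critical performance list: a configurable "N events of a given type within W seconds" alert policy replayed over a stream of endpoint audit events, with every alert recorded with the date/time, event type, source identifiers (UID, SID, PID), object details and outcome, and each record chained to the previous one with SHA-256 so that later alteration of an alert is detectable (general requirement 6, item 69). The policy names, thresholds, field names and the sample events are all constructed for illustration.

```python
"""Windowed alert policies over endpoint audit events, with a hash-chained alert log.

Added illustration for the JSP UAM sources-sought requirements; not vendor code.
Policies, field names and events below are constructed assumptions.
"""
import copy
import hashlib
import json
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime
from typing import Optional

GENESIS_HASH = "0" * 64  # prev_hash of the first alert in the chain


@dataclass(frozen=True)
class AlertPolicy:
    """One 'N events of type T within W seconds' rule (general requirement 5)."""
    name: str
    event_type: str
    outcome: Optional[str]   # None matches any outcome
    threshold: int           # matching events needed to raise an alert
    window_seconds: int      # sliding window the events must fall within
    severity: str            # severity category for the alert (general requirement 4)


# Constructed policies (hypothetical names and thresholds).
POLICIES = [
    AlertPolicy("failed-logon-burst", "LOGON", "FAILURE", threshold=3, window_seconds=60, severity="HIGH"),
    AlertPolicy("removable-media-writes", "USB_WRITE", None, threshold=2, window_seconds=300, severity="MEDIUM"),
]

# Constructed endpoint audit events in collection order. Field names follow the
# identifiers the announcement asks for: UID, SID, PID, object details, outcome.
SAMPLE_EVENTS = [
    {"ts": "2017-01-20T08:59:10", "type": "LOGON", "uid": "jdoe", "sid": "WKS-0417", "pid": 612, "object": "-", "outcome": "FAILURE"},
    {"ts": "2017-01-20T08:59:25", "type": "LOGON", "uid": "jdoe", "sid": "WKS-0417", "pid": 612, "object": "-", "outcome": "FAILURE"},
    {"ts": "2017-01-20T08:59:40", "type": "LOGON", "uid": "jdoe", "sid": "WKS-0417", "pid": 612, "object": "-", "outcome": "SUCCESS"},
    {"ts": "2017-01-20T08:59:50", "type": "LOGON", "uid": "jdoe", "sid": "WKS-0417", "pid": 612, "object": "-", "outcome": "FAILURE"},
    {"ts": "2017-01-20T09:05:00", "type": "USB_WRITE", "uid": "jdoe", "sid": "WKS-0417", "pid": 4120, "object": "E:\\export\\q4_roster.xlsx", "outcome": "SUCCESS"},
    {"ts": "2017-01-20T09:20:00", "type": "USB_WRITE", "uid": "jdoe", "sid": "WKS-0417", "pid": 4120, "object": "E:\\export\\contacts.csv", "outcome": "SUCCESS"},
    {"ts": "2017-01-20T09:22:00", "type": "USB_WRITE", "uid": "jdoe", "sid": "WKS-0417", "pid": 4120, "object": "E:\\export\\budget.xlsx", "outcome": "SUCCESS"},
    {"ts": "2017-01-20T10:00:00", "type": "LOGON", "uid": "asmith", "sid": "WKS-0188", "pid": 598, "object": "-", "outcome": "FAILURE"},
]


def matches(policy, event):
    """True when the event's type (and outcome, if the policy cares) fit the policy."""
    return event["type"] == policy.event_type and (policy.outcome is None or event["outcome"] == policy.outcome)


def chain_alert(record, prev_hash):
    """Attach prev_hash and a SHA-256 over (prev_hash + canonical JSON of the record)."""
    record = dict(record, prev_hash=prev_hash)
    canonical = json.dumps(record, sort_keys=True, separators=(",", ":"))
    record["hash"] = hashlib.sha256((prev_hash + canonical).encode()).hexdigest()
    return record


def run_policies(events, policies):
    """Replay events through every policy; return the hash-chained alert records."""
    windows = defaultdict(deque)  # (policy name, uid) -> timestamps of recent matching events
    alerts, prev_hash = [], GENESIS_HASH
    for ev in events:
        ts = datetime.fromisoformat(ev["ts"])
        for pol in policies:
            if not matches(pol, ev):
                continue
            recent = windows[(pol.name, ev["uid"])]
            while recent and (ts - recent[0]).total_seconds() > pol.window_seconds:
                recent.popleft()  # drop events that have aged out of the window
            recent.append(ts)
            if len(recent) >= pol.threshold:
                alert = chain_alert({
                    "timestamp": ev["ts"],                                             # item 62
                    "event_type": ev["type"],                                          # item 63
                    "source": {"uid": ev["uid"], "sid": ev["sid"], "pid": ev["pid"]},  # item 64
                    "object": ev["object"],                                            # item 65
                    "outcome": ev["outcome"],                                          # item 66
                    "policy": pol.name, "severity": pol.severity, "count": len(recent),
                }, prev_hash)
                prev_hash = alert["hash"]
                alerts.append(alert)
                recent.clear()  # fresh window, so one burst yields one alert rather than one per event
    return alerts


def verify_chain(alerts):
    """Recompute every hash from the genesis value; False if any record was edited or removed."""
    prev_hash = GENESIS_HASH
    for rec in alerts:
        if rec.get("prev_hash") != prev_hash:
            return False
        body = {k: v for k, v in rec.items() if k != "hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        if hashlib.sha256((prev_hash + canonical).encode()).hexdigest() != rec["hash"]:
            return False
        prev_hash = rec["hash"]
    return True


def demo():
    """Run the sample events and show that editing an alert afterwards is detected."""
    alerts = run_policies(SAMPLE_EVENTS, POLICIES)
    tampered = copy.deepcopy(alerts)
    tampered[0]["source"]["uid"] = "asmith"  # attempt to re-attribute the first alert
    return alerts, verify_chain(alerts), verify_chain(tampered)


if __name__ == "__main__":
    found, intact, tampered_intact = demo()
    for a in found:
        print(a["severity"], a["policy"], a["timestamp"], a["source"]["uid"], "count=%d" % a["count"])
    print("chain intact:", intact, "| tampered copy intact:", tampered_intact)
```

On the constructed input this raises two alerts: three failed logons by jdoe within 40 seconds (the successful logon in between does not count toward the rule), and two removable-media writes two minutes apart (the earlier write at 09:05 had already aged out of the 300-second window). The hash chain gives tamper evidence for the alert log, which is what chain of custody needs; it does not by itself satisfy item 70, which still calls for FIPS 140-2 validated encryption of the stored data.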

SPECIAL REQUIREMENTS

The solution must be compliant with all DoD and Intelligence Community (IC) information assurance requirements in order to obtain and preserve the system's Authority to Operate. The solution will be interoperable with existing UAMs, CND tools and SIEMs, and will have the ability to transfer data into the DoD central hub for further evaluation.

The system (servers and endpoints) must comply with Security Technical Implementation Guides (STIGs) and support DoD endpoint security agents, currently the Host Based Security System (HBSS). The system must be DoD certified and compliant with applicable DoD CIO policies and Director of National Intelligence directives. All communications to and from the host and the Command-specific hub must be encrypted with Federal Information Processing Standards (FIPS) approved algorithms. The technology must be able to comply with the requirements of the Federal Information Security Management Act (FISMA) of 2002 as amended by FISMA of 2014.

SOURCES SOUGHT:

The anticipated North American Industry Classification System (NAICS) code for this requirement is 541512, Computer Systems Design Services, with the corresponding size standard of $27.5M. This Sources Sought Synopsis is requesting responses to the following criteria ONLY from small businesses that can provide the required services under the NAICS code.

To assist DISA in making a determination regarding the level of participation by small business in any subsequent procurement that may result from this Sources Sought, you are also encouraged to provide information regarding your plans to use joint venturing (JV) or partnering to meet each of the requirement areas contained herein. This includes responses from qualified and capable Small Businesses, Small Disadvantaged Businesses, Service-Disabled Veteran-Owned Small Businesses, Women-Owned Small Businesses, HUBZone Small Businesses, and 8(a) companies. You should provide information on how you envision your company's areas of expertise and those of any proposed JV/partner would be combined to meet the specific requirements contained in this announcement.

In order to make a determination for a small business set-aside, two or more qualified and capable small businesses must submit responses that demonstrate their qualifications. Responses must demonstrate the company's ability to perform in accordance with the Limitations on Subcontracting clause (FAR 52.219-14).

SUBMISSION DETAILS:

Responses should include:

1) Business name and address;
2) Name of company representative and their business title;
3) Type of Small Business;
4) CAGE Code;
5) Contract vehicles that would be available to the Government for the procurement of the product and service, to include ENCORE II, General Services Administration, GSA MOBIS, NIH, NASA SEWP, Federal Supply Schedules, or any other Government Agency contract vehicle. (This information is for market research only and does not preclude your company from responding to this notice.)

Vendors who wish to respond to this should send responses via email NLT 2/3/2017, 4:00pm EDT to vanesa.c.sorto.civ@mail.mil. Interested businesses should submit a brief capabilities statement package (no more than ten pages) that details the abilities of their off-the-shelf User Activity Monitoring solution for each of the capabilities listed in this Technical Description.

Proprietary information and trade secrets, if any, must be clearly marked on all materials. All information received that is marked Proprietary will be handled accordingly. Please be advised that all submissions become Government property and will not be returned. All government and contractor personnel reviewing responses will have signed non-disclosure agreements and understand their responsibility for proper use and protection from unauthorized disclosure of proprietary information as described in 41 USC 423. The Government shall not be held liable for any damages incurred if proprietary information is not properly identified.


Danette L Wesselmann, Phone 618-229-9273, Fax 618-229-9177, Email danette.l.wesselmann.civ@mail.mil - Cody R. Seelhoefer, Contract Specialist, Phone (618) 229-9348, Email cody.r.seelhoefer.civ@mail.mil
