Thin Client RFPs – Application Containment & Endpoint Detection

February 8, 2020

Thin client RFPs we see. Both of these were on SAM as of Feb 2020.

=================================

SOURCES SOUGHT ANNOUNCEMENT

PL84110008

The Defense Information Systems Agency (DISA) is seeking sources for Application Containment

CONTRACTING OFFICE ADDRESS:

IT CONTRACTING DIVISION

BUILDING 3600

2300 EAST DRIVE

Scott AFB IL 62225-5406 US

For the purposes of this Sources Sought, endpoints are described as follows:

  • Thick Client – Network clients running on fully-capable systems – Local storage and processing capability; can operate independently if not connected to a network.
  • Thin Client – Network client running on minimally-capable system – Minimal local storage and processing capability.
  • Zero Client – Client with no capability outside of network context.
  • Server – Respond to client requests; provide enterprise services (typically in data centers). Users are System Administrators.
  • Virtual Client – Client running virtually on a host platform; no physical resources.

The target is an endpoint (excluding devices like phones and tablets) security and management solution that mitigates prevalent adversary attack vectors, tactics, and techniques used to compromise a system. The proposed solution must automatically isolate the execution of high risk applications interacting with untrusted content from more trusted portions of the endpoint (e.g. host operating system); and/or the solution must facilitate incident detection, investigation, response and threat hunting. Any proposed solution must continue to be effective in disconnected, virtual, intermittent, and low bandwidth network conditions without a dependence upon regularly recurring (e.g. daily, weekly, monthly) content updates. The proposed solution must be capable of scaling to millions of endpoints and provide information in near real-time. Any proposed solution must be ready for testing and subsequent deployment.

In order for the Government to evaluate the technical merits of the vendors' solution(s), the solution(s) shall be capable of meeting the following technical requirements:

Application Containment

  1. The solution shall automatically isolate applications interacting with untrusted content (e.g., internet web pages, email, removable media, and office documents) from more trusted portions of the device outside the container.
  2. The solution shall automatically detect potentially malicious code behavior executing within the isolation container.
  3. The solution shall automatically capture necessary details (e.g., ports and protocols in use, running executables and services, browser plugins in use, etc.) of events (e.g., malicious activity) occurring within the isolation container to support retrospective post-event analysis, threat analysis, and situational awareness.
  4. The solution shall automatically constrain potentially malicious activity to within the isolation container.
  5. The solution shall be configurable to control the ability of applications running within the isolation container to access only specified system resources (e.g., storage devices, network resources, human interface devices, etc.).
  6. The solution shall automatically eliminate and report all isolation container artifacts of compromise and intrusion remnants to the common management server in support of rapid remediation and investigation.
  7. The solution shall automatically restore access to a potentially compromised application within 60 seconds post-compromise, unless configured to allow malware to run for the purpose of analysis.
  8. All components shall be protected against unauthorized/malicious access and modification. This applies to executable code, data, and component settings.
  9. The solution shall provide continual verification of the integrity of the isolation container to ensure there is no unauthorized/malicious access or persistent modification.
  10. Solution components shall not impair authorized system operations (e.g., patching, scanning, business software usage, information assurance tools/initiatives (Secure Host Baseline, Assured Compliance Assessment Solution, etc.)) nor shall they degrade managed system performance in any way, which may adversely impact a system's primary business/mission functions.
  11. The solution shall provide automatic time stamping of all collected data and events based on a single time standard (e.g., Coordinated Universal Time).
  12. The solution shall support the Department's currently mandated means of authentication (e.g., Public Key Infrastructure (PKI)).
  13. The solution shall securely store and transmit data in a manner that ensures the confidentiality, integrity, availability, and source authenticity of the data.
  14. The solution shall automatically report operating status and configuration to its common management system, based on a pre-defined schedule, to ensure the capability is operating and configured as expected.
  15. The solution shall interoperate with event monitoring and correlation systems (e.g. SIEMs) to facilitate aggregated situational awareness.
  16. The solution shall allow for patching and update of containerized applications through a means of automated verification (e.g., integration with automated patch management infrastructure/processes).
  17. The solution shall encrypt all data in transit or data at rest with Federal Information Processing Standards (FIPS) 140-2 compliant cryptographic modules.
  18. The solution shall support open standards for automated threat information sharing.
  19. The solution shall protect managed endpoints operating in Connected, Disconnected, Intermittent, and Limited (DIL) bandwidth networked and standalone environments.
  20. The solution shall report to the Common Management Server all potentially malicious events encountered while the managed endpoint was without network connectivity.
  21. The solution shall provide configurable alerting based upon administrator defined criteria.
  22. The solution shall send alerts at administrator-definable intervals.
  23. The solution shall, at a minimum, operate on the most common vendor supported operating systems approved for use in the DoD environment (e.g., Microsoft Windows 8.1, Windows 10 (including Secure Host Baseline), and Exchange Server 2016, Linux).
  24. The solution shall provide the ability for designated administrators, authenticated according to DoD standards, to configure the solution in accordance with applicable DoD policies.
  25. The solution shall automatically report potentially malicious events detected within the isolation container to a common management server and provide actionable information in a non-proprietary, standard format (e.g. Structured Threat Information expression (STIX)).
  26. The isolation container shall ensure that destructive malware within the container is unable to negatively impact user data or the integrity of the host system.
  27. The solution shall, where possible, inspect and/or sanitize active or potentially malicious untrusted content passing out of the container to the underlying more-trusted host. Examples include copy-paste, printing, file saving, and synchronization of configuration, and user data such as cookies and bookmarks. Sanitization should re-encode content in such a way as to minimize the likelihood of malicious exploitation when content is processed.
  28. The solution should be capable of containing operating system kernel-level vulnerability exploitation.
  29. The solution shall have the capability to be tuned/configured to reduce alerts resulting from false positives.
  30. The solution's uninstall capability shall ensure no artifacts are left behind following execution of the uninstall processes.
  31. All solution components shall have the ability to be automatically deployed and configured based on predefined configurations.

SPECIAL REQUIREMENTS

Must have Secret Facility Clearance. Please provide your current Facility Clearance level.

SOURCES SOUGHT:

The North American Industry Classification System Code (NAICS) for this requirement is 511210, with the corresponding size standard of $41.5 million.

To assist DISA in making a determination regarding the level of participation by small business in any subsequent procurement that may result from this Sources Sought, you are also encouraged to provide information regarding your plans to use joint venturing (JV) or partnering. Please outline how you would envision your company's areas of expertise and those of any proposed JV/partner would be combined to meet the specific requirements contained in this announcement.

In order to make a determination for a small business set-aside, two or more qualified and capable small businesses must submit responses that demonstrate their qualifications. Responses must demonstrate the company's ability to perform in accordance with the Limitations on Subcontracting clause (FAR 52.219-14).

SUBMISSION DETAILS:

Responses should include:

  1. Business name and address;
  2. Name of company representative and their business title;
  3. Type of Small Business;
  4. CAGE Code;
  5. Your contract vehicles that would be available to the Government for the procurement of the product and/or service, to include ENCORE III, SETI, NIH, NASA SEWP, General Service Administration (GSA): OASIS, ALLIANT II, VETS, STARS II, Federal Supply Schedules (FSS) (including applicable SIN(s)), or any other Government Agency contract vehicle that allows for decentralized ordering. (This information is for market research only and does not preclude your company from responding to this notice.)

Vendors who wish to respond to this should send responses via email NLT 4:00 PM Eastern Daylight Time (EDT) on February 17, 2020 to Taylor Rakers, [email protected] and Cody Seelhoefer, [email protected]. If you feel your company has a solution that meets the requirements above, submit a brief capabilities package (no more than ten pages) demonstrating that ability.

Proprietary information and trade secrets, if any, must be clearly marked on all materials. All information received that is marked Proprietary will be handled accordingly. Please be advised that all submissions become Government property and will not be returned. All government and contractor personnel reviewing submitted responses will have signed non-disclosure agreements and understand their responsibility for proper use and protection from unauthorized disclosure of proprietary information as described in 41 USC 423. The Government shall not be held liable for any damages incurred if proprietary information is not properly identified.

SCOTT AFB, IL 62225


The Defense Information Systems Agency (DISA) is seeking sources for Endpoint Detection and Response (EDR)

CONTRACTING OFFICE ADDRESS:

IT CONTRACTING DIVISION

BUILDING 3600

2300 EAST DRIVE

Scott AFB IL 62225-5406 US

INTRODUCTION:

This is a SOURCES SOUGHT ANNOUNCEMENT to determine the availability and technical capability of small businesses (including the following subsets, Small Disadvantaged Businesses, Certified 8(a), Service-Disabled Veteran-Owned Small Businesses, HUBZone Small Businesses and Woman Owned Small Businesses) to provide the required products and/or services.

The Endpoint Security Portfolio is seeking information for potential sources for Endpoint Detection and Response (EDR) capability allowing cyber defenders to quickly detect and investigate security incidents and automatically detect malicious system activities and behaviors. EDR capabilities continuously record significant events occurring on managed systems for the purpose of identifying, reporting, and investigating malicious activity; thereby reducing an adversary's dwell time on DoD networks. Recorded data is accessible through a management console query interface. The EDR capability complements other endpoint security measures and capabilities, such as the ability to restrict execution of high-risk applications and computer processing.

DISCLAIMER:

THIS SOURCES SOUGHT ANNOUNCEMENT IS FOR INFORMATIONAL PURPOSES ONLY. THIS IS NOT A REQUEST FOR PROPOSAL. IT DOES NOT CONSTITUTE A SOLICITATION AND SHALL NOT BE CONSTRUED AS A COMMITMENT BY THE GOVERNMENT. RESPONSES IN ANY FORM ARE NOT OFFERS AND THE GOVERNMENT IS UNDER NO OBLIGATION TO AWARD A CONTRACT AS A RESULT OF THIS ANNOUNCEMENT. NO FUNDS ARE AVAILABLE TO PAY FOR PREPARATION OF RESPONSES TO THIS ANNOUNCEMENT. ANY INFORMATION SUBMITTED BY RESPONDENTS TO THIS SOURCES SOUGHT ANNOUNCEMENT IS STRICTLY VOLUNTARY.

REQUIRED CAPABILITIES:

For the purposes of this Sources Sought, endpoints are described as follows:

  • Thick Client – Network clients running on fully-capable systems – Local storage and processing capability; can operate independently if not connected to a network.
  • Thin Client – Network client running on minimally-capable system – Minimal local storage and processing capability.
  • Zero Client – Client with no capability outside of network context.
  • Server – Respond to client requests; provide enterprise services (typically in data centers). Users are System Administrators.
  • Virtual Client – Client running virtually on a host platform; no physical resources.

The target is an endpoint (excluding devices like phones and tablets) security and management solution that mitigates prevalent adversary attack vectors, tactics, and techniques used to compromise a system. The proposed solution must automatically isolate the execution of high risk applications interacting with untrusted content from more trusted portions of the endpoint (e.g. host operating system); and/or the solution must facilitate incident detection, investigation, response and threat hunting. Any proposed solution must continue to be effective in disconnected, virtual, intermittent, and low bandwidth network conditions without a dependence upon regularly recurring (e.g. daily, weekly, monthly) content updates. The proposed solution must be capable of scaling to millions of endpoints and provide information in near real-time. Any proposed solution must be ready for testing and subsequent deployment.

In order for the Government to evaluate the technical merits of the vendors' solution(s), the solution(s) shall be capable of meeting the following technical requirements:

EDR

  1. The solution shall provide the ability to automatically capture, record and analyze a user-selectable range of endpoint parameters and events in order to assess system operations, support risk management and enable hunt and forensic activities. Examples of data the solution shall be capable of capturing include:
     – Windows Registry – Changes to Keys (and their associated processes; including auto-run keys), Access Control Lists (ACLs), license keys, ownership, and administrative rights.
     – User Activity – Authentication and privileged user activities.
     – Network Activity – File transfers, connections opened and closed, destination (Uniform Resource Locator, Internet Protocols), type of traffic and encryption method (e.g., File Transfer Protocol, Secure File Transfer Protocol, Server Message Block, Transport Layer Security, and Secure Sockets Layer).
     – Processes and Services – Automatic and manual starts and stops. Process parent and child relationships. Loaded and unloaded Dynamic Link Libraries, and record of their associated processes and files on the file system.
     – Software Changes – Operating System, driver and program installation, uninstall, patching, and modification information (e.g., software versions, software identification tags, patch information and mutex data).
     – Peripheral Connections – Wired and wireless connections to peripheral devices.
     – Other File Activity – Files created, opened, closed, saved, modified, moved, or deleted.
     – In-memory Activities – In-memory activities associated with potentially malicious activity; including mutexes and named pipes associated with processes.
     – Hardware Changes – Peripheral device detection, removal, or modification.
  2. The solution shall not impair authorized system operations (e.g., patching, scanning, business software usage, information assurance tools/initiatives (secure host baseline, assured compliance assessment solution, etc.)) nor shall it degrade managed system performance in any way, which may adversely impact a system's primary business/mission functions.
  3. The solution shall encrypt all data in transit or data at rest with FIPS 140-2 compliant cryptographic modules.
  4. The solution shall, at a minimum, operate on the most common vendor supported operating systems approved for use in the DoD environment (e.g., Microsoft Windows 8.1, Windows 10 (including secure host baseline) and Exchange Server 2016).
  5. The solution shall support automated/scheduled transfer of endpoint data to Government approved data archives (e.g., commercial cloud, DoD-owned, federal data center, etc.).
  6. The solution shall provide time stamping of all collected data and events based on a single time standard (e.g., coordinated universal time).
  7. The solution shall securely store and transmit data in a manner that ensures the confidentiality, integrity, availability, and source authenticity of the data.
  8. The solution shall provide the ability to automatically discover and alert on previously unknown external and/or internal hardware/peripheral devices (such as storage) connected to endpoints for the purpose of retrospective/post-event analysis.
  9. The solution shall provide integrated and customizable search with, at minimum, the ability to, from the central management server or other authorized consoles, search data from all systems for information relevant to an incident investigation or risk analysis.
  10. The solution shall have the ability to execute manual and scheduled scans of specified systems for indicators derived from threat intelligence or other sources.
  11. The solution shall provide integrated analytics (including visualization) and support the creation of custom analytics, in order to identify anomalous endpoint behaviors, support incident investigation, and perform event analysis.
  12. The solution shall have the ability to pull locally stored data from specified endpoints in near real time to support high priority hunt and forensic operations.
  13. The solution shall provide automatic hardware-level, operating system-level, and application-level monitoring.
  14. The solution shall allow administrative functions to be delegated to users based on roles/permissions and/or groupings of endpoints they are responsible for managing.
  15. The solution shall provide automated analysis and visualization of an attack; including production of an event timeline and initial assessment of severity/impact.
  16. The solution shall support delegation (i.e., user-specified) of who can access/view collected endpoint data.
  17. The management and analytic components of the solution shall scale to support an endpoint client load of at least 500,000 endpoints.
  18. The solution shall support the Department's currently mandated means of authentication (e.g., PKI).
  19. The solution shall automatically report detection of potentially malicious events to a common management server and provide actionable information in non-proprietary, standard formats (e.g. STIX).
  20. The solution shall generate reports based on pre-saved user-defined formats and datasets to facilitate rapid analysis, decision making, and follow-up actions following events.
  21. The solution shall, through a central management server, provide options for configurable automated or manual remediation actions in response to detected potentially malicious events.
  22. The solution's uninstall capability shall ensure no artifacts are left behind following execution of the uninstall processes.
  23. The solution shall support the rapid push (objective: within 30 seconds) of configuration changes from the management server to all installed agents.
  24. The solution shall protect managed endpoints operating in Connected, DIL bandwidth networked, and standalone environments.
  25. All solution components shall have the ability to be automatically deployed and configured based on predefined configurations.
  26. The solution shall report to the common management server all potentially malicious events encountered while the managed endpoint was without network connectivity.
  27. All components shall be protected against unauthorized/malicious access and modification. This applies to executable code, data, and component settings.

SPECIAL REQUIREMENTS

Must have Secret Facility Clearance. Please provide your current Facility Clearance level.

SOURCES SOUGHT:

The North American Industry Classification System Code (NAICS) for this requirement is 511210, with the corresponding size standard of $41.5 million.

To assist DISA in making a determination regarding the level of participation by small business in any subsequent procurement that may result from this Sources Sought, you are also encouraged to provide information regarding your plans to use joint venturing (JV) or partnering. Please outline how you would envision your company’s areas of expertise and those of any proposed JV/partner would be combined to meet the specific requirements contained in this announcement.

In order to make a determination for a small business set-aside, two or more qualified and capable small businesses must submit responses that demonstrate their qualifications. Responses must demonstrate the company's ability to perform in accordance with the Limitations on Subcontracting clause (FAR 52.219-14).

SUBMISSION DETAILS:

Responses should include:

  1. Business name and address;
  2. Name of company representative and their business title;
  3. Type of Small Business;
  4. CAGE Code;
  5. Your contract vehicles that would be available to the Government for the procurement of the product and/or service, to include ENCORE III, SETI, NIH, NASA SEWP, General Service Administration (GSA): OASIS, ALLIANT II, VETS, STARS II, Federal Supply Schedules (FSS) (including applicable SIN(s)), or any other Government Agency contract vehicle that allows for decentralized ordering. (This information is for market research only and does not preclude your company from responding to this notice.)

Vendors who wish to respond to this should send responses via email NLT 4:00 PM Eastern Daylight Time (EDT) on February 17, 2020 to Taylor Rakers, [email protected] and Cody Seelhoefer, [email protected]. If you feel your company has a solution that meets the requirements above, submit a brief capabilities package (no more than ten pages) demonstrating that ability.

Proprietary information and trade secrets, if any, must be clearly marked on all materials. All information received that is marked Proprietary will be handled accordingly. Please be advised that all submissions become Government property and will not be returned. All government and contractor personnel reviewing submitted responses will have signed non-disclosure agreements and understand their responsibility for proper use and protection from unauthorized disclosure of proprietary information as described in 41 USC 423. The Government shall not be held liable for any damages incurred if proprietary information is not properly identified.