REQUEST FOR INFORMATION - 832366638

The Defense Information Systems Agency (DISA), Digital Capabilities and Security Center (DCSC) Endpoint Division (ID3) is seeking information for software or architectural solutions to meet a Comply-to-Connect (C2C) framework and business processes with the capability of orchestration.

THIS IS A REQUEST FOR INFORMATION (RFI) NOTICE ONLY. THIS IS NOT A REQUEST FOR PROPOSALS (RFP). NO SOLICITATION IS AVAILABLE AT THIS TIME.

BACKGROUND:

The C2C framework is a comprehensive cybersecurity framework of tools and technologies designed to increase cybersecurity efficiency across DoD’s current and emerging operational environments consisting of multiple capabilities orchestrated to meet the technical characteristics listed below. These imperatives create a significantly greater level of compliance, automation, situational awareness, and result in a superior network understanding, thus dramatically improving the Department’s cybersecurity posture.

The DoD Chief Information Officer (CIO) Deputy for Cybersecurity (DCIO/CS) directed DISA to create a program office to seek standardization of the capability with DCIO/CS and United States Cyber Command (USCYBERCOM) oversight. Since 2021, The DISA C2C Program Management Office (PMO) has provided Forescout licensing for the DoD Enterprise as the solution to meet DoD CIO objectives.

OBJECTIVE:

C2C is a framework of managing access to the network and its information resources by restricting access for those devices that do not comply with established standards and configurations. The DISA ID3 C2C PMO is seeking information for potential solutions for the Comply-to-Connect (C2C) Program. C2C enables the ability to conduct defensive cyber operations (DCO) in response to detected and nascent threats by providing critical enabling information for the development of a common operating picture (COP).

The specific areas of focus, referred to as the DoD CIO C2C Steps, are:

Step 1: Discover and Identify

Step 2: Interrogate

Step 3: Auto Remediate

Step 4: Authorize Connection

Step 5: Situational Awareness and Enforcement.

The C2C solution will allow continuously updated visibility of all IP endpoint, network infrastructure, and internet of things (IOT) device connections. By identifying the non-compliant and previously unidentified devices, DoD will be able to limit the access of these assets and mitigate risk in an automated fashion, which will significantly increase the security posture of the DoDIN. In addition, C2C will support segmentation of compliant devices based on device type, operational/functional impact, sensitivity, and security risk. This segmentation will restrict an adversary’s ability to traverse the network, protect access to sensitive data, and allow easier remediation upon discovery, providing an automation solution that is reliable, timely, and allows for comprehensive reporting on critical cyber security metrics.

The anticipated Place of Performance for most of the work is the contractor’s facility. A portion of the work may require contractor physical presence at the DISA Headquarters facilities at Ft. Meade, MD.

TECHNICAL CHARACTERISTICS:

1. The proposed C2C solution shall discover, identify, categorize, classify, and profile all devices connecting to networks comprising the DoDIN, to include devices from every USCYBERCOM defined endpoint category (i.e., physical and virtual workstations, physical and virtual servers, networked user support devices and peripherals, mobile devices, network infrastructure devices, platform information technology devices, and Internet of Things (IoT) devices) using the widest variety of both passive and active network-based and host-based discovery methodologies. Describe how the proposed solution would meet the requirement.
2. The proposed C2C solution shall authenticate all connecting devices utilizing 802.1x or equivalent standards, or through known attribute checking in accordance with applicable DoD CIO Memoranda with or without an agent and, based on device profile, assess the device compliance with administrator imported from DoD authoritative source (such as the C2C PMO or higher headquarters) or locally established required compliance baselines. Describe how the proposed solution would meet the requirement.
3. The proposed C2C solution shall have the ability to automatically remediate deviations from established required compliance baselines including deploy/configure/start operation of required endpoint agents, executing configuration modifications, cue malware signature/definition updates and alerts, and triggering software (operating system and application) updates. Describe how the proposed solution would meet the requirement.
4. The proposed C2C solution shall have the ability to perform or orchestrate network segmentation actions at one or more policy enforcement points in the network (e.g., host, access switch, wireless access point, network firewall) in order to block access of devices determined to be unauthenticated, quarantine non-compliant devices for additional inspection and remediation, and once compliant, segregate devices by typefunction to limit access to only mission necessary network segments (automating least-privilege operations), without requiring the use of an endpoint agent. Describe how the proposed solution would meet the requirement.
5. The proposed C2C solution shall be capable of operating both in and out of band, have the ability for delivery of user notifications web-redirection or desktop pop-ups, have the ability to centrally/regionally administer and control C2C devices, and continuously/periodically feed C2C collected information to management and situational awareness dashboards and databases to highlight system compliance and enable further analysis as operationally required utilizing external data feeds that provide per-connection and count level metrics showing the tool is successfully executing functions in each of the discovery, interrogation, remediation, orchestration, and reporting steps. Describe how the proposed solution would meet the requirement.

REQUESTED INFORMATION:

Based on the information provided in the previous sections, interested vendors should provide the following in response to the RFI:

1. Provide responses that describe how the proposed software or technical solution would meet the requirements in the previous section.
2. Complete the attached C2C Requirements spreadsheet marking requirements as Green (Meets), Yellow (Partially Meets) or Red (Does Not Meet). If a requirement is assessed as Yellow, please explain in detail how the software or technical solution only partially meets.
3. Discuss your solution or company offering for training on the software.
4. Describe the pricing to include the costs of software and training. Please provide separate annual pricing for support of 2 million, 4 million and 7 million licenses.
5. Status as a reseller of maintenance and software for all the software titles proposed.

Please include the following non-technical information:

1. Business name and address;
2. Name of company representative and their business title;
3. Type of Small Business;
4. CAGE Code;
5. Your contract vehicles that would be available to the Government for the procurement of the product and/or service, to include ENCORE III, SETI, NIH, NASA SEWP V, DoD ESI, General Service Administration (GSA): OASIS, ALLIANT II, VETS II, STARS III, Federal Supply Schedules (FSS) (including applicable SIN(s)), or any other Government Agency contract vehicle that allows for decentralized ordering. (This information is for market research only and does not preclude your company from responding to this notice.)

Proprietary information and trade secrets, if any, must be clearly marked on all materials. All information received that is marked Proprietary will be handled accordingly. Please be advised that all submissions become Government property and will not be returned. All government and contractor personnel reviewing submitted responses will have signed non-disclosure agreements and understand their responsibility for proper use and protection from unauthorized disclosure of proprietary information as described 41 USC 423. The Government shall not be held liable for any damages incurred if proprietary information is not properly identified.

Response Guidelines:

Interested parties are requested to respond to this RFI with a white paper. Submissions cannot exceed 10 pages, single spaced, 12-point type with at least one-inch margins on 8 1/2” X 11” page size. The response should not exceed a 5 MB e-mail limit for all items associated with the RFI response. Responses must specifically describe the contractor’s capability to meet the requirements outlined in this RFI. Oral communications are not permissible. Sam.gov will be the sole repository for all information related to this RFI.

Companies who wish to respond to this RFI should send responses via email no later than May 05, 2023 at 12:00 PM CST to J.C. Wilson, Jason.c.wilson66.civ@mail.mil, Danni Schwend, danielle.m.schwend.civ@mail.mil, and Joshua High, joshua.j.high.civ@mail.mil

Industry Discussions:

DISA representatives may choose to meet with potential offerors and hold one-on-one discussions. Such discussions would only be intended to obtain further clarification of potential capability to meet the requirements, including any development and certification risks.

Questions:

Questions regarding this announcement shall be submitted in writing by e-mail to J.C. Wilson, Jason.c.wilson66.civ@mail.mil, Danni Schwend, danielle.m.schwend.civ@mail.mil, and Joshua High, joshua.j.high.civ@mail.mil . Verbal questions will NOT be accepted. Answers to questions will be posted to Sam.gov. The Government does not guarantee that questions received after May 05, 2023 at 12:00 PM will be answered. The Government will not reimburse companies for any costs associated with the submissions of their responses.

Disclaimer:

This RFI is not a Request for Proposal (RFP) and is not to be construed as a commitment by the Government to issue a solicitation or ultimately award a contract. Responses will not be considered as proposals nor will any award be made as a result of this synopsis.

All information contained in the RFI is preliminary as well as subject to modification and is in no way binding on the Government. FAR clause 52.215-3, “Request for Information or Solicitation for Planning Purposes”, is incorporated by reference in this RFI. The Government does not intend to pay for information received in response to this RFI. Responders to this invitation are solely responsible for all expenses associated with responding to this RFI. This RFI will be the basis for collecting information on capabilities available. This RFI is issued solely for information and planning purposes. Proprietary information and trade secrets, if any, must be clearly marked on all materials. All information received in this RFI that is marked “Proprietary” will be handled accordingly. Please be advised that all submissions become Government property and will not be returned nor will receipt be confirmed. In accordance with FAR 15.201(e), responses to this RFI are not offers and cannot be accepted by the Government to form a binding contract.

Attachments/Links