The purpose of this Sources Sought Announcement is for market research to make appropriate acquisition decisions and to gain knowledge of potential qualified Businesses interested and capable of providing the services described below. Documentation of technical expertise must be presented in sufficient detail for the Government to determine that your company possesses the necessary functional area expertise and experience to compete for this acquisition.
THIS IS A SOURCES SOUGHT NOTICE ONLY. THIS IS NOT A REQUEST FOR PROPOSALS (RFP).
The Department of the Air Force Red Team (DAF Red Team) is seeking information regarding potential sources qualified to conduct a cyber vulnerability assessment of a custom Government Off-the-Shelf (GOTS) secure microprocessor.
2. SCOPE OF EFFORT:
Secure microprocessors are used to provide a hardware root of trust that enables confidentiality, integrity, and/or availability in technology systems. The DAF Red Team would like to assess the level of security provided by a GOTS solution to secure processing.
The assessment will consist of a comprehensive vulnerability analysis of the hardware and software that constitutes the secure microprocessor being assessed. For this assessment, the performers will be fully informed by all available hardware and software design and configuration documentation, as well as all available source code, compiled software, and other development/test resources for the secure microprocessor under assessment. In addition, the government will provide direct access to the engineers of the secure microprocessor, and additional subject matter experts, in order to provide the performer with complete information, technical oversight, and administrative support to ensure a thorough assessment.
The duration of the assessment should not exceed 2 years. At a minimum, the performer will provide the government with quarterly status updates, as well as a final report that extensively details all findings of the assessment. The quarterly status updates will be “interactive” opportunities for the contractor and Government subject matter experts to critically analyze the current state and findings of the assessment, providing constructive feedback to improve the final assessment.
3. REQUESTED INFORMATION:
The following questions are intended to help identify potential performers that are well-qualified to conduct the work described above. Responses to this announcement should address all topics below as best as possible.
a. Overview: Provide a brief overview of the company’s mission, background, and capability.
b. Experience and capability: Please describe any prior experience and capability relevant to assessing microprocessor hardware and software security, including, but not limited to:
(1) Experience assessing vulnerabilities in secure microprocessors
(2) Experience with software vulnerability analysis such as: static code analysis, dynamic code analysis, or fuzzing
(3) Experience with reverse engineering of microprocessor hardware or software in embedded systems
(4) Experience designing or engineering secure microprocessor hardware or software
c. Be as detailed as possible in these descriptions, including information such as:
(1) What commercial or open-source hardware and software tools do you have experience using for these applications?
(2) Does your company maintain active licenses to any described commercial tools that could be applied to this assessment?
(3) What unique hardware or software capabilities does your company have available for these applications?
(4) What types of vulnerabilities have any of your previous efforts identified?
(5) What was the scope and result of any previous vulnerability analysis efforts? Did your efforts include recommending any mitigating actions? Were any such recommendations actionable by the customer to secure their system?
(6) What was the approximate level of resourcing and time allocated to previous efforts? How many people were on the team, and how long did the effort last?
(7) Were there any additional resources or capabilities that would have made previous efforts more successful had they been available?
d. Additional Questions:
(1) Does the company have a preferred type of contract vehicle for this type of work?
(2) What is the state of your corporate security infrastructure and accreditation for classified networks?
i. What classification levels can you support (collateral, SAR, SCI) for discussions, storage, or processing?
(3) Is the company willing to enter into a separate ACA or legal agreement with the GOTS device prime contractor to mutually protect each other’s IP?
4. RESPONSE GUIDELINES:
Interested parties are requested to respond to this announcement with a white paper. Submissions should be single spaced, 12-point type with at least one-inch margins on 8 1/2" X 11" page size. The response should not exceed a 5 MB e-mail limit for all items associated with the response. Oral communications are not permissible. The System for Award Management (https://beta.sam.gov/SAM) will be the sole repository for all information related to this announcement. No hard copy proposals will be accepted.
Companies who wish to respond to this RFI should send responses via email to the Primary and Secondary Points of Contact IAW the Response Date and Time.
Responses to this notice should include the following:
a. Business name and address
b. Name of company representative, contact phone number, and email address
c. DUNS number, if applicable
d. Cage Code, if applicable
e. Socioeconomic status (e.g., Service-Disabled Veteran-Owned, Veteran-owned, 8(a), HUB Zone, Women Owned, Small disadvantaged, Other than Small Business (large business), etc.)
f. A capability statement that addresses the organization’s qualifications and ability to perform as a Contractor for the work described above.
5. INDUSTRY DISCUSSIONS:
DAF Red Team representatives may choose to meet with potential offerors and hold one-on-one discussions. Such discussions would only be intended to obtain further clarification of potential capability to meet the requirements, including any development and certification risks.
Questions regarding this announcement should be submitted in writing by e-mail to the Primary and Secondary Points of Contact no later than two weeks prior to the announcement Response Date. Verbal questions will NOT be accepted. The Government will not reimburse companies for any costs associated with the submissions of their responses.
In accordance with FAR 15.201(e), responses to this announcement are not offers and cannot be accepted by the Government to form a binding contract. This announcement is not a Request for Proposal (RFP) and is not to be construed as a commitment by the Government to issue a solicitation or ultimately award a contract. Responses will not be considered as proposals nor will any award be made as a result of this synopsis. This announcement is issued solely for information and planning purposes.
All information contained in this announcement is preliminary as well as subject to modification and is in no way binding on the Government. The Government does not intend to pay for information received in response to this announcement. Responders to this invitation are solely responsible for all expenses associated with responding to this announcement.
Proprietary information and trade secrets, if any, must be clearly marked on all materials. All information received in this announcement that is marked "Proprietary" will be handled accordingly. The Government will not be held liable for any damages incurred if proprietary information is not properly identified. Please be advised that all submissions become Government property and will not be returned, nor will receipt be confirmed.