Loren Data's SAM Daily™

fbodaily.com
FBO DAILY ISSUE OF JULY 03, 2009 FBO #2776
SOURCES SOUGHT

D -- software protection

Notice Date
7/1/2009
 
Notice Type
Sources Sought
 
NAICS
511210 — Software Publishers
 
Contracting Office
Department of Homeland Security, Customs and Border Protection, Procurement Directorate - DC, 1300 Pennsylvania Avenue, N.W., Room 1310 NP, Washington, District of Columbia, 20229, United States
 
ZIP Code
20229
 
Solicitation Number
20049442
 
Archive Date
8/6/2009
 
Point of Contact
Ryland C. Marbray, Phone: 202-344-2459
 
E-Mail Address
ryland.marbray@dhs.gov
 
Small Business Set-Aside
N/A
 
Description
This Request for Information (RFI) is issued solely for informational and planning purposes and does not constitute an Invitation for Bids, Request for Proposal, or Request for Quotes. In accordance with FAR 15.202(e), responses to this notice are not offers and cannot be accepted by the Government to form a binding contract. Additionally, the U.S. Government will not provide reimbursement for any information that may be submitted in response to this RFI. Respondents are solely responsible for all expenses associated with responding to this RFI.

Background

U.S. Customs and Border Protection's (CBP's) mission is to facilitate the legitimate flow of people and cargo into and out of this country while denying entry to persons or cargo that would be dangerous to this country or that, for any of a number of reasons, may be denied entry. CBP is a front-line agency in the war on terrorism and collects more revenue than any U.S. agency other than the Internal Revenue Service. CBP identifies persons who would pose a danger were they allowed entry into the United States (e.g., the individual is on the terrorist watch list, has a medical condition that would pose a threat to the U.S. population, or is carrying prohibited agricultural materials) and collects tariffs and duties on imported goods. CBP operates a wide range of automated information systems, including legacy mainframe systems, modernized applications, and various standalone applications. These systems are written to operate under a variety of operating systems, including Windows, Linux, Solaris, AIX, and z/OS, using languages ranging from COBOL to Java and C#, and use DBMSs ranging from DataComDB to Oracle, DB2, and SQL Server. CBP is also moving to a Service Oriented Architecture (SOA), not just for communicating with external parties but also as the basis for its modernized applications. CBP currently uses both Eclipse and Microsoft based IDEs.

In addition to its own systems, CBP also operates large applications for other related agencies such as Immigration and Customs Enforcement (ICE), which run on the same systems and infrastructure as CBP and will host services developed by DHS organizations.

Statement of the Problem

Although CBP uses state-of-the-art network and data security mechanisms such as multiple firewalls and encryption, CBP believes that, much like any other software, there may be vulnerabilities in the software it develops and in the COTS, GOTS, and open source software that it uses. As CBP moves to an SOA, CBP developers become more dependent on software developed by other organizations, both within CBP and throughout DHS, and CBP is thus also concerned with vulnerabilities in software services provided by other entities. In addition, CBP allows other DHS organizations to host services on its enterprise service bus (ESB) and needs to assure that vulnerabilities are detected and removed from this externally developed software before it is used on the CBP ESB and in CBP applications. Some issues, such as memory leaks and exposed network ports, can only be detected at runtime. Compile-time detection will miss many potential issues, especially when Java reflection and Spring bean configuration are used, because the classes and methods actually invoked are resolved from strings and configuration files rather than being visible in the source. Products identified in response to this RFI should therefore support vulnerability and bug testing at runtime. CBP is looking for a solution that imposes the minimum impact on CBP development personnel and can be used with the widest range of contractor development methodologies. CBP is also looking for a solution that provides the highest degree of vulnerability remediation with the least impact at runtime. CBP is using this RFI to identify products, processes, and/or procedures that CBP might use to make its software less vulnerable to attack due to coding errors and/or design flaws.
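As an added illustration of the reflection point in the Statement of the Problem (this is editor-supplied example code, not part of the CBP notice and not any product it solicits), the following Java program invokes a method whose class and name come from configuration rather than from source, the pattern Spring bean wiring relies on. Nothing in the source calls runShellCommand, so a scan of call sites at compile time reports no path to it, yet the configured strings reach it at runtime. An allow-list check placed at the reflective call site is the kind of control that only a runtime monitor can apply. The class names, method names, and configuration map below are constructed for the example.

```java
import java.lang.reflect.Method;
import java.util.Map;
import java.util.Set;

public class ReflectiveDispatchDemo {

    /** A service that looks harmless to a static call-graph scan: no source line calls runShellCommand. */
    public static class ReportService {
        public String renderReport(String name) {
            return "report:" + name;
        }

        /** Dangerous sink. It is never referenced directly; only reflection can reach it. */
        public String runShellCommand(String cmd) {
            // Illustrative only: the example returns a string instead of executing anything.
            return "would execute: " + cmd;
        }
    }

    /** Constructed stand-in for a bean definition read from XML or properties at startup. */
    static final Map<String, String> CONFIG = Map.of(
        "bean.class", "ReflectiveDispatchDemo$ReportService",
        "bean.method", "runShellCommand"   // a mis-deployed or tampered config picks the sink
    );

    /** Allow-list enforced at the reflective call site; visible to a runtime check, invisible to the compiler. */
    static final Set<String> ALLOWED_METHODS = Set.of("renderReport");

    /** Resolves and invokes the configured method; with enforce=true, non-allow-listed targets are refused. */
    public static String dispatch(Map<String, String> cfg, String arg, boolean enforce)
            throws ReflectiveOperationException {
        Class<?> clazz = Class.forName(cfg.get("bean.class"));
        String methodName = cfg.get("bean.method");
        if (enforce && !ALLOWED_METHODS.contains(methodName)) {
            throw new SecurityException("reflective call to non-allow-listed method: " + methodName);
        }
        Method m = clazz.getMethod(methodName, String.class);
        Object target = clazz.getDeclaredConstructor().newInstance();
        return (String) m.invoke(target, arg);
    }

    public static void main(String[] args) throws ReflectiveOperationException {
        // Without the runtime check, the configured sink is reached even though no code calls it.
        System.out.println(dispatch(CONFIG, "rm -rf /tmp/x", false));
        // With the check, the same configuration is stopped at the moment of invocation.
        try {
            dispatch(CONFIG, "rm -rf /tmp/x", true);
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
        }
    }
}
```

Run it as a single file with `java ReflectiveDispatchDemo.java` (Java 11 or later). The same observation applies to container-managed beans: the binding from configuration string to executable method exists only once the application is running, which is why the notice asks for runtime detection rather than compile-time analysis alone.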
CBP's intention is to identify vulnerabilities in the software that it develops and uses, to train its developers to avoid those vulnerabilities, and to examine its code base to identify and remediate occurrences of those vulnerabilities. The examination of CBP code should include analysis of code throughout the software development life cycle and analysis of code running on CBP production systems. CBP is looking for proven, off-the-shelf solutions suitable for deployment in a mission-critical production environment and is not looking to sponsor a research project or serve as a beta test for any product or approach.

Responding to this RFI

Information provided in response to this RFI must be submitted no later than fifteen (15) calendar days from the date of posting, in the form of a "white paper." Responses should be limited to not more than ten (10) single-spaced pages. Please note that the collection of this data does not obligate the U.S. Government to incorporate the solicited comments in any future procurement action, nor does it obligate the Government to procure any services or products related to this RFI. Proprietary information should not be included in the RFI response. Responses to this RFI will not be returned. Interested parties shall provide the following information when responding to this RFI:

1. Concept – What is the private sector's perception of the viability of this initiative? Is there interest in providing this capability?
2. Identification and Remediation of Software Vulnerabilities – What is the respondent's approach to both the identification and remediation of software vulnerabilities?
3. Nature of the Solution – What approach or mix of approaches (e.g., products, tools, processes, and services) does the respondent believe most appropriate for providing the capability that CBP is requesting?
4. Vendor Experience – Please describe the vendor's experience implementing the solution described above. In addition, please describe results that customers have obtained in terms of the vulnerabilities that have been discovered and remedied.
5. Remediation Training – What training could the respondent make available to CBP personnel in both the use of the product and the avoidance of software vulnerabilities? Describe vendor recommendations for how to accomplish training of large numbers of CBP personnel, primarily contractors.
6. Other – What other information and ideas does the private sector offer for pursuing this initiative?
 
Web Link
FBO.gov Permalink
(https://www.fbo.gov/spg/DHS/USCS/PDDC20229/20049442/listing.html)
 
Record
SN01863968-W 20090703/090702003832-6d17c6d9f7b3a0e331218e1c90fe8f89 (fbodaily.com)
 
Source
FedBizOpps Link to This Notice
(may not be valid after Archive Date)

© 1994-2020, Loren Data Corp.