DISA Call for White Papers
Technologies, and technology-based companies, advance so rapidly that the Department of Defense is finding it difficult to contractually engage, collaborate, and do business with high-tech companies. The traditional procurement process is too slow and based on regulations rather than negotiations. The Government's cost-based pricing system is cumbersome and expensive, requiring unique accounting and auditing systems. The Government's standard approach to intellectual property can be overreaching and inflexible. The Defense Information Systems Agency (DISA) is responding to this by exercising its authority under 10 U.S.C. 2371b, Other Transaction Agreements for Prototypes. DISA will periodically post Requests for White Papers inviting companies leading innovation to submit their solutions to the Agency's capability gaps, problem statements, or areas of interest.
Identity, Credential, and Access Management (ICAM)
Due Date (EXTENDED): 14 November, 2019 @ 12:00pm EST
Project Number: DISA-OTA-20-R-ICAM
Section 1. OVERVIEW/DESCRIPTION
This request for White Paper (RWP) is being issued to conduct research, development, and testing activities associated with Identity, Credential, and Access Management (ICAM) activities. This request meets the statutory requirements of Other Transaction Authority (OTA) (10 U.S.C. §2371) for the development and deployment of a DoD Enterprise Identity Service that will create a single user record, consolidating all pertinent data associated with the individual under one account, and automatically deleting such accounts when they are no longer required. The objective will be to establish a federated identity service for DISA, its mission partners, non-CAC holders (such as authorized guests and visitors), and non-person entities that mitigates current inefficiencies, facilitates strong authentication to current state-of-the-art cloud services, provides authorization services with role-based access, and enables audit of users and resources; using non-traditional defense contractor solutions per 10 USC §2302(9), which defines a non-traditional defense contractor as "an entity that is not currently performing and has not performed, for at least one year preceding the solicitation of sources by the DoD for the procurement or transaction, any contract or subcontract for the DoD that is subject to full coverage under the cost accounting standards prescribed pursuant to 41 USC §1502 and the regulations implementing such section."
The project involves technology that exists in the marketplace, but not in the breadth, scope, and bandwidth that would be capable of integrating the entire DoD Enterprise and all of its unique systems and requirements, and ensuring their seamless integration and interoperability in the manner and at the level that this mission-critical federated identity effort requires. In the latter regard, it is very much a prototype.
ICAM capabilities will enhance the security and integrity of DoD information systems that serve and protect warfighters and the military and civilian personnel who support them. ICAM does so proactively rather than reactively, by restricting unauthorized access to systems and information across organizational boundaries, reducing the opportunity for infiltration and violation of DoD enterprise integrity, mitigating inefficiencies and known cyber threats, and maximizing the effectiveness of the ICAM community. Some examples of inefficiencies to be mitigated are the paper DD2875 access request process, ineffective account lifecycle management, lack of visibility into which users have access to what systems, and lack of flexibility to leverage authenticators beyond public key infrastructure (PKI)-based solutions.
Identity, Credential, and Access Management (ICAM) Request for White Papers [PDF]
Identity, Credential, and Access Management (ICAM) Request for White Papers Amendment 002 [PDF]
Identity, Credential, and Access Management (ICAM) Request for White Papers Amendment 002 Q&A [PDF]
Identity, Credential, and Access Management (ICAM) Request for White Papers Amendment 003 [PDF]
Identity, Credential, and Access Management (ICAM) Request for White Papers Amendment 004 [PDF]
Identity, Credential, and Access Management (ICAM) Request for White Papers Amendment 004 Q&A Clarification [PDF]
Identity, Credential, and Access Management (ICAM) Request for White Papers Amendment 005 [PDF]
Identity, Credential, and Access Management (ICAM) Request for White Papers Amendment 005 Q&A Clarification [PDF]
Mobility Enablement Prototype
Due Date: August 12, 2019 by 9:00 AM CST
Project Number: DISA-OTA-19-R-MEO
Section 1. Request for White Papers
This request for White Paper (RWP) is being issued to seek vendors capable of fulfilling the technical objectives outlined below related to Mobility Enablement in order to conduct research, development, and testing activities to stand up an environment capable of supporting the development of secure mobile applications (apps) and streamline the security approval process to properly vet the apps for use on Department of Defense (DoD) mobile devices.
1.2 Statement of Need
DISA has made progress over the past few years, delivering a secure solution for mobile communications, DoD Mobility Unclassified Capability (DMUC) and DoD Mobility Classified Capability. To improve device utility, DISA requires a capability to efficiently develop and sustain secure mobile applications. In March 2018, DISA SD3 set out to enhance the mobile end users' experience, explore ways to maximize utilization, and lower the barrier for agile mobile application development by mirroring the commercial experience. An industry survey confirmed that the utility of mobile devices stems from accessibility of native applications. DoD mobile users should have the same tools and services to which they are accustomed on their desktop/laptop computer securely available on the mobile device. The MEO is planning to utilize Other Transaction Authority (OTA) to engage industry and prototype an agile solution. The goal is to stand up an environment capable of supporting the development of secure mobile applications (apps) and streamline the security approval process to properly vet the apps for use on DoD mobile devices.
The DoD does not currently have a means to efficiently build approved applications for a DoD mobile environment with security requirements incorporated into the development process. DISA requires a capability similar to what exists in industry to adopt mature processes for mobile application development and sustainment. There is an immediate need to mirror industry's agile approach while simultaneously including the required DoD security elements into that process. The project's objective is to prototype a web-based software development environment for creating secure mobile applications suitable for the DMUC capability and streamline the security approval process to properly vet the apps for use on DMUC devices. The development environment will be accessible from anywhere and by any qualified and authorized mobile applications developer. The prototype will minimally include an environment for iPhone Operating System (iOS) and Android applications development and include an automated means for ensuring compliance with the National Information Assurance Partnership (NIAP) criteria, the DoD Security Requirements Guide (SRG), the DoD Security Technical Implementation Guides (STIGs), and any other approved security measures. The prototype will also include tools for continuous integration, code repository, issue tracking, source control, and documentation.
Download the Mobility Enablement Prototype Request for White Papers [PDF]
Download the Mobility Enablement Prototype Request for White Papers Amendment 0001 [PDF]
Download the Mobility Enablement Prototype Request for White Papers Amendment 0002 [PDF]
Download the Mobility Enablement Prototype Request Q&A Responses [PDF]
Quantum-Resistance Cryptography Prototype
Due Date: June 14, 2019 by 9:00 AM CST
Project Number: DISA-OTA19-R-Quantum
The Defense Information Systems Agency (DISA), Emerging Technology (EM) Directorate through the DISA Procurement Services Directorate (PSD) is seeking information from Industry to evaluate the use of quantum-safe algorithms and cryptographic solutions that can defend Department of Defense (DoD) Information Technology (IT) infrastructure from malicious cyber activities.
SECTION 1 OVERVIEW/DESCRIPTION
One of the immediate concerns facing DoD has to do with public key cryptography data encryption and authentication. Theoretically, adversaries could utilize quantum computers to attack the cryptographic algorithms that are widely used for secure online transactions and communications. Certain algorithms currently utilized across the DoD on various systems are vulnerable to attacks from large-scale quantum computers. The exact time of the arrival of the quantum-computing era is unknown; however, DoD must begin now to prepare its information security systems to be able to resist attacks from large-scale quantum computers.
This request for White Paper (RWP) is being issued to conduct research, development, and testing activities associated with evaluating Quantum-Resistant algorithms, and cryptographic solutions that can be used to enable quantum-encrypted information transfer using symmetric encryption.
1.2 STATEMENT OF NEED
Arrival of the quantum-computing era is inevitable, though its timing is unknown. DoD must begin now to prepare its information security systems to protect against quantum computing attacks. One of the immediate concerns facing DoD has to do with public key cryptography data encryption.
Due to growing concerns related to quantum computers, DISA has begun to investigate quantum-resistant or quantum-safe cryptography algorithms and solutions. The goal of this prototype Other Transaction Authority (OTA) is to research, evaluate, test, and deliver a prototype utilizing cryptographic algorithms and solutions that would secure DoD IT systems against both quantum and classical computers.
The Quantum-Resistant Cryptography prototype will support the following:
- Future improvements, technical feasibility, and optional challenges associated with implementing new algorithms and solutions on the current DoD PKI/PKE components, technology, and processes;
- Time to generate Public Key, Ciphertext, and Signature Size (i.e., key size) locally on DoD devices;
- The hardware and software efficiency of the public key (encryption, encapsulation, and signature verification) and private key (decryption, decapsulation, and signing) operations dealing with traffic volume;
- Decryption/decapsulation failures associated with application utilization and identify interactive protocols that establish key failures;
- Analysis of bandwidth requirements and the ability of solutions to support systems operating in constrained environments;
- Migration options to enable a smooth transition to new algorithms and architectures;
- Performance test results to contribute to the national discussion and build a case to recommend algorithms and possible solutions to use as the industry standard.
The Defense Information Systems Agency, known as the Defense Communications Agency until 1991, is a United States Department of Defense combat support agency composed of military, federal civilians, and contractors. DISA's mission is to conduct DODIN operations for the joint warfighter to enable lethality across all warfighting domains in defense of our Nation. DISA is the trusted provider to connect and protect the warfighter in cyberspace. Visit https://www.disa.mil to learn more.