Request for Information - Security Analysis Toolset

(U) Request for Information (RFI) -Security Analysis Toolset (U) This Request for Information (RFI) is in accordance with the Federal Acquisition Regulation (FAR) clause 52.215-3 (Request for Information or Solicitation for Planning Purposes - Oct 1997) and is published to obtain information for use by the Air Force Lifecycle Management Center (AFLCMC), Cryptologic and Cyber Systems Division (HNC), Joint Base San Antonio - Lackland AFB, Texas, for market research and planning purposes only. (U) This RFI is NOT a Request for Proposal, Invitation for Bid, or an announcement of a solicitation; it is only intended for information or planning purposes. There is no bid package or solicitation document associated with this announcement. Response to this RFI is strictly voluntary and will not affect any potential offeror's ability to submit an offer if a solicitation is released. Any requests for a solicitation package will be disregarded. The government does not intend to award a contract on

the basis of this RFI or otherwise pay for the information solicited. No entitlement to payment of direct or indirect costs or charges by the government will arise as a result of preparing submissions in response to this RFI and the government's use of such information. (U) Submittals will not be returned to the sender. Respondents to this RFI may be requested to provide additional information/details based on their initial submittals. Program (U) This RFI is in support of multiple programs within the Cryptologic Modernization Branch (AFLCMC/HNCA) Purpose (U) This RFI is NOT a Request for Proposal, Invitation for Bid, or an announcement of a solicitation; it is only intended to seek information from industry. The information provided may be used the program office to develop its acquisition strategy, statement of work and system requirements. Respondents to this RFI may be requested to provide additional information/details based on their initial submittals. Background (U) The Air Force Cryptologic Modernization Branch (AFLCMC/HNCA) is preparing for Cryptographic Modernization 2 (CM2) activities looking for novel ways to address the 6 capability groups and 42 associated gaps to achieve modernization of DoD cryptographic capabilities. (U) ALFCMC/HNCA is submitting this RFI to industry to gather information that may help expedite End Cryptographic Unit (ECU) certification activities allowing for a reduced timelines in fielding cryptographic equipment while maintaining compliance with security requirements (e.g., High Assurance Encryption Device (HAED) Development Environment Security Requirements). Information Sought (U) AFLCMC/HNC requests industry provide information on available or in development solutions in order to develop a comprehensive security analysis toolset to serve as a pivotal resource enabling programs to evaluate vendor code bases for a wide spectrum of security vulnerabilities and flaws that must be addressed to meet stringent high assurance certification standards in line with new NSA software development guidelines. It emphasizes ease of integration into existing development workflows, to adopt a proactive approach without disrupting development timelines. (U) Key features could include: (U) Static Analysis (U) Dynamic Analysis (U) Dependency Checks and Software Bill of Materials (SBOM) (U) Configuration Audits (U) Compliance Mapping (U) For the security analysis toolset, request your company provide information addressing the following: (U) Description of how the security analysis toolset could be used to automate High Assurance certification activities and anticipated schedule reduction. (U) Description of how the security analysis toolset aligns with existing NSA Software Development Guidance, such as the High Assurance Encryption Device (HAED) Development Environment Security Requirements, the High Assurance Software Requirements Guidance, and others. (U) Any other software development process related activities that can help expedite NSA software review and certification activities (e.g., increased collaboration to adjudicate issues, etc.) (U) Any risks for use of the security analysis toolset in support of NSA Certification. (U) For the identified software analysis toolset, provide a Rough Order of Magnitude (ROM) for the development, deployment, and maintenance. This should include any non-recurring engineering (e.g., development, tool integration, etc.) and recurring engineering costs (maintenance, patching, licenses, etc.) (U) Vendors who submit information for review do so with the understanding that U.S. Government personnel as well as their support contractors will review their material and data. Respondents will not be contacted regarding their submission or information gathered as a result of this notice nor the outcome of the Government's review of the solicited information unless the Government desires further information. Submitted information packages will be retained by the Government and not returned to the contractor. Ensure information is marked and sent appropriately if the response is Controlled Unclassified Information (CUI). (U) This initiative is a no incumbent, modernization requirement expected to be competed. (U) All interested, capable and responsible sources that wish to respond to this RFI are required to electronically supply their responses and send to org account: aflcmc.cryptologic.transformation@us.af.mil by COB 14 April 2024. Please include the title, “Security Analysis Toolset.” (U) NOTE: Additional follow-up questions may need to be accomplished over a secure form of communications.