Central Attribution Management Portal to fulfill a requirement as part of the Tagging, Reporting and Attribution Configuration Suite (TRACS) for the Department ...

Amendment 2 is provided to extend the reponse deadline to 1 March 2024 at 5PM CST. Amendment 1 to the Request for Information is provided to include an attachment with answers to questions received by the contracting office. The Defense Information Systems Agency (DISA), Acquisition Directorate (ACQ) Endpoint Security Division (ID3) is seeking information from industry to determine if commercially available solutions exist that will meet the Department of Defense’s needs for a central attribution management portal to be deployed and managed as part of the Tagging, Reporting and Attribution Configuration Suite (TRACS). CONTRACTING OFFICE ADDRESS: DISA/Defense Information Technology Contracting Organization (DITCO) 2300 East Drive, Building 3600 Scott AFB, Illinois 62225-5406 THIS IS A REQUEST FOR INFORMATION (RFI) NOTICE ONLY. THIS IS NOT A REQUEST FOR PROPOSALS (RFP). NO SOLICITATION IS AVAILABLE AT THIS TIME. BACKGROUND: The Department of Defense (DOD) currently has recently changed

policies to allow DOD components to acquire and deploy diverse endpoint management security solutions with the caveat that any acquired solution must provide minimum required endpoint security data elements specified in the DOD Chief Information Officer (CIO) “Endpoint Security Minimum Data Standards” Memorandum. However, market research and vendor engagements currently indicate that functionality provided by the Government as part of the Trellix Endpoint Security Solution (ESS) to align devices to appropriate organizations, locations, and system Authorizations to Operate (ATOs) are not commercially available. Due to the proliferation of vendor products potentially being pursued, the Government has determined that is not likely to be cost effective to build or fund Government Off the Shelf (GOTS) or vendor created solutions to integrate these capabilities with each product, similar to work currently and previously conducted with the Trellix and Tenable product suites. Since the need to attribute every device in the Department of Defense Information Networks (DODIN) to its respective owning unit, administration unit, cybersecurity service provider, DODIN Area of Operations, Geolocation, Combatant Command Area of Responsibility, and ATO, DISA is pursuing a strategy of providing a centralized attribution solution that will enable visualization, assignment, correction, and propagation of attribution data to other systems as a single DOD Enterprise tool. Within the context of this RFI, the portal will be referenced as the Central Attribution Management Portal (CAMP). Based on lessons learned maintaining the Operational Attributes Management (OAM) extension to Trellix ePolicy Orchestrator, the previous primary attribution management tool, the CAMP will be designed to meet several operational objectives. Assign every device and (future) identified assessment target (e.g., containers, application instances) each of the attributes designated in the Deputy CIO Operational Attributes Guidebook and any follow-on DOD policy that supplements or replaces it Enable DOD Enterprise and lower echelon abilities to rollup, drilldown, group, filter, and control access using names that are contained in hierarchies where parent/child relationships are maintained. Flexibly respond to changes in DOD asset inventory (additions, removals) as well as changes in DOD organization, location, and system structures Expose attribution data to authorized consuming systems as the primary mission. OBJECTIVE: The DOD desires to achieve near 100% continuously updated attribution of endpoints on the DOD Information Network. The attribution data will be sufficient to provide Situational Awareness (SA) and Command and Control (C2) at all levels of the DOD such that system property custodians, users, and administrators can visualize data for endpoints under their purview and maintain attribution information meaningful to them, but that same data can be used to build SA and C2 capabilities at all higher echelons all the way up to the Secretary of Defense. Data maintained by the system should leverage automation to maximum extent possible during re-organizations, deployments and departures for locations, and system commissioning and decommissioning, leaving humans to only have to enter data when there is no viable automatable method. TECHNICAL CHARACTERISTICS: Solution Characteristics: To meet the stated objectives, the DoD is requesting white papers describing existing commercial products that either fully meet DOD requirements, or that can be quickly, and cost effectively modified to provide required functionality. The solution should have the following characteristics. Integrate seamlessly with the DOD central endpoint security configuration device data repository, currently the Continuous Monitoring and Risk Scoring (CMRS) tool, but be easily integrated with a different repository solution. Provide integrations to receive and expose attribution data about devices with other enterprise and component endpoint security, asset identity, and asset management systems. Provide robust user data entry, visualization, and analysis support to enhance the completeness, accuracy and granularity of attribution data. Provide robust capabilities to enable data submission using manual, semi-automated, and fully automated feeds. Avoid providing duplicate functionality to CMRS and other repositories where possible. Use the Cyber Operational Attribute Management System (COAMS) identifiers, display names, and acronyms as its primary attribution data source, while also providing robust lookup capabilities to correlate COAMS names and identifiers with other systems’ attribution data. Embody robust access control where users are permitted access to device and attribution data where there is a reasonable expectation that the user has a justifiable need to know for at least some of the devices in the population either because the data about the devices originated from a data source known to contain devices the user is responsible for assigning or correcting attribution data, or because the device population is assigned to a more abstract organization, location, or system level that is correct, but not at the required or optimized level of granularity (e.g. the device is attributed to DISA, but would more accurately attributed to DISA ID33) and the user has the necessary information to make corrections, or the charter to ensure that attribution has been completed for the appropriate device population Implement robust logging to enable identification of users who may be maliciously or ignorantly assigning incorrect attribution data. Enable automation so that attribution data can be assigned based on device properties, such as IP ranges, host name text, originating sensor, or other attributes in an automated bulk or continuous process. Provide robust adaptability using Application Programming Interfaces (APIs), available Software Development Kit (SDK), mapping tables, analytics, and intuitive, flexible user interfaces. Provide interfaces or existing capabilities to “brand” or “tattoo” attribution data onto devices where viable (either directly, or using endpoint management tools (e.g. Tanium, Intune, MECM) and to ingest data recovered from branded devices to update attribution data in the portal system. Also provide configurable conflict resolution logic assignment to choose whether to use endpoint attribution data, portal data, and whether to update either or both the endpoint branding and portal data. REQUESTED INFORMATION: Based on the information provided in the previous sections, interested vendors should provide the following in response to the RFI: Provide responses that describe the proposed CAMP solution, to include product functionality, compliance with technical characteristics, and assessments of development timelines, scope, and cost to enhance the solution to fully meet DOD requirements. Describe the interfaces supported by the tool that can be leveraged by other users and tools to perform data submission and extraction. Describe the maturity and existing deployments of the CAMP solution, along with existing vendor integrations supported in the off-the-shelf versions of the software. Describe any controls a proposed CAMP solution implements to provide confidentiality and access control to enable users to view populations of endpoints that can be reasonably expected to contain endpoints which are either already attributed to their respective organizations, locations, or systems, or which contain endpoints they need to assign that attribution data too. Describe the pricing methods for the suggested solution to include the costs of software, training, and operational support. If Subject Matter Expert support will be included or proposed, describe this information. (Enterprise/Subscription license solution or phased implementation). Describe if the solution/vendor can meet National Information Assurance Partnership (NIAP), Security Technical Implementation Guides (STIGs), Assessment and Authorization, 508, Federal Information Processing Standard (FIPS) 140-2, and other relevant DOD and Federal policy requirements. Discuss your solution or company offering for training on the software. Describe how your product is licensed or purchased. Describe what existing vehicles the Government can procure the solution, if any. Please also submit the following non-technical information: Company Name CAGE/DUNS Number under which the company is registered in sam.gov Company Address Technical and Contracts Points of contact information Are you a small business under an NAICS 541519 size standard $27.5M? If a small business, what type of small business are you (e.g. SDVOSB, SDB, etc.)? Status as a reseller of maintenance and software for all the software titles proposed. Response Guidelines: Interested parties are requested to respond to this RFI with a white paper. Submissions cannot exceed 10 pages, single spaced, 12-point type with at least one-inch margins on 8 1/2” X 11” page size. The response should not exceed a 5 MB e-mail limit for all items associated with the RFI response. Responses must specifically describe the contractor’s capability to meet the requirements outlined in this RFI. Oral communications are not permissible. Sam.gov will be the sole repository for all information related to this RFI. Companies who wish to respond to this RFI should send responses via email no later than March 1, 2024, at 5:00 PM CST. Industry Discussions: DISA representatives may choose to meet with potential offerors and hold one-on-one discussions. Such discussions would only be intended to obtain further clarification of potential capability to meet the requirements, including any development and certification risks. Questions: Questions regarding this announcement shall be submitted in writing by e-mail to Kristen Abbott (kristen.m.abbott2.civ@mail.mil), Terri Rollins (terri.l.rollins.civ@mail.mil), and Curtis Robinson (curtis.a.robinson.civ@mail.mil). Verbal questions will NOT be accepted. Answers to questions will be posted to sam.gov. The Government does not guarantee that questions received after 12:00 PM CST February 20, 2024, will be answered. The Government will not reimburse companies for any costs associated with the submissions of their responses. Disclaimer: This RFI is not a Request for Proposal (RFP) and is not to be construed as a commitment by the Government to issue a solicitation or ultimately award a contract. Responses will not be considered as proposals, nor will any award be made as a result of this synopsis. All information contained in the RFI is preliminary as well as subject to modification and is in no way binding on the Government. FAR clause 52.215-3, “Request for Information or Solicitation for Planning Purposes”, is incorporated by reference in this RFI. The Government does not intend to pay for information received in response to this RFI. Responders to this invitation are solely responsible for all expenses associated with responding to this RFI. This RFI will be the basis for collecting information on capabilities available. This RFI is issued solely for information and planning purposes. Proprietary information and trade secrets, if any, must be clearly marked on all materials. All information received in this RFI that is marked “Proprietary” will be handled accordingly. Please be advised that all submissions become Government property and will not be returned nor will receipt be confirmed. In accordance with FAR 15.201(e), responses to this RFI are not offers and cannot be accepted by the Government to form a binding contract.