Request for Information 831914897

Status: Expired
From: Federal Government (Federal)

Basic Details

Start Date: 12 Jun, 2019
Due Date: 24 Jun, 2019
Type: Bid Notification
Identifier: 831914897
Customer / Agency: Defense Information Systems Agency
DEPT OF DEFENSE (707822) > DEFENSE INFORMATION SYSTEMS AGENCY (DISA) (8661) > TELECOMMUNICATIONS DIVISION- HC1013 (5692)

This is a Request for Information and Not a Sources Sought

REQUEST FOR INFORMATION (RFI)

RFI Number 831914897

The Defense Information Systems Agency (DISA)/Business Support Office/Defense Information Technology Contracting Organization (PL8311) is seeking information from industry to assist with the development and planning of a potential new requirement.

THIS IS A REQUEST FOR INFORMATION (RFI) NOTICE ONLY. THIS IS NOT A REQUEST FOR PROPOSALS (RFP). NO SOLICITATION IS AVAILABLE AT THIS TIME.

1. Overview/Purpose/Description of Procurement: The purpose of this effort is to establish an Insider Threat program for the deterrence, detection, and mitigation of insider threats, including the safeguarding of classified information from exploitation, compromise, and/or unauthorized disclosure. One of DISA's efforts in implementing a three-pronged comprehensive approach to Executive Order 13587, "Structural Reforms to Improve the Security of Classified Networks and the Responsible Sharing and Safeguarding of Classified Information," is implementing a User Behavioral Analytic tool, User and Entity Behavior Analytics (UEBA), which can model and identify typical and atypical behavior of humans and machines within a network.

2. Scope of Effort: The scope of this effort is to garner information from industry which will assist in identifying and solidifying requirements to maximize actions to prevent, deter, detect and mitigate actions that insiders pose (whether unintentional or malicious). Insiders can represent a threat to national security through exploitation of DISA's critical systems, assets, and resources. This would include but is not limited to analyzing, reviewing, testing, identifying and collecting data on users and user behavioral activities in order to reduce the risk that unintentional or malicious insiders can inflict on the government. The end state is to determine if a UEBA platform can bring value added in detecting insider threats and if the platform is worth the return on investment meeting any DISA Cybersecurity Insider Threat current and future requirements.

3. Technical Characteristics: UEBA - correlate and apply sophisticated algorithms to establish behavioral baselines and trigger on anomalous activities. The Government will accept multiple feeds from a variety of sources to include but not limited to Security Information and Event Management (SIEM), User Activity Monitoring (UAM) and Data Loss Prevention (DLP) solutions.

4. Requested Information: See attachment 1 questionnaire.

Response Guidelines: Interested parties are requested to provide answers within the Attachment 1 below. White Papers speaking to capabilities are acceptable in addition to the RFI question responses but cannot exceed two pages, single spaced, 12-point type with at least one-inch margins on 8 1/2" X 11" page size.
White Paper only submissions (without answers to the RFI questions) will not be reviewed. The responses should not exceed a 5 MB e-mail limit for answers to items associated with the RFI response. Responses must specifically describe the contractor's capability to meet the requirements outlined in this RFI. Oral communications are not permissible. FedBizOpps (FBO) will be the sole repository for all information related to this RFI. Companies who wish to respond to this RFI should send responses via email no later than June 24, 2019, 2:00 p.m. Central Standard Time to Ellen T. Crain, ellen.t.crain.civ@mail.mil.

Industry Discussions: DISA representatives may choose to meet with potential offerors and hold one-on-one discussions. Such discussions would only be intended to obtain further clarification of potential capability to meet the requirements, including any development and certification risks.

Questions: Questions regarding this announcement shall be submitted in writing by e-mail to Ellen Crain, ellen.t.crain.civ@mail.mil. Verbal questions will NOT be accepted. Answers to questions will be posted to FBO. The Government does not guarantee that questions received after June 14, 2019 will be answered. The Government will not reimburse companies for any costs associated with the submissions of their responses.

Disclaimer: This RFI is not a Request for Proposal (RFP) and is not to be construed as a commitment by the Government to issue a solicitation or ultimately award a contract. Responses will not be considered as proposals nor will any award be made as a result of this synopsis. All information contained in the RFI is preliminary as well as subject to modification and is in no way binding on the Government. FAR clause 52.215-3, "Request for Information or Solicitation for Planning Purposes", is incorporated by reference in this RFI. The Government does not intend to pay for information received in response to this RFI.
Responders to this invitation are solely responsible for all expenses associated with responding to this RFI. This RFI will be the basis for collecting information on capabilities available. This RFI is issued solely for information and planning purposes. Proprietary information and trade secrets, if any, must be clearly marked on all materials. All information received in this RFI that is marked "Proprietary" will be handled accordingly. Please be advised that all submissions become Government property and will not be returned nor will receipt be confirmed. In accordance with FAR 15.201(e), responses to this RFI are not offers and cannot be accepted by the Government to form a binding contract.

Attachment 1

Vendor:
Product Name:
Point of Contact:
Phone:
Email:

Government Questions | Answer

- Does the UEBA solution have an existing authority to operate (ATO) on Department of Defense (DoD) networks (Unclassified, Classified and Top Secret)? If yes, can you provide the DoD agency and Government point of contact (POC)?
- Does the tool have the ability to support up to Top Secret information?
- Does the UEBA solution have an approval to operate on any other Federal Government Agency other than the DoD? If so, list the name of the agency and Government POC and their contact information.
- What is the cost model and licensing structure? Is it modeled by number of end points/users or by the amount of data ingested?
- Training - Is training available for the application to: interface (dashboards, reports), policy and/or rule development to include tuning, queries, etc.? This includes all operational aspects of the application.
- Training - Is training available for System Administration of the core-operating environment?
- Is the tool a stand-alone, embedded, or "bolt on/module" solution?
- Can a demonstration be provided?

Usability | Answer

Visualizations: Techniques available to display information to the analyst, executives, and create and export reports. This can include raw data, graphs, single entities/users, and other visual imagery. Includes the ability to display and export information in aggregated, correlated and/or groups through dashboards and reports.

- Does the tool require dedicated vendor Subject Matter Experts to create, modify, delete, and maintain rules, policies, visualizations, dashboards and reports?
- Does the tool provide the ability to create reports by user/entity with options for the amount and type of data to be included?
- Does the tool provide for the customization of report templates that analysts can apply to a selected user/entity to easily export in a pre-determined format?
- Are the visualizations "drillable", meaning, can the analyst click on an area within a visualization and obtain detailed information on just that data (i.e. "One-click" capabilities that automatically filter)?

Functionality | Answer

Baseline and Tuning: The ability to capture and calculate a user's/entity's standard host level behavior and filter standard non-threatening system generated host traffic in order to maximize exactly what the user is doing.

- Does the tool provide baselining of behaviors?
- Does the tool create profiles of user behaviors?
- How are baselines derived? (e.g., each individual user, peer groups, work schedules, etc.)
- What is the recommended baselining and tuning period for a worldwide network?
- What is the optimal suggested baseline period for the tool to learn what is considered "normal activity" within a customer's environment?
- Can multiple baselines be derived based on network, location, Virtual Private Networks, etc.?

Peer Grouping | Answer

Grouping data according to like characteristics.

- Does the tool perform peer grouping?
- Does the tool rely upon Lightweight Directory Access Protocol/Active Directory to perform peer grouping?
- Does peer grouping happen automatically and dynamically? Or does it require analyst intervention?

Data Ingest/Collection | Answer

The ability to ingest data and logs from multiple sources into the tool.

- List the SIEM platforms that the tool is compatible with:
- List the UAM platforms that the tool is compatible with:
- Does the tool ingest data natively and/or from a data repository?
- Does the tool require third party "bolt on" support to ingest non-native data sources?
- Can the tool ingest data from Windows event logs?
- Does the tool act on content as well as meta-data collected?
- Does the tool provide for a forensic audit trail?
- Does the tool have the ability to operate across multiple data domains, Non-classified Internet Protocol Router Network (NIPRNet) to Secure Internet Protocol Router Network (SIPRNET)?
- How does the tool collect data? Is a dedicated agent required?

Scalability | Answer

The ability and ease to dynamically expand to a large volume of user accounts and entities.

- How does the tool scale?
- Are there any dependencies to the scalability?
- What is the largest-sized user base the tool has been successfully deployed to?

Analytics | Answer

The discovery, interpretation, and communication of meaningful patterns in data; applying those patterns towards effective decision making.

- What approach is used for the Analytics Engine? (Artificial Intelligence/machine learning (predictive and adaptive), rule/signature based, etc.)
- Are the tool's analytics models "Open" or "Closed"?
- What data sources are recommended and required to gain the best value from the tool?
- Explain how anomalous behavior is captured and displayed:
- Does the tool compile user/entity risk scoring? In addition, what is required to properly define the risk scoring?
- Are there "out of the box" standard rules/policies for the tool? If so please list top ten:
- Can the tool trigger an alert on specific risk scores or events?
- Please explain how alerts can be prioritized:

Infrastructure | Answer

Hardware: The ability of the tool to operate on premises or within a cloud environment.

- Does the tool support Commercial-Cloud, Government-Cloud, and on-premises deployments?

Storage | Answer

The ability of the tool to efficiently maximize storage capacity.

- What is the average storage capacity in a 10,000 user account and entity environment?

Network Overhead | Answer

The ability of the tool to minimally impact network traffic from data sources.

- What is the average network overhead in Megabytes (Mb) from data sources to the tool?
- How often does the tool collect information? Can the frequency of communication be customized?

Location: Ft. Meade, Maryland 20755-7088 United States

Place Of Performance : N/A

Country : United States

Classification

541 -- Professional, Scientific, and Technical Services/541519 -- Other Computer Related Services
NAICS Code: 541519 Other Computer Related Services
PSC Code: D - IT AND TELECOM - INFORMATION TECHNOLOGY AND TELECOMMUNICATIONS