EVALUATION OF CYBER/IoT VULNERABILITIES OF DOD CRITICAL INFRASTRUCTURE (ExCITe)

1.0 INTRODUCTION
This publication constitutes a Request for Information (RFI) as defined in Federal Acquisition Regulation (FAR) 15.201(e), "Exchanges with Industry before receipt of Proposals, Request for Information".
Respondents should note that no funding has been specifically reserved for this announcement. We are soliciting Requests for Information abstracts only. Do not submit a white paper or proposal at this time.
2.0 FEDERAL AGENCY NAME
Department of Air Force, Air Force Materiel Command, AFRL - Rome Research Site, AFRL/Information Directorate
AFRL/RIED
RFI-AFRL-RIK-20-01
26 Electronic Parkway
Rome, NY, 13441-4514
3.0 REQUEST FOR INFORMATION (RFI)
The RFI seeks to obtain technical concepts, approaches, and merits of the ideas of work pertaining to the automatic identification, mapping, and security analysis of various base control systems. For the scope of this RFI, base control systems consist of industrial control systems/supervisory

control and data acquisition (ICS/SCADA), building automation, life safety, utility monitoring, and airfield control systems
. Further, it seeks to obtain information about pricing, delivery, and other market information or capabilities for possible use in a future Broad Agency Announcement (BAA). This announcement is not a request for proposals; therefore, responses to the RFI are not considered offers and cannot be accepted by the Government to form a binding contract. Refer to Section 6 of this announcement for instructions on submitting an RFI abstract. All submissions must be unclassified.
3.1 RFI ABSTRACTS
To help guide the RFI process the following questions would be appropriate and should be considered when responding to this request.
1. What are you trying to do?
2. How is it done today?
3. What is new or innovative in your approach?
4. If you are successful, what difference will it make?
5. What are the risks and payoffs?
6. How much will it cost? How long will it take?
7. What are the midterm and final "exams" to check for success?
Abstracts should contain, in sufficient detail, information to enable the Government to determine whether the technical concept and/or capabilities should be reflected in a future BAA.
3.2 RFI SUBMISSIONS
Submission of an abstract is voluntary and is not required to propose to subsequent Broad Agency Announcements (if any) on this topic. Respondents are advised that AFRL is under no obligation to provide feedback with respect to any information submitted under this RFI.
RFI abstract due date is 31 January 2020.
4.0 TECHNICAL REQUIREMENTS:
The Air Force is interested in novel methods to automatically identify and map USAF base control systems and infrastructure devices, perform analytics to identify critical dependencies and threats, and support ad hoc reporting.
 
4.1 EVALUATION OF CYBER/IoT VULNERABILITIES OF DOD CRITICAL INFRASTRUCTURE (ExCITe):
Control systems technology extends across a broad array of Air Force functions and facilities. Control systems enable both automation and information exchange. Ensuring organizational awareness and obtaining a comprehensive understanding of threats and risks to control systems is integral to ensuring Air Force mission success. In response to these needs, the Air Force seeks to establish a real-time situational awareness platform capable of determining a base’s overall cyber threat surface in terms of control systems technology. A key factor in determining the overall cyber threat surface is an accurate inventory of control systems devices connected through both internet protocol (IP), serial, and other connections.

Base control systems of interest include, but are not limited to, supervisory control and data acquisition (SCADA) systems, building automation, life safety, utility monitoring, and airfield control systems
.
 
Specific data acquisition capabilities of interest include:

Passive network packet capture and protocol decoding to support continuous monitoring
Selective active scanning for appropriate systems
Protocol inspection and analysis (e.g., BACNet, LonWorks, Modbus, ZigBee)
Analytics and data integration capabilities of interest include:

Ad hoc reporting, dashboarding, alerts (visualization and interaction)
Storage, indexing, processing (analysis and algorithms)
Determination of a  base’s overall risk / threat posture
Generation of alerts for events of interest
Existing Application Program Interfaces (APIs) to support enterprise integration
Additional consideration for: 

Comparing device configuration and software component versions with NIST and other vulnerability databases
Out of the box connectivity with data historians, vertical databases and management systems
Familiarity with USAF Civil Engineering functions
 
5.0 TECHNICAL CONSIDERATIONS:
There are several technical objectives that must be balanced to support the evaluation of cyber/IoT vulnerabilities of DOD critical infrastructure:

Technology stack must be applicable to numerous USAF bases
Significant variation in terms of geography and age for bases, buildings, and devices
Ability to test, validate, and verify solution on ranges
Classification concerns due to aggregation of data
The Air Force is currently not interested in service providers for this effort. The intent of this RFI is to explore potential platforms that address the stated capabilities above.
6.0 REQUEST FOR INFORMATION (RFI) ABSTRACTS
6.1 CONTENT
All abstracts shall state that they are submitted in response to this announcement.
RFI responses shall include the company name, address and the title, telephone number, mail and e-mail addresses of the point of contact having the authority and knowledge to discuss the RFI submission.
The Government is assessing the current state-of-the-art and future IoT analytics. The RFI responses should describe the product solution proposed, addressed coverage of the requirements stated in this RFI by the proposed solution, explain the potential advantage to the Air Force, and provide a rough order of magnitude for the cost of the proposed solution.
6.2 SPECIAL CONSIDERATIONS
Multiple abstracts within the purview of this RFI announcement may be submitted by each responder.
6.3 SUBMISSION
RFI abstract due date is 31 January 2020.
6.4 FORMAT
The abstracts will be formatted as follows:
Section A: Title, Technical Area, Period of Performance (if applicable), Estimated Cost, Name/Address of Company, Technical and Contracting Points of Contact (phone, fax, and email) (This section is Not included in the page count.)
Section B: Technical Summary.
The abstracts shall be limited to 8 pages. All abstracts shall be double spaced in no smaller than 12 font size. All submissions must be unclassified. All responses to this announcement must be addressed to the Technical POC listed in Section 7 of this announcement.
Respondents are required to submit at least one electronic copy to the Government technical point of contact (TPOC) in Microsoft Office Word. AFRL/RI is not responsible for undelivered emails. Please confirm receipt of all submission with the TPOC.
7.0 AGENCY CONTACTS
Verification of government receipt or questions of a technical nature can also be directed to the cognizant TPOCs.
Primary TPOC:
Philip Morrone
Telephone: 315-330-2237
Email: philip.morrone.6@us.af.mil

Secondary TPOC:
Alexander Aved
Telephone: 315-330-3957
Email: alexander.aved@us.af.mil

Questions of a contractual/business nature shall be directed to the cognizant Contracting Officer, as specified below:

Amber Buckley
Telephone: (315) 330-3605
Email: amber.buckley@us.af.mil

                                                  Amendment No. 1 to RFI-AFRL-RIK-20-01

The following changes are made:

Sections 3.0-3.2 reference a potential future Broad Agency Announcement (BAA). However, any possible future procurement on this topic would utilize a different procurement vehicle, not a BAA.
Section 3.2 and 6.3, the RFI abstract due date is extended to
14 FEB 2020.
Section 7.0, the phone number for Alexander Aved is updated to 315-330-4320.
                                                   No other changes are made.

Product Service Code:-
NAICS Code:- 541715 - Research and Development in the Physical, Engineering, and Life Sciences (except Nanotechnology and Biotechnology)
Primary point of contact:- Philip Morrone  
philip.morrone.6@us.af.mil  
Phone Number 315-330-2237
Secondary point of contact:- Amber Buckley  
amber.buckley@us.af.mil  
Phone Number 315-330-3605