SYNOPSIS: This Sources Sought Announcement is to assist the US Army DEVCOM Soldier Center to identify potential sources to provide Software Development for Fog Tester Instrument Image Analysis software.
The Government requests that responses be submitted electronically to mary.k.prebensen.civ@army.mil and David.p.ziegler.civ@army.mil by July 13, 2026 by 5pm EST.
Background: The Government (DEVCOM Soldier Center) is in need of Fog Tester Instrument Image Analysis Software development to integrate with the existing Fog Tester Instrument control and data acquisition software. The Soldier Center designed 4th Generation Fog Tester currently utilizes a LabVIEW program, named FogTester, running on a Microsoft Windows computer to operate a custom control board that provides 120VAC electrical outlet relay switching, temperature and humidity input and recording, light(s), dual camera video input, and heating circuit temperature control of the video cameras lenses. A separate LabVIEW application, named BarTarget, is then used post-test to analyze the acquired video stills to generate a contrast ratio value of selected regions of interest. The contrast ratio values are then manually plotted by the user in Microsoft Excel and compared to known Haze Standard values.
Description:
The improved BarTarget application should be designed to analyze the post-test acquired video images from both cameras and generate the contrast ratio value per selected region of interest and plot the contrast ratio over the duration time of the test and output a result per designated pass/fail criteria based upon the haze calibration measurements. Additional functions should include Haze Standard calibration image acquisition and the ability to zero the contrast ratio, so each test article is acquired at the same starting point, this will require the application to interact with the FogTester application.
Requirements: The Contractor shall provide services for software development of an improved Fog Tester data analysis application.
a. General Requirements. The contractor's primary focus shall be to:
(1) Develop post-test image analysis sub-program for use with Soldier Center-developed Fog Tester instrument control and data acquisition software. This sub-program will replace the current BarTarget program, and the data plotting performed in Microsoft Excel by the user.
(2) Deliver a sub-program which shall also be able to process calibration tests, analyze the data and deliver a calibrations file for input to the pass/fail criteria.
b. Specific Requirements: The contractor shall:
(1) Develop software code to operate on a Microsoft Windows 11 operating system for image analysis software application that will interact with the FogTester software application in in a local host environment (no internet connection required), have users input test condition parameters (file save location, test duration, camera configuration), perform the test, analyze the data, and compute and output the results per designated pass/fail criteria. Saved output graph and data shall be compatible with Microsoft Word and Excel programs for user reporting purposes.
(2) The software shall be written/developed using any of the following programming languages: LabVIEW, .NET (C#, Visual Basic), Python. Other programming languages may be considered but require approval by the Contracting Officer Representative (COR) and/or Contracting Officer Technical Representative (COTR) before use.
(3) The software shall communicate with the FogTester software via a TCP port.
c. Software Assurance (SwA) Requirements
2.c. Software Assurance. The software developed under this effort is categorized as Non-Critical, Untethered, Government-purpose developed software intended for installation on a standalone (disconnected) laboratory information system with no internet connectivity. The Contractor shall implement Software Assurance to the maximum extent practicable in accordance with AR 25-2, the HQDA DCS G-6 Software Assurance Implementation Planning Guidance (IPG), DA PAM 25-2-5, and DoDI 8510.01 RMF / NIST SP 800-53 Control SA-11. [Ref: SwA IPG 1.3; DA PAM 25-2-5 Ch.3; DoD SwA Contract Language 2.2] [1][2][3]
2.c.(1) Secure Coding Practices. The Contractor shall enforce secure coding practices throughout the Software Development Lifecycle, including input validation of all data received from the FogTester application and TCP interface, adherence to the principle of least privilege, and elimination of compiler warnings at the highest available warning level. The Contractor shall apply these practices to all custom-developed code and any reused, open-source, or generated code. [Ref: DA PAM 25-2-5 4-1b and 4-3a; DoD SwA Contract Language Notional SOO] [2][3]
2.c.(2) Static Application Security Testing (SAST). The Contractor shall perform Static Application Security Testing (Static Code Analysis) on the complete source code (LabVIEW, .NET/C#/VB, and/or Python as applicable) using at least one automated SAST tool providing coverage for the language(s) employed, with a target of no less than 80% code coverage. SAST satisfies RMF Control SA-11(1) and is the minimum required SwA activity at the Army Readiness Level. Findings shall be reported using Common Weakness Enumeration (CWE) identifiers. [Ref: SwA IPG Annex A 1.3, Annex B 2.1; SA-11(1); DoD SwA Contract Language SA-11(1)] [1][3]
2.c.(3) Software Composition Analysis (SCA) and Software Bill of Materials (SBOM). The Contractor shall perform Software Composition Analysis on all third-party libraries, frameworks, and code dependencies to identify known vulnerabilities and out-of-date components, satisfying RMF Control SI-2. The Contractor shall deliver a Software Bill of Materials (SBOM) in CycloneDX or SPDX format describing the provenance and pedigree of all delivered software, including all open-source and third-party components, as required by Executive Order 14028 and the ASA(ALT) SBOM Playbook. Known vulnerabilities shall be reported using Common Vulnerabilities and Exposures (CVE) identifiers, and the Contractor shall confirm that delivered component versions contain no publicly known unmitigated vulnerabilities. [Ref: SwA IPG Annex B 2.5, EO 14028; DoD SwA Contract Language 2.2 / 2.2.1] [1][3]
2.c.(4) Application Security and Development (ASD) STIG. The Contractor shall assess the software against the current DISA Application Security and Development (ASD) STIG and deliver a completed STIG Checklist. The Contractor shall incorporate applicable ASD STIG requirements into the software design and implementation. [Ref: SwA IPG Annex B 2.6; DoD SwA Contract Language SA-4] [1][3]
2.c.(5) Flaw Remediation. The Contractor shall implement a flaw remediation process to identify, track, and remediate all software weaknesses and vulnerabilities based on risk severity (Critical, High, Medium, Low), satisfying RMF Control SI-2. All findings shall be consolidated into a single Plan of Action and Milestones (POA&M). The Contractor shall correct all Critical and High severity findings prior to final delivery, or otherwise document and obtain Government acceptance of any residual risk. [Ref: SwA IPG Annex B 3.1; DA PAM 25-2-5 3-2; SI-2; DoD SwA Contract Language SI-2] [1][2][3]
2.c.(6) Software Confidence Baseline. The Contractor shall provide the artifacts necessary for the Government to establish the Software Confidence Baseline, consisting at a minimum of: (a) SAST results [SA-11(1)], (b) SCA results, (c) the SBOM, and (d) the ASD STIG Checklist. Because the system is disconnected/standalone and non-critical, the baseline shall be reviewed at a minimum annually, and immediately upon any significant change or upon discovery/announcement of a relevant cyber vulnerability. [Ref: SwA IPG Annex A 1.3 and Table 2 "Non-Critical Untethered Software: Annually" / disconnected] [1]
2.c.(7) Government Data Rights for SwA Validation. Consistent with the source code deliverable required in Section 9, the Contractor shall grant the Government Government Purpose Rights to all delivered non-commercial source code and provide all source code, incorporated code, dependencies, and build/make instructions necessary for the Government to independently rebuild and assess the software. [Ref: SwA IPG 2.1.1 and Annex D 3; DoD SwA Contract Language SA-4(2)] [1][3]
2.c.(8) Software Assurance Plan (SwA Plan). The Contractor shall develop and deliver a Software Assurance Plan within thirty (30) calendar days after contract award, and shall update it at each major review. The SwA Plan shall be delivered as a tailored section of the Software Development Plan (DI-IPSC-81427) or as a standalone Plan (DI-MGMT-81024). Government approval of the SwA Plan is a prerequisite (entry criterion) to the mid-point technical review. [Ref: DoD SwA Contract Language 2.3.1; SwA IPG Annex A] [1][3]
Period of Performance: The estimated period of performance is up to 1 year from the contract award.
Government Furnished Property (Equipment/Materials/Information/Computer Utilization): The Government shall provide the Fog Tester operation flow-chart diagram, example test and calibration data, and access to currently operated LabVIEW software or a Python simulation of the interface, as the LabVIEW software requires hardware to run. Upon request, the Government may also provide loan of a Fog Tester system to be returned to Soldier Center once the contract is completed.
Interested parties are invited to submit a response to this Sources Sought Announcement. THIS IS A SOURCES SOUGHT ANNOUNCEMENT ONLY
This Sources Sought Announcement is issued solely for information and planning purposes and to identify interested sources. THIS IS NOT A SOLICITATION. No contract will be awarded from this announcement. This Sources Sought does not constitute a Request for Proposal (RFP) or a promise to issue an RFP in the future. It is subject to change and is not binding on the Government. Further, unsolicited proposals will not be accepted. Funding is not available at this time. The United States Army has not made a commitment to procure any of the items/services discussed, and release of this Sources Sought Announcement should not be construed as such a commitment or as authorization to incur cost for which reimbursement would be required or sought. Response to this Sources Sought Announcement is voluntary and no reimbursement will be made for any costs associated with providing information in response to this and any follow-on information requests. All submissions become Government property and will not be returned.
Not responding to this Sources Sought Announcement does not preclude participation in any future RFP if any is issued. If a solicitation is released, it will be synopsized in the SAM.gov website. It is the responsibility of the potential responders to monitor this site for additional information pertaining to this subject.
RESPONSES:
Interested parties may identify their interest and capability by sending responses regarding this requirement to DEVCOM Soldier Center via e-mail ONLY to mary.k.prebensen.civ@army.mil and David.p.ziegler.civ@army.mil no later than July 13, 2026 by 5:00 p.m. EST. The U.S. Government will not pay for any information or administrative cost incurred in response to this Notice. All costs associated with responding to this Notice will be solely at the expense of the interested party.
Please provide business size (indicate your socioeconomic status), applicable NAICS code, and CAGE code. If you hold a GSA Federal Supply Schedule contract, please identify your contract number.
The Offeror shall submit a Software Assurance Technical Approach not to exceed eight (8) pages, addressing how it will satisfy the SwA requirements of SOW paragraph 2.c for software deployed to a disconnected standalone laboratory information system. At a minimum, the Offeror shall:
1. Describe its secure coding practices for the proposed language(s) (LabVIEW, .NET, and/or Python), including input validation of FogTester/TCP-sourced data. [SOW 2.c.(1)]
2. Identify the SAST tool(s) to be used, demonstrate language coverage, and state the achievable code-coverage percentage and CWE-based reporting method. [SOW 2.c.(2)]
3. Identify the SCA tool and SBOM format (CycloneDX/SPDX), and describe how known-vulnerable/out-of-date components will be identified and reported via CVE. [SOW 2.c.(3)]
4. Describe its approach to the ASD STIG assessment and checklist delivery. [SOW 2.c.(4)]
5. Describe its flaw remediation/POA&M process and severity-based remediation thresholds. [SOW 2.c.(5)]
6. Identify the SwA artifacts it will deliver to establish the Software Confidence Baseline and confirm acceptance of the annual review cadence for disconnected systems. [SOW 2.c.(6)]
7. Confirm provision of source code, dependencies, and build instructions sufficient for Government independent rebuild/assessment. [SOW 2.c.(7)]
QUESTIONS:
Any questions for clarification may be emailed to mary.k.prebensen.civ@army.mil and David.p.ziegler.civ@army.mil no later than July 9, 2026 by 5:00 p.m. EST. Verbal questions will NOT be accepted. Questions shall NOT contain proprietary or classified information. An unattributed list of questions and answers will be published at the same web location of this Sources Sought Announcement.
