
Unidirectional Network hardware for Transportation Security Equipment

ID: 70T03020I9GSTP001 • Type: Sources Sought • Match:  85%

Description

The Transportation Security Administration (TSA) is seeking potential sources to supply hardware in support of a unidirectional network for Transportation Security equipment (TSE). The prospective hardware would perform as a data diode for communications between TSE and the TSA Information Technology infrastructure. The potential hardware would be required to operate within the existing Security Technology Interface Protocol (STIP). Primary hardware suppliers, systems integrators and IT technology resellers may all respond to this "sources sought" market research notice.

Please note, this notice is not a solicitation, i.e. request for quotation, request for proposal or invitation for bid. Responses to this "sources sought" notice will be reviewed to gauge market interest, survey potential technology offerings, and develop a future acquisition strategy for a potential solicitation. Responses to this market research request will not be evaluated as part of any selection process. Responses to this market research request will not be eligible for reimbursement of any type to include business development or other preparation costs. Responses to this market research request should be considered by potential vendors as marketing information to be supplied to a prospective buyer. Respondents may provide their contact information and their marketing information to the Contracting Officer.

If the TSA elects to solicit for a future requirement, a notice will be posted at the applicable Government Point of Entry for the acquisition vehicle selected. The solicitation notice may or may not be posted at sam.gov / fbo. Respondents to this notice will not be guaranteed a direct notice of any future postings. Responses may be provided to the Contracting Officer via email using the contact information listed in this notice. Attachments provided in response to this source sought notice should be in .pdf format.

Potential sources for this prospective requirement would preferably have the following 4 major areas of functionality: a unidirectional network hardware solution, removable media scanning, a web proxy gateway and VPN tunneling.

TSE (STIP Client) Connectivity to Data Center-1 STIP Servers Requirements
Unidirectional network hardware solution:

1 Commercial Off the Shelf Product data diode hardware technology that allows for secure, one-way (or one-way in each direction) data transfer. Absolute network segmentation must be achieved. Malware and control system override protection must be provided.
2 Rack mountable (into a standard 19 inch rack)
3 Copper 10/100/1000BASE-T interfaces (Ethernet ports)
4 Up to GigE (1000 Mbps) throughput
5 Configurable Bi-directional diode data flow control
6 Network Protocols supported: UDP, TCP, SNMP, SMTP, FTP over IPv4
7 Secure one-way transfer of screen content from the dark side pushed through to visible side to enable operators and administrators in different networks.
8 Centralized monitoring and management configurable to enable and disable the hardware product. Monitoring capabilities must provide performance and operating information i.e. log files, alarms, etc. from both the send and receive sides of the data diode(s).
9 Software layer device management. The software layer device management will enforce security and provide network and control data flow interactions.
10 The solution uses a secure operating system meeting either NSA, DISA STIG or equivalent cybersecurity hardening and protections.
11 Provide a Secure Hypertext Transfer Protocol (HTTPS) software interface for the solution that proxies HTTP and HTTPS requests for secure transfer.
12 Break and Inspect HTTPS to allow for examination of the data packets and still allow end to end HTTPS Send to Receive TCP/IP communications.
13 Provides a secure, automated method for the collection of performance data from the data diode(s). The performance information generated by any data diode products is captured from both the Send and Receive sides and is transmitted to a remote server for use with a monitoring and management tool like CDM Dashboards, Splunk, or other third party tools like SolarWinds or HP's Openview.
14 Allows real-time data to be collected from industrial controls and TSA TSE systems within an identified location and securely transfer it across the data diode to a different identified location using an IPv4 based network.
15 Provides real-time data, monitoring of alarms and events, and historical data which can be accessed using the Open Platform Communications (OPC) standard interface. The prospective hardware solution then transfers the data across the network security boundary to business users on the IT networks.
16 Network protocol application designed as a secure file transfer application. The application would provide encryption and scanning of transferred data.
17 Supports IEC 60870-5-104 (IEC 104) many-to-one remote monitoring communication industrial protocol.
18 Support Distributed Network Protocol 3 (DNP3) many-to-one remote monitoring communication industrial protocol.
19 Provide ability to combine pre and post processing into the same rack mounted solution. Provide the capability to break and inspect HTTPS traffic. Must be able to establish HTTPS sessions on both the send and receive sides of the hardware solution. Checksum data confirmation in HTTPS JSON packet format or equivalent. Potential solution must not interfere with the configurations of TSA TSE STIP server and client applications.
20 Local Admin control with VGA monitor and USB keyboard and mouse.
Removable Media Scanning
1 Integrated hardware/software package that inspects and cleans files on portable media of malware and other malicious content.
2 Available in desktop and/or laptop-based kiosk form factors
3 Supported Media Types:
USB Flash Drives
CD/DVD
SD Cards
Portable Hard Drives & SSDs
Encrypted USB Flash Drives
Compact Flash
Floppy Disk
4 Content Support:
Microsoft Office 2007-2016 (Word, Excel, PowerPoint)
Adobe PDF Files (PDF)
Image Files (GIF, PNG, JPEG, BMP, TIFF, WMF, EMF)
Archive and Compressed Files (ZIP, GZIP, BZIP, TAR)
XML Files (Schema validation)
5 Utilize multiple antivirus scanners to detect known malware
6 Transfers files that pass sanitization to securely erased destination media
7 Detects and warns the user of unusual behavior by portable device firmware
8 Hardened out-of-the-box against attacks from media-borne malware and does not require additional hardening by the customer to meet NEI or government requirements.
9 Preference to include:
Meets Department of Defense's JTF-GNO CTO-10-004A requirements for Removable Flash Media Device Implementation
Adheres to Nuclear Energy Institute (NEI) 08-09 guidance for secure data transfer using portable media
10 Provide coverage for:
ZERO DAY THREATS
DEVICE
MALWARE
STEGANOGRAPHY
BLACKLIST TERMS
UNKNOWN FILE TYPES
METADATA
EMBEDDED OBJECTS
UNRECOGNIZED DATA
MACROS
OBFUSCATED TEXT
Web Proxy Gateway
1 Must be fully functional on-Prem with no Internet access on a private network
2 Copper 10/100/1000BASE-T interfaces (Ethernet ports)
3 Hardware device sending all web traffic to the Web Proxy, which is sitting between TSE Endpoints and/or STIP Server
4 Provide capability to allow administrators to define protection policies once and distribute them to all web traffic that is forwarded from their configured devices, for connecting locally via the LAN or connecting directly from afar at the data center.
5 Provide visibility into web traffic behaviors as well as deep insights into malicious web activity.
6 Provide a web proxy: the gateway terminates and proxies internal IP web traffic and passes that traffic through security checks including URL filtering, sandboxing, data loss prevention and anti-virus scanning.
7 Provide access to detailed and granular logs of user web transaction and email activity so you can take steps to mitigate vulnerabilities.
8 Provide easily readable information, analyze, and share raw data through visual charts, CSV format exports, and seamless integration with existing solutions.
9 Include predefined, commonly used queries, in addition to the ability to customize queries.
10 Must sanitize HTTP and HTTPS traffic and remove hidden links and malicious code.
Layer Two Over Layer Three AES Encrypted VPN Tunneling
1 Provide Hardware AES VPN with AES encrypted Layer Two over Layer Three tunneling
2 Provide bridging technology to route tunneled traffic between devices
3 Provide configure and forget technology
4 Use Block Chain for hands free Key Management
5 Allow configuration to provide a one to one, one to many and many to many tunneling configuration over any IPv4 network
6 Copper 10/100/1000BASE-T interfaces (Ethernet ports)
7 Use Secure Operating System that is hardened out of the box

Overview

Response Deadline
April 21, 2020, 4:00 p.m. EDT (original: April 10, 2020, 4:00 p.m. EDT) Past Due
Posted
March 27, 2020, 12:17 p.m. EDT (updated: April 9, 2020, 1:14 p.m. EDT)
Set Aside
None
Place of Performance
Arlington, VA 22202 United States
Current SBA Size Standard
$34 Million
Pricing
Likely Fixed Price
Est. Level of Competition
Low
Odds of Award
15%
Signs of Shaping
63% of similar contracts within the Transportation Security Administration had a set-aside.
On 3/27/20 Transportation Security Administration issued Sources Sought 70T03020I9GSTP001 for Unidirectional Network hardware for Transportation Security Equipment due 4/21/20. The opportunity was issued full & open with NAICS 541519 and PSC 7025.
Primary Contact
Name
Matthew Ashurst
Phone
(571) 227-5376

Secondary Contact

Name
John Samios
Phone
(571) 227-2428

Additional Details

Source Agency Hierarchy
HOMELAND SECURITY, DEPARTMENT OF > TRANSPORTATION SECURITY ADMINISTRATION > ENTERPRISE INFORMATION TECHNOLOGY
FPDS Organization Code
7013-70T030
Source Organization Code
500000090
Last Updated
May 6, 2020
Last Updated By
PI33_DR_IAE_51681
Archive Date
May 6, 2020