Accessibility Information

Users of assistive technologies such as screen readers should use the following link to activate Accessibility Mode before continuing: Learn more and Activate accessibility mode.

Insider Threat Software

Solicitation Number: HSTS03-12-SSN-CIO571
Agency: Department of Homeland Security
Office: Transportation Security Administration
Location: Headquarters TSA
  • Print
Sources Sought
Added: Jun 20, 2012 3:28 pm

 Product, Service or Outcome Needed:
Focused Operations (FO) is in need of a tool to help detect an insider threat. The focus is to monitor at the host level. FO has determined that the best method to monitor and detect insider threats is at the user host level.

 Scope of the Product, Service, or Outcome:
The scope of this procurement is an enterprise insider threat software package. In order to detect an insider threat, technology is required to monitor and obtain visibility into users' actions. TSA Focused Operations requires a tool that can monitor user activities at the user host level.

Capability Requirements

FO is seeking a technology that will focus at the user host level. The following is a list of requirements that the technology must perform:

  1. Ability to monitor user activities through

    1. Keystroke monitoring/logging

    2. Chat monitoring/logging

    3. Email monitoring/logging

    4. Attachment monitoring/logging

    5. Website monitoring/logging

    6. Network activity monitoring/logging

    7. Files transferred monitoring/logging

    8. Document tracking monitoring/logging

    9. Screenshot capture

    10. Program activity monitoring/logging

  2. All activities that are being monitored/logged must call back to a central enterprise command infrastructure and transfer its collected data

    1. If a host is connected to the TSA network, it will communicate with the central command

    2. If a host is not connected to the TSA network, it will continue collecting on the host. Once it connects back to the TSA network, it will then transfer its collected data automatically

  3. The end user must not have the ability to detect this technology.

  4. The end user must not have the ability to kill the process or service.

  5. All communications to and from the host and the central command must be encrypted with FIPS approved algorithms.

  6. Ability to alert based on specific criteria such as a name and/or combination of names

  7. Ability to mine through all the collected data using built-in or third party tools

  8. The configurations must be customizable to eliminate operational impact to the end user

  9. Ability to monitor Windows based systems.

  10. Potentially have the ability to monitor MacOSX

  11. The technology must be able to comply with FISMA requirements.

  12. Ability to transfer licenses from one host to another. Due to the limited budget surrounding this initiative, the technology must be able to automatically transfer licenses from one host to another.

 Additionally, the offeror must provide formal training of their proposed technology.

All interested vendors may submit the capability statement to the TSA Office of Acquisition (OA).  Submissions shall not exceed ten (10) pages in length.   A proposed price is not required or requested under this Sources Sought Notice. Vendors must identify their business size status in the capability statement.  If small business, please identify the type of small business.  Capability statements are required to be received electronically via email to Subject:  EAS Refresh Sources Sought Notice, no later than Friday, June 29, 2012, 2:00 p.m. EST. Responses received after this deadline will not be reviewed.

 TSA's primary point of contact is the Contract Specialist, Mr. Anthony Dennis, who can be reached via e-mail at  Any questions regarding this notice shall be directed to both Mr. Dennis  in writing, via email by Tuesday, June 26, 2012, 4:00pm EST.  While any and all questions must be directed to the Government points of contact identified in this announcement, answers to those questions, as well as any and all clarifications, extensions, or changes will be posted to and will only be available at prior to the closing date and time of the this notice.

Vendors responding to this Sources Sought Notice are responsible for all expenses associated with responding to this Sources Sought Notice. (Note: TSA will not pay any costs associated with this effort).

 The TSA is not seeking or accepting unsolicited proposals.  Since this is for information and planning purposes, no evaluation letters or results will be issued to respondents. 

601 S. 12th Street
TSA-25, 10th Floor
Arlington, Virginia 20598
United States
Anthony L Dennis
Phone: 571-227-2627
Kristin S Fuller
Phone: 571-227-2740