Accessibility Information

Users of assistive technologies such as screen readers should use the following link to activate Accessibility Mode before continuing: Learn more and Activate accessibility mode.


Solicitation Number: RFI418
Agency: Defense Information Systems Agency
Office: Procurement Directorate
Location: DITCO-Scott
  • Print
Sources Sought
Added: June 1, 2006


This document is a Request for Information (RFI) for an Insider Threat user-focused observation tool that could be deployed on selected host-machines across the DoD. Traditional efforts to secure Department of Defense (DoD) networks have been focused on placing defenses at the network boundary with less emphasis on end-point or host-based security. While such defenses as network firewalls and network intrusion detection systems (NIDS) have proven effective at countering identifiable threats originating from outside the network boundary, there is an equally damaging threat posed by those who have access to information systems and networks and operate from within. The activity of the ‘insiders’ would not normally be detected by the security measures in place. The Insider Threat Focused Observation Tool solution will provide the functional capabilities for more insider aggressive data gathering and analysis technology not normally a part of network management or security.

For the purposes of this RFI, an ‘insider’ is defined as anyone who uses authorized credentials to access a DoD computer and/or network; regardless of whether or not those credentials were acquired through legal channels.

The types of insider activities include: exceeding permissions, conducting malicious activities, providing unapproved access, circumventing security controls, unintentionally damaging resources, and accessing or removing data without authorization or in an inappropriate manner (also referred to as exfiltration).

Under the Insider Threat Focused Observation Tool, solution security products are selectively installed directly on network end-points. In general, this means installing agent-based tools on targeted host machines (e.g., workstations, laptops, servers). In order to be effective across enterprise networks, host-based capabilities must be centrally managed to support installation, monitoring, updating, and configuration. For this RFI, the following descriptions will be used:

Central Manager: The portion of the solution that provides the central management functionality is called the central manager. The central manager provides centralized installation, management, monitoring, and configuration of the host agent. This central manager will reside within the local enclave.

Host Agent: Those tools (or portions of tools), which actually perform the tasks associated with gathering user and system information on host machines. The local host capability to communicate with the central manager referred as the host-based agent or just agent. The capabilities could be provided by either a single agent with multiple modules, the use of multiple agents/modules, or a combination of the two.


The Defense Information Systems Agency (DISA), in support of the Computer Network Defense (CND) mission assigned to the United States Strategic Command (USSTRATCOM), is seeking information from industry, academia, and government that will assist in the acquisition of Insider Threat focused observation capabilities to enhance the CND posture of the DoD computer network systems.


This section describes the desired capabilities for the Insider Threat Focused Observation Tool. A solution with multiple products under a single manager is acceptable for the purpose of this RFI. Individual products with a subset of these capabilities are also of interest, and vendors and/or government organizations with these solutions are encouraged to respond to this RFI.

The tool will operate in a controlled environment with access restrictions applied to the data gathered, the tools operation, and the tool’s software elements. Some of the features include the ability to ensure Confidentiality and Integrity of the software elements through self-protection mechanisms and access controls to limit the users to an identifiable select group. Additionally, the tool will protect the gathered information from unauthorized access and control its availability to select groups. All communications will be encrypted.

The tool needs to be scalable to the target community with an expected maximum of deployment, management, and information gathering capability of 250 simultaneous hosts from a single manager.

The collected data includes host, and user information. The information includes descriptive data such as: local/network account users and groups; operating systems; time reference; user ID; and the specific type of activity and the users actions during the monitored period.

The tool will provide for self-preservation to include a capability to self-report, to self or operator restart/reinstall for all portions of the system.

The tool will create, maintain, and archive customizable audit logs for all activities to include user, network, system, and tool actions. Typical collected data includes elements such as: user ID, type of activity, timestamp, unique device ID, process ID, thread ID, and workstation ID.

The tool will provide for customizable alarm generation and notification to the operator.

The user analysis is expected to be based on configurable thresholds, indicators, and pre-defined templates of user-based anomalies and create subject behavior profiles using defined behavior patterns.

The tool will provide for host machine screen captures and replay those screen captures in a video or movie format.

For follow-on investigation purposes the tool needs the capability to capture, via industry approved methods, forensic data.

The Console Requirements apply to the collector, correlator, and analysis engine or machine used to convert the collected user data into actionable information on specific user activities.

The Console is the central display and interaction point for the gathered data. The Console requires an operator-friendly display method that facilitates the decision process, provides real-time actionable information, alerts on behavior activities, and controls the interaction (refresh rate, bandwidth, etc…) between all components.

During information gathering the Console is required to gather, display, and alert the operator based on parameters and templates that consist of both pre-defined and operator-configured actions.

The console will correlate and normalize the gathered data allowing attribution of activities to specific users.

The console will make available operator configured, filtered, decision information for electronic interaction (i.e. data mining and keyword searches), electronic exchange (import/export) through industry standards (CSV, OBDC, XML, etc…), as well as through customized and template reports and alerts.

The solution requirements section applies to the mechanism used to gather the system, network, and user data. There are three requirements categories used to describe the solution: General; Host; and Device Monitoring.

The General Requirements describe the desired information and operation characteristics of the environment.

The solution will need to be capable of supporting a large number of operating systems employed by DoD. Among the systems are: Windows 2000, Windows XP, Windows 2003, Windows NT4 (SP6a), SOLARIS, HP-UX, Linux, and other UNIX variants.

The solution must be compatible with and not interfere with other approved CND tools (i.e. Anti-Virus, Anti-Spyware, and Host-Based Security System (HBSS)).

The solution will identify and associate the data with the user account information.

The operational characteristics of the solution include the ability to install and operate without the user's knowledge or being flagged by existing host-based CND tools (i.e. Anti-Virus, Anti-Spyware, and Host-Based Security System (HBSS)). At a minimum, it must “hide” indications of its presence from the user.

The solution’s operational impact to the users system, in terms of input-output performance, system usability, and functionality, must be negligible.

Information and data must be protected and preserved using industry standard and business best practices to ensure the security and traceability of the user's actions.

The Host Monitoring capability describes some of the specific activities and data requirements for the DoD environment.

The host sensor monitors and reports all available system data on software and hardware activities associated with system configuration changes, installation, modification, and removal.

The host sensor gathers user account data that identifies and tracks specific user's actions. The type of data includes local user account modification information, user name, and the user's activities.

The host sensor captures and reports on the underlying Operating System actions associated with inherent features such as cut/copy and paste, drag-and-drop, and Command Line sessions

For all web and Internet connections, the sensor gathers data, and is capable of replaying the activities, for potential misuse through mobile code, such as Java and ActiveX and web browser window actions. The collected data will be sufficient to rebuild the session to include the associated URL of any visited web page(s).

The host sensor is required to analyze encrypted sessions before encryption or after decryption.

The host sensor needs to distinguish and capture traffic associated with numerous data on services, ports, and protocol use. Some examples are Voice-Over-IP, TLS, SSL, Rlogin, Xwindows, NNTP exchanges, SNMP exchanges, DNS exchanges, RPC Peer-To-Peer, IMAP, POP, SMTP exchanges, IRC sessions, Instant Messaging, Telnet and FTP.

The Device Monitoring capability refers to capturing specific hardware information and activities typically generated through user interaction with the host.

The solution needs to capture the use of removable, writeable media, regardless of the Operating System format. Additionally that information will be transferred to a repository (log) and contain specific information associating the media with the information placed on or removed from that media.

The solution needs to capture the transmission of files and messages through network connections. The network connections, at a minimum, include dial-up modems, Ethernet, and wireless.

For any file operation the solution will record associated file attributes and user actions.

The solution needs to capture the use of detachable devices such as, fire-wire (IEEE 1394) devices (e.g. PDA, printers, etc.), infrared devices, EVDO, WiFI, Bluetooth, parallel port devices, serial port devices, and USB media and devices (e.g. thumb drives, PDA, digital camera, MP3 players).

The solutions monitor and capture actions associated with the use of input/output devices commonly attached to hosts (i.e. keyboard strokes and mouse movements).

The solution will be able to monitor printer activity to include such information as Printer Name, Job ID, printer location, printed document name, source machine information and printed data information, such as text and graphics.


This outline is intended to minimize the effort of the respondent and structure the responses for ease of analysis by the government. Respondents are free to develop their response accordingly, but should answer the fundamental questions provided.

Section 1 - Product (5-7 pages):

Describe a working product as a possible solution to the Insider Threat Focused Observation Tool requirement. Discuss the product and its capability to currently meet one or more of the requirements. Please discuss working or developmental functionality. (This should be five to seven pages, including description and diagrams.)

Please address the following issues:

Specify if the product solution comprises hardware (e.g., an appliance), software, or both. Include minimum and optimum hardware requirements, descriptions of any fail-over capabilities, and database requirements.

Describe the type of functions performed by the product solution.

List the OSs the product(s) supports to include patch and service pack levels.

Describe how the central manager will manage the host-based capabilities.

Describe the recommended deployment architecture and strategy to include installation and maintenance.

Describe the scalability of the product(s) in terms of the number of hosts each central manager can support.

Describe any testing that has been or will be conducted for compliance, such as the Common Criteria for Information Technology (IT) Security Evaluation and/or the Cryptographic Module Validation Program (CMVP) described in the National Institute of Standards and Technology (NIST) Federal Information Processing Standard (FIPS) 140-2.

Provide descriptions and certification of software security assurance practices used.

Provide information on existing and planned IPv6 compatibility.

Section 2 - Feasibility Assessment (2 pages):

Describe the feasibility of deploying the solution described in Section 1 on a minimum of 250 simultaneous host machines per single central manager. Include data on the amount of network traffic generated between agent and central manager.

Describe the estimated amount of manpower required to manage the solution.

Section 3 - Cost and Schedule Estimates (2-3 pages):

Provide a cost estimate in describing licensing agreement, support, and maintenance for non-recurring and annual recurring costs.

Section 4 - Corporate Experience:

Briefly describe your company, your products and services, history, ownership, financial information, and other information you deem relevant.

Describe any projects you have been involved in that are similar in concept to what is described in this RFI, including management and operations approach, requirements, processes, and any relevant lessons learned (1-2 pages per project). List government and commercial clients. If for any reason clients cannot be discussed, describe the number of seats deployed for each client.

Section 5 - Additional Materials:

Provide any other materials, suggestions, and discussion you deem appropriate.

DISCLAIMER: THIS RFI IS NOT A REQUEST FOR PROPOSAL (RFP) AND IS NOT TO BE CONSTRUED AS A COMMITMENT BY THE GOVERNMENT TO ISSUE A SOLICIATION OR ULTIMATELY AWARD A CONTRACT. RESPONSES WILL NOT BE CONSIDERED AS PROPOSALS NOR WILL ANY AWARD BE MADE AS A RESULT OF THIS SYNOPSIS. All information contained in the RFI is preliminary as well as subject to modification and is in no way binding on the Government. FAR clause 52.215-3, Request for Information or Solicitation for Planning Purposes is incorporated by reference into this RFI. The government does not intend to pay for information received in response to this RFI. Responders to this invitation are solely responsible for all expenses associated with responding to this RFI. This RFI will be the basis for collecting information on products available. This RFI is issued solely for information and planning purposes only and does not constitute a solicitation. All information received in this RFI that is marked “proprietary” will be handled accordingly. Responses to the RFI will not be returned nor will receipt be confirmed. In accordance with FAR 15.201(e), responses to this RFI are not offers and cannot be accepted by the Government to form a binding contract. Again, responders are solely responsible for all expenses associated with responding to this RFI.


How to submit: Submission by email; email should be time stamped no later than the due date. Email should not exceed 5 Megabytes (MB). Email to and

Due Date: 5 July 2006 5:00PM Eastern Daylight Time (EDT).


The two Point of Contacts (POCs) for questions on this RFI are:

Mr. John Scimone

Asst. Acquisition Manager

(703) 882-1782

Mr. Dan Commons

Acquisition Manager

(703) 882-1869

Defense Information Systems Agency, Procurement and Logistics, DITCO-Scott, 2300 East Dr. Building 3600, Scott AFB, IL, 62225-5406
Anne Keller, Contract Specialist, Phone 618-229-9504, Fax 618-229-9440, Email - Anne Keller, Contract Specialist, Phone 618-229-9504, Fax 618-229-9440, Email