Accessibility Information

Users of assistive technologies such as screen readers should use the following link to activate Accessibility Mode before continuing: Learn more and Activate accessibility mode.

NB773030-12-03877 Android Security Testing

Solicitation Number: NB773030-12-03877
Agency: Department of Commerce
Office: National Institute of Standards and Technology (NIST)
Location: Acquisition Management Division
  • Print


There have been modifications to this notice. You are currently viewing the original synopsis. To view the most recent modification/amendment, click here
Combined Synopsis/Solicitation
Added: Aug 16, 2012 9:20 am

This solicitation is a Request for Quotation (RFQ). The solicitation document and incorporated provisions and clauses are those in effect through Federal Acquisition Regulation (FAR), Federal Acquisition Circular 2005-59

The associated North American Industrial Classification System (NAICS) code for this procurement is 541511 with a small business size standard of $25M.

This acquisition is being procured as a Service-Disabled, Veteran -Owned Small Business set-aside.

The DARPA Transformative Apps program is a research program that strives to place the right mobile software applications ("apps") into the hands of warfighters as the apps are needed. As a result of this program, a diverse array of apps of national security relevance will be realized using an innovative new development and acquisition process. A military apps marketplace will be created to enable rapid innovation to meet user needs based on a direct collaboration between a vibrant and highly competitive development community and involved communities of end¬ users. The program will address all the challenges -technical, business, and operational -faced to make the new capabilities available for use in the field. The end objective is to transition the resulting systems to the end users in the Services, and to foster a new model for rapidly and effectively acquiring, introducing, maintaining, and enhancing software. In order to achieve these goals, the Transformative Apps program requires support from NIST's Computer Security Division to provide software assurance for TIGR and Tactical Application Software and perform a Security Requirements and Architecture Review. DARPA has funded NIST to develop new testing tools and methodologies that are not presently available in the commercial market. NIST is seeking the support of technical staff with demonstrated experience in developing software testing tools for the Android platform.

Contractor Requirements

The contractor will develop software testing tools that will be able to scan, annotate, modify, and instrument Android mobile application software. The code instrumentation that is necessary will expose potential security vulnerabilities through fault injection (testing) and enforce pre-specified access policies by code-rewriting of the binary itself or of the Dalvik APIs that the application is trying to invoke. The software testing tools will be used to test for and evaluate security vulnerabilities in mobile application software.

The proposed software testing tools shall be developed for Android mobile application software. The software testing tool must operate on source code and Android Java Byte Code.

The contractor shall have demonstrated experience developing security testing software for Android mobile devices. The contractor must have demonstrated experience in operating system/kernel development, fluency in C/C++ programming languages, cryptography, malware, and embedded systems.

The Contractor shall deliver to NIST:

(a) a software tool, and (b) documentation including installation instructions and operations manual for the tool. The tool should have the capability to scan, annotate, modify, and instrument Android mobile application software. The code instrumentation that is necessary will expose potential security vulnerabilities through fault injection (testing) and enforce pre-specified access policies by code-rewriting of the binary itself or of the Dalvik APIs that the application is trying to invoke. The project requires proven experience in large scale application testing and in-depth knowledge of both the Google Android Dalvik Engine and the Android Linux Kernel.

The vendor's tool should be able to:

1) Operate on both source code and Android Java byte code (Android Binaries).

2) Be capable of analyzing any third-party libraries invoked by the instrumented Android program.
3) Perform the scanning without altering or adversely affecting the functionality of the Android application beyond the requested security modifications as specified by the security posture.
4) Be implemented in thousands of Lines of Code (LoC)

Task 1. Develop software to scan, annotate, modify, and instrument Android mobile application software.
Task 2. Develop test cases to exercise the software tool and demonstrate that it can detect, log, and report software vulnerabilities.
Task 3. Develop reporting tool that will help software analyst identify and remediate software vulnerabilities detected by the tool.
Task 4. Develop documentation to support the code maintenance and code use.

Period of Performance

12 month after award

Place of Performance

The majority of the work will be performed at the contractor's facilities with occasional meeting at the NIST Gaithersburg campus.


Prospective Contractors must submit the following via electronic quotation to Willie Lu at no later than Friday, August 24, 2012 at 2:00 pm EST.

Volume I - TECHNICAL Volume

There shall be no pricing information or labor rates included in the Technical Volume. The Offeror shall submit the following as parts of Volume I:

A. Technical Approach-
The Offeror shall submit a detailed technical approach for this requirement that demonstrates a sound and feasible approach to completing the tasks detailed in the Statement of Work, as well as a sufficient understanding of the tasks and deliverables required by the Statement of Work, and the purpose of the requirement.
B. Key Personnel Information-
The Offeror shall submit a list of the proposed key personnel candidate(s) for the tasks detailed in the Statement of Work. It is expected that this requirement will require the work of at least one key personnel contractor employee. In addition, the Offeror shall submit the resume(s) for each proposed key personnel to demonstrate the extent to which the key personnel meet the minimum qualifications detailed in the evaluation factors for award.
C. Experience -
The Offeror shall describe its past experience in performing work for other organizations (private or public organizations) that is similar in size and scope to the work detailed in the Statement of Work. The work described in this section must have been performed within the past three years. The relevancy of the Offeror's past experience to this requirement shall be clearly demonstrated.

Volume II - PRICING Volume

The Offeror shall submit the following as part of Volume II:

The Offeror shall provide a total firm fixed price for the requirement detailed in the Statement of Work. As supporting information to the total firm fixed price proposed, the pricing volume shall also show the following:
a. The total number of hours being proposed for the performance of the work by each key personnel proposed.
b. The fully burdened hourly labor rate proposed for each key personnel contractor employee proposed.
c. A proposed payment schedule for the requirements. The Statement of Work details certain due dates for certain deliverables that should be noted in the Offeror's payment schedule.


Award shall be made to the Contractor whose quote offers the best value to the Government, price and other factors considered. The Government will evaluate quotations based on the following evaluation criteria: 1) Technical Capability factor "Meeting or Exceeding the Requirement", 2) Past Performance, and 3) Price. Technical capability and past performance, when combined, shall be approximately equal to price. If Technical Capability and Past Performance are equivalent, price shall be the determining factor.

A) Technical Capability:

Evaluation of Technical Capability shall be based on the information provided in the quotation. NIST will evaluate whether the offeror has demonstrated that its proposed equipment meets or exceeds all requirements. Quotations that do not demonstrate that the proposed equipment meets all requirements will not be considered further for award. Quoters shall also include product literature which addresses all specifications & clearly documents that the product offered meets or exceeds the specifications identified herein.

B) Past Performance:

Past Performance will be evaluated to determine the overall quality of the services provided and the Contractor's history of meeting delivery schedules for prior deliverables. Evaluation of Past Performance shall be based on the references provided and/or the quoters recent and relevant procurement history. Offerors should provide a list of 3-5 references to whom the same or similar services has been provided within the past 3 years. Past performance references must include the company/organizations name, contact person, phone number, and e-mail address.

Past Performance and Price shall not be evaluated on quotes that are determined technically unacceptable in accordance with the Technical Capability Evaluation factor.

All responses shall be sent to the National Institute of Standards and Technology, Acquisition Management Division, Attn: Willie Lu, via email at

***Submission must be received by 2:00 p.m. eastern time on Friday, August 24, 2011***FAXED QUOTES WILL NOT BE ACCEPTED.

The following Federal Acquisition Regulation (FAR) provisions apply to this acquisition: 52.212-1 Instructions to Offerors-Commercial Items; and 52.212-3 Offeror Representations and Certifications-Commercial Items. The following FAR clauses apply to this acquisition: 52.212-4 Contract Terms and Conditions-Commercial Items; 52.212-5 Contract Terms and Conditions Required to Implement Statutes or Executive Orders-Commercial Items including subparagraphs: (1) 5.203-6 Restrictions on Subcontractor Sales to the Government; (8) Utilization of Small Business Concerns; (16) 52.219-28 Post Award Small Business program Rerepresentation; (17) 52.222-3 Convict Labor; (18) 52.222-19 Child Labor - Cooperation with Authorities and Remedies; (19) 52.222-21, Prohibition of Segregated Facilities; (20) 52.222-26, Equal Opportunity; (21) 52.222-35, Equal Opportunity for Special Disabled Veterans, Veterans of the Vietnam Era, and Other Eligible Veterans (38 U.SC. 4212); (22) 52.222-36, Affirmative Action for Workers with Disabilities; (23) 52.222-37, Employment Reports on Special Disabled Veterans, Veterans of the Vietnam Era, and Other Eligible Veterans (38 U.S.C. 4212); (and (30) 52.232-33, Payment by Electronic Funds Transfer-Other Than Central Contractor Registration. 52.227-17 Rights in Data - Special Works. The following Department of Commerce (CAR) clauses Department of Commerce Clauses apply to this acquisition: 1352.201-70 Contracting Officer's Authority; 1352.201-72 Contracting Officer's Technical Representative (COTR); 1352.209-70 Organizational Conflict of Interest; 1352.209-72 Restrictions Against Disclosure; 1352.209-73 Compliance with the Laws; 1352.231-71 Duplication of Effort; 1352.233-70 Agency Protests; and 1352.227-70 Rights in Data, Assignment of Copyright.



100 Bureau Drive, Building 301, Room B129, Mail Stop 1640
Gaithersburg, Maryland 20899-1640
United States
At Contractor location, and/or

100 Bureau Dr.
Gaithersburg, Maryland 20899
United States
Willie W. Lu
Phone: 3019758259
Chon S. Son,
Contracting Officer
Phone: 301-975-8567