host-based monitoring and digital forensics software

Solicitation Number: 2113203RFICIO575
Agency: Department of Homeland Security
Office: Transportation Security Administration
Location: Headquarters TSA
Sources Sought
Added: Nov 16, 2012 9:29 am
SECTION I: Purpose

Product, Service or Outcome Needed:
Focused Operations (FO) is in need of a tool to monitor and conduct digital forensics at the host-based level. Networked monitoring solutions are not the purpose of this procurement.

Scope of the Product, Service, or Outcome:

The scope of this procurement is an enterprise solution to host-based monitoring and the collection of digital forensics information.

SECTION II: Background

The Information Assurance & Cyber Security Division (IAD)/Focused Operations (FO) Branch supports areas of cyber threats and digital forensics. FO is seeking an enterprise technology that will automate enterprise-wide host-based monitoring. TSA has approximately 25,000 host nodes in its enterprise.

SECTION III: Technical Requirements/Tasks/Outcomes

FO is seeking a technology that will focus at the user host level. The following is a list of requirements that the technology must perform:
1. Ability to monitor activities through
a. Keystroke monitoring/logging
b. Chat monitoring/logging
c. Email monitoring/logging
d. Attachment monitoring/logging
e. Website monitoring/logging
f. Network activity monitoring/logging
g. Files transferred monitoring/logging
h. Document tracking monitoring/logging
i. Screenshot capture
j. Program activity monitoring/logging
2. For all activities being monitored/logged, the technology must call back to a central enterprise command infrastructure and transfer its collected data
a. If a host is connected to the TSA network, it will communicate with the central command
b. If a host is not connected to the TSA network, it will continue collecting on the host. Once it connects back to the TSA network, it will then transfer its collected data automatically
3. The end user must not have the ability to detect this technology.
4. The end user must not have the ability to kill the process or service.
5. All communications to and from the host and the central command must be encrypted with FIPS approved algorithms.
6. Ability to alert based on specific criteria such as a name and/or combination of names
7. Ability to mine through all the collected data using built-in or third party tools
8. The configurations must be customizable to eliminate operational impact to the end user
9. Ability to monitor Windows-based systems at the host, with the collected data retrieved via network connection.
10. Potentially have the ability to monitor Mac OS X at the host, with the collected data retrieved via network connection.
11. The technology must be able to comply with FISMA requirements.
12. Ability to transfer licenses from one host to another. Due to the limited budget surrounding this initiative, the technology must be able to automatically transfer licenses from one host to another.

Additionally, the offeror must provide formal training of their proposed technology.

SECTION IV: Submission instructions

Submissions shall not exceed 5 pages, single sided, in length. Submissions should include detailed information that communicates the product(s) ability to meet the requirements described in Section III of this RFI.


601 S. 12th Street
TSA-25, 10th Floor
Arlington, Virginia 20598
United States
701 S. 12th ST
Arlington, Virginia 20598-6011
United States
Douglas W Gerard,
Contract Specialist
Phone: 571-227-5202
Kristin S Fuller,
Contracting Officer
Phone: 571-227-2740