
Modular Spectrum Characterization


Responses Due By

2024-06-11 23:59:59 US/Eastern Time

Problem Statement


Traditional methods of Electromagnetic Spectrum signature gathering are constrained by a number of factors, including:


  • Inability to capture wideband, high bandwidth signatures;
  • Existing software solutions are not easily configurable or autonomous, have limited or no data parsing utilities, or are not interoperable with a variety of different software defined radios (SDRs);
  • Size, weight and power (SWaP) constraints make solutions difficult to transport and/or limit use cases due to lack of portability and the ability to deploy in the field.


Desired Solution Attributes


The Department of Defense (DoD) seeks autonomous solutions capable of passively detecting and gathering data primarily against wideband, high bandwidth, electromagnetic spectrum while also storing this data securely. The initial prototype will be built to gather radio frequency (RF) signatures with interest in gathering other phenomena (such as acoustic signatures) in future iterations. All proposed solutions must be able to operate autonomously and incorporate multiple configurable “triggering” methods such as options for user-based activation, geofence boundary activation, and time-based scheduling activation at a minimum. The solution must also be able to record both Power Spectral Density (PSD) and raw in-phase and quadrature (I/Q) data to on-board and/or attached storage media.


Final technology solutions should comprise the smallest form factor achievable using commercial off the shelf (COTS) components while arranging said components to support a wide array of sizing permutations. The solution should make every effort to minimize power draw during idle operation and consist of non-emitting COTS components/devices. Some versions will need to be capable of sustaining operation under MILSPEC electromagnetic interference (EMI) conditions or device(s) configurable to a non-emitting state. Future versions may also require incorporation into any number of platforms (e.g. unmanned systems (UXS), manned vehicles, Android tactical assault kit (ATAK), etc.).


The technology needs to be able to be packaged and operable when enclosed within an array of small form factor enclosures and withstand rudimentary physical inspection without drawing attention or causing alarm; it should also be secure against undesired examination (at a minimum leverage AES-256 encryption of data/configuration at rest, secure boot, hardware fuses, anti-tamper, etc.). Once in use, the solution must be secure against a wide spectrum of environmental conditions.


The technology should be capable of supporting add-on peripherals through protocols such as USB, GPIO, i2c, etc., and provide support for additions such as up/down frequency converters, field swappable data drives, and options for portable configuration upload media.


The initial prototype will require that data remain encrypted until recovered and decrypted by authorized personnel. Upon retrieval, data needs to be exportable, or natively stored in non-proprietary file formats, and support conversion to the DoD standard file formats to be provided at a later time. Future prototypes may require data to be offloaded via remote connection.


Demonstrations:

  • Commercial solution(s) should be ready for full-scale system testing, demonstration, and evaluation within 8 months from project start date.
  • Vendors will provide on-site and remote support during the on-base system testing, demonstration, and evaluation period (US-bases), where prototypes will undergo a range of environmental and electromagnetic testing, including but not limited to: MIL-STD-810H, MIL-STD-461G, and MIL-STD-464C.

Eligibility Requirements

Awarding Instrument

  • This Area of Interest solicitation will be awarded in accordance with the Commercial Solutions Opening (CSO) process detailed within HQ0845-20-S-C001 (DIU CSO), posted to https://SAM.gov in March 2020. 

Follow-on Production

  • This project qualifies as a prototype project and meets the definition. A prototype project, as defined in the July 2023 Other Transactions Guide, is “a proof of concept, model, reverse engineering to address obsolescence, pilot, novel application of commercial technologies for defense purposes, agile development activity, creation, design, development, demonstration of technical or operational utility, or combinations of the foregoing. A process, including a business process, may be the subject of a prototype project.”


  • The prototyping project is also directly relevant to enhancing mission effectiveness of military personnel and the supporting platforms, systems, components, or materials to be acquired or developed by the DoD, or to improvement of platforms, systems, components, or materials in use by the armed forces. The July 2023 “Other Transactions Guide” imparts guidance that is directly relevant and “focuses on the agency determination of the direct relationship of the prototype project (as opposed to a tangential association) with the DoD mission.”


  • Companies are advised that any prototype Other Transaction (OT) agreement awarded in response to this Area of Interest may result in the award of a follow-on production contract or transaction without the use of further competitive procedures. The follow-on production contract or transaction will be available for use by one or more organizations in the Department of Defense and, as a result, the magnitude of the follow-on production contract or agreement could be significantly larger than that of the prototype OT. As such, any prototype OT will include the following statement relative to the potential for follow-on production: “In accordance with 10 U.S.C. 4022(f), and upon a determination that the prototype project for this transaction has been successfully completed, this competitively awarded prototype OTA may result in the award of a follow-on production contract or transaction without the use of competitive procedures.”



  • The follow-on production agreement will potentially have operational testing which goes beyond network testing, but also includes testing of the open architecture and interfaces, data collection, processing, fusion, and analysis, as well as workflow testing on effectiveness of the decision support and triage capabilities.

Biosurveillance


Responses Due By

2024-06-07 23:59:59 US/Eastern Time

Problem Statement

The DoD needs to provide biosurveillance analysts with the data science capabilities to promptly address crucial biosurveillance inquiries for decision-makers. This is complicated by the dynamic nature of emerging threats, where data informing responses to each threat varies considerably from previous instances.


Desired Solution Attributes

The Department of Defense (DOD) requires timely, insightful, objective, and relevant health threat and biothreat information to inform national security decisions across the continuum of conflict. The Department will achieve this through the DoD biosurveillance program underpinned by a novel fit-for-purpose analytic capability enabling federated data collection, ingestion, processing, analysis, and insight production. The technical solution, when used by the biosurveillance analysts, should enable rapid development and dissemination of strategic, anticipatory, and current operations analysis for risk mitigation from health and biothreats.


To generate leadership-decision support and analytic products, the DOD seeks a dynamic cross-domain cloud-based information technology capability, enabled by artificial intelligence and machine learning, to make sense of big data and create analytic bandwidth for user-driven analysis and automation of routine processes across public health, biodefense, environmental, and intelligence data. 


To support the biodefense program, the Department seeks a system with the ability to adaptively license, ingest, structure, and correlate primary and secondary data sources at-scale to build a dynamic intelligence picture. The system should primarily be focused on streamlining and automating anticipatory analysis for biological and health-related questions, while simultaneously providing situational awareness for all levels of command. The system should be highly adaptable and support ad-hoc requests for information. This system is not intended to be an early warning algorithm; rather, it is intended to be the platform, infrastructure, and data visualization for use by biosurveillance analysts (human-computer interface) to generate early warning and response when integrated into broader programs. The technical solutions will integrate with a range of existing or new DOD capabilities, including the Combined Joint All Domain Command and Control (CJADC2) initiative. Additionally, the solution should be capable of integrating with pre-existing, controlled data sources, pulling or pushing information as necessary to ensure interoperability.


The Solution Should Successfully Demonstrate the Following:

  • Demonstrate adaptive ingest capabilities, sense making at-scale, anomaly detection on primary data feeds amplified by metadata, AI methods for data structuring and semantic reasoning, fusion, and data processing, to enable all-source analytics.


  • Demonstrate the ability to use tools for adaptive ingest of data provided by many entities, including interagency and international partners.


  • Demonstrate use of geospatial and temporal techniques to associate foundational feeds with well-structured data.


  • Demonstrate situational awareness and leadership decision support tools and information products, iterating from manual curation to automated collection and fusion to development, validation, deployment, and monitoring.


  • Create, connect, structure, and correlate data feeds, getting data from sensors and sources across domains, partners, allies, and platforms, using industry-standard communication protocols.


  • Enable (or provide) data scientists and software engineers to join mission experts from the United States Government on teams with the ability to receive and triage key questions, execute data analysis, and deploy and monitor automated services.


  • Remain modular and adaptable through open architecture software designs, data rights and formats, and application program interfaces (APIs), ultimately ensuring consistent and reliable sustainment, maintenance, and innovation for all digital tools.


  • Demonstrate the ability to assess changing conditions, and work with customers from warfighters to policymakers to understand their key questions and respond with sophisticated solutions, while identifying opportunities for innovation (e.g., challenging long-standing assumptions and boundaries in health data analytics).


  • Demonstrate the capability to enable rapid answers to key intelligence questions for leadership decision support.


  • The team will understand the accreditation process and associated technical requirements, including audit, PKI identification, and classification requirements.


  • Commercial solution(s) should be ready for full-scale operational testing, demonstration, and evaluation within 4 months from project start date.



  • Provide on-site and remote support during the on-base operational testing, demonstration, and evaluation period (US-bases), where prototypes will undergo a range of network testing, including but not limited to: MIL-STD-2525D, NIST 800 series, CNSSI 1253 series, and the National Industrial Security Program Operating Manual (NISPOM): 32 CFR 117.


Vendors with current or prior experience developing software at the TS level are preferred. Companies are expected to demonstrate a comprehensive understanding of DEVOPS across the spectrum of DoD classifications (unclassified, NIPR, SIPR, JWICS, etc). Solutions should demonstrate a mature understanding of using and creating application program interfaces to communicate with outside software platforms.


Multiple agreement awards are anticipated, and a single company is not expected to provide a solution that covers all solution areas. Preference will be given to product mixes that include solutions with evidence of similar deployments. The DoD may facilitate teaming arrangements among submissions offering complementary capabilities to achieve the desired effect. Companies are also welcome to present their own teaming arrangements in their solution briefs. If technology solutions are proprietary, performing companies will be expected to establish business-to-business safeguards that permit information sharing amongst teaming members in pursuit of solutions. Academic research proposals are not desired.


Successful prototypes will need network accreditation to ensure full functionality and deployment on DoD systems. Existing authority to operate (ATO) or certification as a system of record are a plus. Vendors must possess or be able to obtain necessary accreditations to deploy/operate their solutions in Defense Information Systems Agency (DISA) Impact Level 6 (IL6) environments.


*Note to offerors: It is anticipated human subjects research may be required in performance of any subsequent agreement(s). Therefore, offerors should be aware that compliance with 32 CFR 219, DoDI 3216.02 will be mandatory, as applicable.

FAQs

1. Question: What is the anticipated budget for the prototype phase? What is the anticipated budget for the follow-on production agreement?


1. Answer: We do not discuss funding.



2. Question: What is the anticipated period of performance (POP) for the prototype phase? What is the anticipated POP for the follow-on production agreement?


2. Answer: We anticipate the prototype period of performance may vary based on the performer.



3. Question: Who is the sponsoring program office for the production effort?


3. Answer: Biosurveillance cuts across several program offices. As such, the specific attributes of any successful solution will guide the programming decision.



4. Question: Can DIU define biosurveillance analyst more specifically, e.g., all-source intelligence analysts, epidemiologists, others?


4. Answer: A biosurveillance analyst may be any analyst with necessary access to source data tasked with developing insights to inform a key intelligence question.



5. Question: Is DIU interested in having vendors provide hands-on user testing and iteration between delivery of the initial prototype (i.e., four months or less after contract award) and the end of the prototype phase?


5. Answer: Yes



6. Question: Can DIU provide more information about the Government-provided data sources anticipated for this effort, and their scale, size, classification level, method of provision to vendor, and any other relevant technical information?


6. Answer: Commercial, open source, and government data at all classification levels may be anticipated.



7. Question: On what network(s) does DIU expect the prototype to be deployed (Unclassified, IL-5, IL-5 and IL-6, other?)


7. Answer: Performers should expect IL-6 deployment.



8. Question: How many test base sites does DIU anticipate running the network testing in, and where are these bases located geographically?


8. Answer: We do not disclose location data prior to award.



9. Question: What does DIU anticipate providing to vendors in terms of Government furnished equipment for the prototype / testing phase, e.g., cross-domain solution (CDS)?


9. Answer: We anticipate GFE requirements to vary by performer. These and other requirements will be developed in the course of contract negotiations.



10. Question: Are you considering sources of bio-type data / solutions that could pipe structured, tagged, labeled data (such as service member responses to health questions) into the sort of aggregation tool / decision support capability that you describe? Or, are you only looking, for this solicitation, to vet different possible solutions for the aggregation / decision support tool component?


10. Answer: Multiple agreement awards are anticipated, and a single company is not expected to provide a solution that covers all solution areas.

Eligibility Requirements

Awarding Instrument

  • This Area of Interest solicitation will be awarded in accordance with the Commercial Solutions Opening (CSO) process detailed within HQ0845-20-S-C001 (DIU CSO), posted to https://SAM.gov in March 2020. 


Follow-on Production

  • This project qualifies as a prototype project and meets the definition. A prototype project, as defined in the July 2023 Other Transactions Guide, is “a proof of concept, model, reverse engineering to address obsolescence, pilot, novel application of commercial technologies for defense purposes, agile development activity, creation, design, development, demonstration of technical or operational utility, or combinations of the foregoing. A process, including a business process, may be the subject of a prototype project.”


  • The prototyping project is also directly relevant to enhancing mission effectiveness of military personnel and the supporting platforms, systems, components, or materials to be acquired or developed by the DoD, or to improvement of platforms, systems, components, or materials in use by the armed forces. The July 2023 “Other Transactions Guide” imparts guidance that is directly relevant and “focuses on the agency determination of the direct relationship of the prototype project (as opposed to a tangential association) with the DoD mission.”


  • Companies are advised that any prototype Other Transaction (OT) agreement awarded in response to this Area of Interest may result in the award of a follow-on production contract or transaction without the use of further competitive procedures. The follow-on production contract or transaction will be available for use by one or more organizations in the Department of Defense and, as a result, the magnitude of the follow-on production contract or agreement could be significantly larger than that of the prototype OT. As such, any prototype OT will include the following statement relative to the potential for follow-on production: “In accordance with 10 U.S.C. 4022(f), and upon a determination that the prototype project for this transaction has been successfully completed, this competitively awarded prototype OTA may result in the award of a follow-on production contract or transaction without the use of competitive procedures.”



  • The follow-on production agreement will potentially have operational testing which goes beyond network testing, but also includes testing of the open architecture and interfaces, data collection, processing, fusion, and analysis, as well as workflow testing on effectiveness of the decision support and triage capabilities.

Joint Cyber Hunt Kit (JCHK)


Responses Due By

2024-06-14 23:59:59 US/Eastern Time

Joint Cyber Hunt Kit (JCHK)


Problem Statement and Concept of Operations


The Department of Defense (DoD) conducts hunt operations on DoD and international or domestic partner networks in order to discover advanced persistent threats (APT), and analyze their tactics, techniques, and procedures (TTP). These hunt operations require a next-generation deployable Joint Cyber Hunt Kit (JCHK) with cutting edge commercial off the shelf (COTS) and free and open source software (FOSS) capabilities.


The desired JCHK solution is best described as a mobile “security operations center (SOC) in a box” that can be transported by a nine person team, anywhere in the world. This hunt kit must be capable of standalone operation because it will most often operate in an environment where it is not permissible to connect to the internet, and not permissible to send data offsite for analysis. The hunt kit must also be capable of performing all hunt operation activities without requiring additional processing or storage resources from a partner’s on-premise infrastructure. Furthermore, the hunt kit must be transportable as carry-on luggage, meeting weight and dimension limitations on international commercial airlines, and be compatible with the limited wattage and poorly conditioned power available in developing nations. In addition to the described “SOC in a Box” capability, the JCHK shall also be a modular system that allows for additional processors, storage, software, and capability packages, as future requirements are realized.


Key hunt activities include: determining the best locations to place network sensors; determining all possible paths to sensitive information; validating and augmenting the network map using network traffic files; scanning the network for software, firmware, and configuration vulnerabilities; determining possible attack vectors and their likelihoods; analyzing PCAP files to determine normal behavior patterns; determining the causes of anomalous behaviors; discovering the TTPs APTs used to gain access to a network; discovering the TTPs APTs used to move within a network; discovering the infrastructure that APTs prepared within a network; discovering the TTPs APTs used for the Command and Control (C&C) of infrastructure; discovering and analyzing the TTPs APTs used to attack a target; discovering the TTPs APTs used to exfiltrate data, or deny critical services within a network; discovering the TTPs APTs used to defend their infrastructure or activities from detection or degradation by network defenses; and determining TTPs that network defenders could use to deter, disrupt, and defeat APT activities.


The hunt kit needs to be able to perform any and all activities related to discovering APT activities and analyzing their TTPs. This includes all of the functions typically included in extended detection and response (XDR) applications, including both endpoint detection and response (EDR) and network detection and response (NDR) functions. It also includes many of the functions typically included in case management and workflow management applications, including managing all of the hunt activities across the team as they investigate issues and piece together TTPs, write reports, and communicate with their leadership and other stakeholders. While the teams are on-mission, the hunt kit also provides all of the team’s information technology (IT) resources, including desktop IT resources for communication and report development.


Finally, while there are several security-related requirements related to the hunt kit’s ability to operate on DoD networks, such as United States (US) Trade Agreement Act (TAA) compliance, DoD also desires a hunt kit whose components have no International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR) export restrictions, so that foreign governments that partner with the US on hunts can procure the same hunt kits if they desire.


Schedule, Execution Details, and Quantity


The vendor must be capable of completing a prototype hunt kit for government testing within four months of receiving an Other Transaction (OT) award.


During the prototype phase of this acquisition, the vendor will deliver a fully integrated hardware / software solution, configure the software to best use the hardware resources, and integrate the software in order to improve workflows, dataflows, and the user experience (UX). The requirements for software integration and improvements will not be specified by the government, and are up to the vendor to choose as part of their strategy. The government’s hunt kit currently uses a mix of COTS software and FOSS, and the government will evaluate alternative software loads during the prototype phase of this acquisition. However, during any follow-on production phases of this acquisition, the government may choose to procure only hardware, software integration, and sustainment services if no compelling software solution is bid.


The vendor’s installation scripts or images will need to be compatible with the Joint Cyber Warfare Architecture (JCWA) software provisioning solution (JSPS), which uses infrastructure-as-code (IaC) technologies. IaC is defined as any software provisioning / software deployment mechanism that is automated, does not require a human with administrative rights to be involved, and can be stored in a repository. This includes Ansible deployment scripts, VMware deployment scripts, Kubernetes deployment scripts, and similar technologies. For the purposes of the prototyping efforts, the vendor may provision the software onto their hardware using any method they desire. Note that if the vendor demonstrates a provisioning solution in the prototyping phase that has sufficient merit, and is in the best interest of the government, there is a possibility that it could be added to the JSPS trade-studies.


If the government determines the prototype project to be successfully completed and decides to award a production OT or contract, the following may apply:


  • United States Cyber Command (USCYBERCOM) and the Service Cyber Components (SCC), including Army Cyber Command (ARCYBER), Fleet Cyber Command/Tenth Fleet (FCC/10F), Air Forces Cyber/16th Air Force (AFCYBER), Marine Corps Forces Cyberspace Command (MARFORCYBER), and Coast Guard Cyber Command (CGCYBER) may procure hunt kits on an indefinite delivery, indefinite quantity (IDIQ) basis.
  • The final quantities are unknown, but for design and production feasibility analysis purposes should be assumed to be approximately 100 hunt kits per year, with the ability to scale to approximately 250 hunt kits per year, upgrade critical technologies as necessary throughout a kit’s lifecycle, replace entire systems every 3-5 years, and be able to stock or procure parts to repair and refurbish systems as required within a 2-4 week time period.
  • The government will purchase the software licenses and supply them to the vendor as government furnished equipment (GFE). It is also likely that the government will provide a small number of government off the shelf (GOTS) applications as GFE. The vendor will be responsible for integrating and sustaining all software. However, the government will own all licenses, control the distribution / prioritization of licenses, and bear all software end user license agreement (EULA) enforcement risk.


Desired Product Specifications


The DoD’s requirements are listed in 5 sections: minimum hardware requirements, optional hardware preferences, minimum software requirements, optional software preferences, and vendor support requirements. The government may further refine or elaborate on any specifications during future phases.


Minimum Hardware Requirements


The hardware solution MUST be one that:

  • Can be deployed within stacked transport cases, and in a top-of-rack or rack-mounted manner, without experiencing any degradation from electromagnetic interference or signal cross talk.
  • Can operate on international power sources ranging from 100 VAC to 240 VAC and 50 to 60 Hz.
  • Has the ability to operate in hot indoor temperatures, poorly conditioned power, frequent brown-outs, and occasional power surges.
  • Has the ability to be easily scaled up or down to the size of the network being hunted on, as well as the ability to be connected to to-be-defined (TBD) capability expansion packages that will extend the DoD’s hunt capabilities into areas such as industrial control systems (ICS) / supervisory control and data acquisition (SCADA) systems, internet of things (IOT), wireless, and cloud, or extend the JCHK’s capabilities with artificial intelligence / machine learning (AI/ML), storage, or out-of-band (OOB) communication solutions. Proposals for COTS capability expansion packages available within the JCHK prototype and production timeline may be submitted with the JCHK proposal, as separately priced options. Capability package equipment is not part of the nine person transport limit, but carry-on transport on international airline flights is still required.
  • Has all the equipment needed to tap and process all PCAP, logs, and metadata across a minimum of three “hunt sites” that each have a 1x 10 Gbps full duplex ingest line, or 2x 1 Gbps full duplex ingest lines. The hunt kit must be capable of processing this data 24x7, at fully saturated data rates, as a stand-alone system, without utilizing SPAN ports on tapped network devices. 
  • Has all equipment needed to enable a minimum of nine total host analysts and/or network analysts to perform hunt activities at an “analyst site”. This equipment must include laptops with approximately 17” screens; RJ45, HDMI, USB-A and USB-C connection ports. Any wireless communication, recording, or camera capabilities present must be able to be disabled via hardware, and not be capable of being enabled via software or network communications.
  • Has all equipment needed to connect all three hunt sites and the analyst site with whitelisted internet protocol (IP) addresses and virtual private network (VPN) encrypted communications. The connections must also be capable of supporting remote management of all network taps and firewalls using OOB channels; and must be able to connect to another access layer switch at the analyst site. The equipment must be able to meet all three of these conditions concurrently. 
  • Has all equipment needed to perform digital forensic analysis of drives and memory, including the equipment needed to clone drives and memory, and the equipment needed to prevent write-back.
  • Has the ability to use all common VPN protocols, including internet protocol security (IPsec), OpenVPN, and WireGuard.
  • Has network taps that are both passive and regenerative, so as not to interfere with the normal operation of the network they are connected to, and that can operate using only an on-board battery for at least 1 hour.
  • Has sensors, servers, and laptops that will allow all DoD standard hunt software loadset applications to be installed on virtual machines (VM) with their original equipment manufacturer’s (OEM) recommended resources, with no more than 75% processor utilization, 75% memory utilization, and 50% storage utilization at the sensor, server, and laptop level. For sizing purposes, assume the DoD standard hunt software loadset can be either a Splunk or Elastic based loadset, with approximately 25 total applications.
  • Has the ability to store at least 7 days of PCAP collected off a minimum of 3x 10 Gbps full duplex lines, and 90 days of logs and metadata on each server.
  • Supports RAID 1, 5, 6 or 10; manages OS data using RAID 1; and does not lose queued mission data for at least 1 hour in the event of a site-power failure.
  • Has all equipment to allow the hunt kit to be connected to a site network using copper, multimode fiber, or single-mode fiber transmission lines.
  • Uses copper cabling with RJ45 connectors between all the stand-alone components that comprise the hunt kit, wherever feasible, to allow custom length cables to be easily created in the field. Where this is not feasible, the hunt kit must include the splicing tools needed to make the custom cable lengths.
  • Has a capability that aggregates all data from all network taps, making it available for analysis by any sensor or server. The load balancing functions typically included in a packet broker are not required.
  • Has network taps and firewalls that either have no in-band management capability at all or allow it to be turned off.
  • All transport cases and stand-alone hunt kit components should be able to be secured in a way that makes physical tampering evident by casual inspection. At a minimum, the DoD requires that all transport cases and stand-alone components have the ability to be easily secured with wire ties and/or 2.5”x9” tamper evident tape, during both transportation and operation. Alternative solutions with the same or better tamper detection abilities are acceptable.
  • Has only self-encrypting drives (SED) that comply with the latest version of the Federal Information Processing Standards (FIPS) specification 140, at Security Level 2 or greater, for all drives involved with processing mission, networking, or security data.
  • Has a trusted platform module (TPM) with a cryptographic module that is certified by the National Information Assurance Partnership (NIAP) for each stand-alone assembly involved with processing mission, networking, or security data.
  • Has all electronic subassemblies involved with processing mission, networking, or security data produced in countries designated under the US Trade Agreements Act (TAA).
  • Has only stand-alone assemblies that are available for purchase as COTS items without any ITAR or EAR export restrictions for TAA designated countries.
  • Has an extremely high level of reliability, a high level of repairability, and good parts availability.
  • Has wheeled travel cases for all equipment that allow a 6-foot-tall person to walk comfortably while towing a case and that roll easily over cobblestone streets; except for laptops, which may have backpack-style travel cases that fit under an airline seat.
  • Has a tool kit that contains all the tools needed to: remove all drives that process mission, network, or security data; configure the hunt kit for travel or different deployment options (top of rack, rack mounted, case mounted); and maintain or perform repairs and/or component replacements in the field. 


Optional Hardware Preferences


The most preferred hardware solution would be one that:

  • Packs the greatest amount of throughput speed, processing power, and storage capacity into a form factor that is transportable by nine personnel as carry-on luggage on standard international airline flights.
  • For all drives that store mission, network or security data: has only drives that are easily removable without tools.
  • Has the ability to purge non-volatile memory (NVM) in accordance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-88 using ATA, SCSI, NVMe, TCG Opal, or TCG Enterprise cryptographic erase commands; or the ability to easily replace non-purgeable NVM using commonly available memory cards.
  • Has the ability to automatically detect tampering while deployed, and to alert network defenders.
  • Has the ability to automatically detect tampering during transport, and to alert network defenders, using wireless technologies that can be easily removed prior to deployment, and easily replaced for transport at the end of the mission.
  • Has the ability for all small form-factor pluggable (SFP) transceivers to be replaced with multi-source agreement (MSA)-compliant SFPs without any loss of functionality.
  • Requires the least number of spares and repair tools to ensure a 95% field availability level.
  • Has at least 50% empty space in the laptop backpack when the hunt kit is fully packed.
  • Has hard-sided travel cases that stack on their wide face in a stable manner that resists tipping over.


Minimum Software Requirements


The software solution MUST be one that: 

  • Has the ability to ingest data from Splunk security information and event management (SIEM) software and forwarders, and to feed data to Splunk SIEMs.
  • Has the ability to ingest data from Elastic SIEMs and forwarders, and to feed data to Elastic SIEMs.
  • Has the ability to actively (i.e., via interrogation or scanning techniques that are detectable by network monitoring / log analysis tools) detect network vulnerabilities, known malware, and signs of intrusion.
  • Has the ability to correlate network maps, configuration data, vulnerability scans, and sensitive information locations, and to determine likely attack paths and how an attacker would prioritize them.
  • Has the ability to automatically ingest NetFlow, logs, and metadata from network devices and hosts, and to determine what is normal versus anomalous, with very good detection rates and low false alarm rates.
  • Has the ability to automatically ingest and incorporate cyber threat intelligence (CTI) and indicators of compromise (IOC) from a wide variety of data sources into vulnerability, threat and attack analyses.
  • Has the ability to process analytics that are distributed across a set of sensors.
  • Has the ability to automatically link, correlate, compare, timeline, trend, and display NetFlow, logs, and metadata from network devices and hosts in ways that make it very effective for analyzing attacker tactics, techniques, and procedures (TTPs).
  • Has the ability to coordinate incident analysis data and activities across a hunt team in a manner that allows team members to collaborate on analyses using teleconferencing and multi-user editable files.
  • Has the ability to query any data within any hunt application, or to write a trigger that results in an action within any hunt application, using Structured Query Language (SQL) or similar.
  • Has the ability to automate workflow and dataflow across hunt applications, or to call queries or triggers using only the application programming interfaces (API) for the hunt applications.
  • Has the ability to create custom network topology maps that combine subsets of layer 2 and layer 3 topology maps, and incorporate evidence of attacker TTPs as annotations and links to the SIEM data.
  • Has the ability to easily create a virtualized environment that is a digital twin of the IT environment being analyzed at the partner site, for testing purposes.
  • Has the ability to automatically validate files against known hashes, of any common hash type.
  • Has the ability to detect malware within files, binaries, and addressable memory, with high levels of detection but low levels of false alarm.
  • Has the ability to perform malware analysis activities, including identification, triage, static analysis, dynamic analysis, and reverse engineering, all performed in a sandboxed environment.
  • Has the ability to perform cyber threat emulation (CTE) activities, including probing, penetration, pivoting, evasion, and coordinated attacks, that can be packaged to simulate a particular APT’s TTPs.
  • Has the ability to insert links to data, analyses, notes, dashboards, tables, charts, or graphs in a hunt application into a Microsoft (MS) Word, MS Excel, MS PowerPoint, MS Visio, or Adobe PDF document.
  • Has the ability to function without needing a connection to the external internet.
  • Has the ability to function in Linux, VMware, or Docker / Kubernetes environments.
  • Has the ability to function using only the processing and storage resources within the hunt kit.
  • Has the ability to be configured quickly and easily in a way that meets all the software-applicable security control requirements for operating on a DoD network.
  • Has a licensing model that allows the government to pay a fixed cost per hunt kit license per year, and allows the hunt kit to be used to hunt on networks with an unknown quantity of devices and dataflow.


Optional Software Preferences


The most preferred software solution would be one that:

  • Has the ability to detect malware within unaddressable memory, firmware, and integrated circuits (IC) with high levels of detection, but low levels of false alarm.
  • Has the ability to passively (i.e., without performing any outgoing communications) detect network vulnerabilities, known malware, and signs of intrusion.
  • Has automations or wizards / work-aids that allow a basic level analyst to perform malware analysis activities as thoroughly as an intermediate level analyst. 
  • Has automations or wizards / work-aids that allow a basic level analyst to perform CTE activities as thoroughly as an intermediate level analyst.
  • Has the ability to search information from the malware and CTE analyses from the SIEM and integrate information from the malware and CTE analyses into the network maps.


Vendor Support Requirements


The DoD requires a hunt kit vendor who:

  • Has the ability to support the prototype and production contracts using only personnel who are US Persons as defined by the US Immigration Reform and Control Act (IRCA) of 1986 as amended, and using only facilities, IT equipment, and personnel located in the US.
  • Has the ability to deliver the quantities of hunt kits desired, within the desired timelines, with high levels of quality assurance, and low levels of cost, schedule, and hunt kit performance risk.
  • Has the ability to provide software integration, configuration, and optimization services in a fast-paced user-driven DevSecOps environment, including developing dataflow scripts and plugins, and productivity enhancement tools.
  • Has the ability to provide 24x7 help desk support in the areas of hardware configuration, software configuration, hunt software usage, site-integration troubleshooting, and dataflow troubleshooting.
  • Has the ability to provide system refurbishment services, including NIST SP 800-88 compliant NVM sanitization, hardware repairs, upgrades, and performance testing. 
  • Has the ability to provide system logistical services and inventory management for hardware components located in sites throughout the US.
  • Has the ability to provide systems engineering support in the areas of deployment technical planning, hardware/software system optimization, software suite improvement, and failures / root cause analysis.
  • Has the ability to provide the security engineering and system documentation required to attain an authority to operate (ATO) to connect a system to DoD networks, including classified networks, and to support site-specific security inquiries.
  • Has the ability to develop training materials including: hardware configuration and administration manuals, software configuration and administration manuals, and activity-based software usage videos.


Awarding Instrument


This Area of Interest solicitation will be awarded in accordance with the Commercial Solutions Opening (CSO) process detailed within HQ0845-20-S-C001 (DIU CSO), posted to SAM.gov on 13 Jan 2020, updated 02 Oct 2023. This document can be found at: https://sam.gov/opp/e74c907a9220429d9ea995a4e9a2ede6/view


Vendors are reminded that in order to use an Other Transaction (OT) agreement, the requirements of 10 USC 4022 must be satisfied. Specifically, reference 10 USC 4022(d), which requires that there be significant contribution from a nontraditional defense contractor, that all participants be small business concerns, or that at least one third of the total cost of the prototype project be paid out of funds provided by sources other than the federal government.


Follow-on Production


Companies are advised that any prototype OT agreement awarded in response to this AOI may result in the award of a follow-on production contract or transaction without the use of further competitive procedures. The follow-on production contract or transaction will be available for use by one or more organizations in the Department of Defense and, as a result, the magnitude of the follow-on production contract or agreement could be significantly larger than that of the prototype OT. As such, any prototype OT will include the following statement relative to the potential for follow-on production: "In accordance with 10 U.S.C. 4022(f), and upon a determination that the prototype project for this transaction has been successfully completed, this competitively awarded prototype OT may result in the award of a follow-on production contract or transaction without the use of competitive procedures."


FAQs

1. Your storage specifications seem high and will be expensive. Is that what you want?

We're not focused on cost at this stage. We're looking for the best solution that meets the specification.

2. For the minimum software specifications provided in the solicitation, will any be satisfied by GOTS or other government provided software?

No.

3. Can you provide additional information on the Joint Cyber Warfare Architecture (JCWA) software provisioning solution (JSPS)?

No.

4. Can you provide a list with the DoD standard hunt software load set?

No.

5. Can you provide a list of GOTS applications the government is likely to provide for the prototype project?

No. There aren’t any for this prototype.

6. What types of files will need to be automatically validated against known hashes, of any common hash type?

Files of all types will need to be validated against known hashes, of any common hash type.

7. What is the goal of the hash validation process?

The goal of validating file hashes is both to discover known malware files, and to validate that infrastructure-related files, such as operating system (OS) or firmware files, have not been modified.

8. What types of files would need to have a hash comparison?

Files of all types will need to be compared against known hashes, of any common hash type.

9. Would the customer provide the known good hash or would this need to be provided by the company developing the JCHK?

For each application in the software load set the vendor supplies as part of their prototype, the vendor must supply a hash value and its hash type.
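As an added illustration of the hash validation described in FAQs 6 through 9 (example code, not DIU's or any vendor's), the validator below reads a manifest carrying a hash type with each value, as FAQ 9 requires, and serves both uses named in FAQ 7: checking that infrastructure files are unmodified and matching files against known-malware digests of any common type. The manifest layout, the sample files and the known-bad digest set are constructed assumptions.

```python
import hashlib
import hmac
import tempfile
from pathlib import Path
# Added example, not DIU's or any vendor's code. Assumes manifest lines of the
# form '<type> <hex digest> <path>' (FAQ 9: a hash value plus its hash type).
COMMON = {"md5": 32, "sha1": 40, "sha256": 64, "sha512": 128}  # hex digest lengths


def parse_manifest(text: str) -> list:
    """Return (type, digest, path) triples; reject unknown types and bad digests."""
    entries = []
    for n, raw in enumerate(text.splitlines(), 1):
        parts = raw.split(maxsplit=2)
        if not parts or parts[0].startswith("#"):
            continue  # blank line or comment
        algo, digest = parts[0].lower(), (parts[1].lower() if len(parts) == 3 else "")
        if algo not in COMMON or len(digest) != COMMON[algo] or set(digest) - set("0123456789abcdef"):
            raise ValueError(f"manifest line {n}: expected '<type> <digest> <path>'")
        entries.append((algo, digest, parts[2]))
    return entries


def file_digest(path: Path, algo: str) -> str:
    h = hashlib.new(algo)  # hash in 1 MiB chunks so OS/firmware images need not fit in RAM
    with path.open("rb") as f:
        for block in iter(lambda: f.read(1 << 20), b""):
            h.update(block)
    return h.hexdigest()


def validate(root: Path, manifest: str) -> dict:
    """Integrity use (FAQ 7): map each manifest path to ok, modified or missing."""
    results = {}
    for algo, expected, rel in parse_manifest(manifest):
        target = root / rel
        if not target.is_file():
            results[rel] = "missing"
            continue
        same = hmac.compare_digest(file_digest(target, algo), expected)
        results[rel] = "ok" if same else "modified"
    return results


def demo_constructed():
    """Run the integrity check and a known-malware lookup on constructed files."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for rel, data in (("bin/hunt-agent", b"constructed-good"), ("etc/app.conf", b"tampered=1")):
            (root / rel).parent.mkdir(exist_ok=True)
            (root / rel).write_bytes(data)
        manifest = (f"sha256 {hashlib.sha256(b'constructed-good').hexdigest()} bin/hunt-agent\n"
                    f"sha1 {'0' * 40} etc/app.conf\n"     # wrong digest: reported modified
                    f"md5 {'0' * 32} bin/missing-file")  # absent: reported missing
        # Malware use (FAQ 7): constructed IOC digests keyed by hash type; any type may hit.
        bad = {"sha1": set(), "md5": {hashlib.md5(b"tampered=1").hexdigest()}}
        hit = next((a for a, s in bad.items() if file_digest(root / "etc/app.conf", a) in s), None)
        return validate(root, manifest), hit
```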

10. Can you specify the storage requirements in terabytes for the ability to store at least 7 days of PCAP collected off a minimum of 3x10 Gbps full duplex and 90 days of logs and metadata on each server? This number varies greatly depending on the assumptions used in the storage calculation.

The storage requirement is not stated in terabytes because vendors may employ different data compression strategies in their storage designs. However, proposed designs must be capable of meeting all storage and processing specifications when all incoming data links are fully saturated. Log and metadata loads will vary depending on the infrastructure used by each mission partner. However, proposed designs must be capable of meeting all storage and processing specifications when hunt sites are large enterprises with numerous network and host logging functions enabled.
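To make the assumptions behind such a calculation explicit, an added sizing model (not DIU's or any vendor's code) for the PCAP case above: the 3x 10 Gbps full-duplex links, 7-day retention, saturated links and the 50% storage-utilization ceiling from the minimum hardware requirements are taken from this solicitation, while the compression ratios and the number of drives per RAID group are assumptions.

```python
# Added sizing model, not DIU's or any vendor's code. It turns the PCAP
# requirement (7 days, 3x 10 Gbps full duplex, links assumed saturated per
# FAQ 10) into capacity, applies the 50% storage-utilization ceiling, and
# converts usable to raw disk for the RAID levels the solicitation permits.
# The compression ratio and disks-per-group values are assumptions.
SECONDS_PER_DAY = 86_400
TB = 10**12  # decimal terabytes, the unit drive vendors quote

# Usable fraction of raw disk for each permitted RAID level, given the number
# of drives in one RAID group (each level has a minimum group size).
RAID_EFFICIENCY = {
    "raid1": (2, lambda n: 0.5),
    "raid10": (4, lambda n: 0.5),
    "raid5": (3, lambda n: (n - 1) / n),
    "raid6": (4, lambda n: (n - 2) / n),
}

def pcap_bytes(links: int, gbps: int, days: int, full_duplex: bool = True) -> int:
    """Raw capture volume with every link saturated in both directions."""
    directions = 2 if full_duplex else 1
    bits = links * directions * gbps * 10**9 * days * SECONDS_PER_DAY
    return bits // 8

def usable_capacity_tb(raw_bytes: int, compression_ratio: float = 1.0,
                       max_utilization: float = 0.5) -> float:
    """Usable space needed so stored data never exceeds the utilization ceiling."""
    if compression_ratio < 1.0 or not 0.0 < max_utilization <= 1.0:
        raise ValueError("need compression_ratio >= 1 and 0 < max_utilization <= 1")
    return raw_bytes / compression_ratio / max_utilization / TB

def raw_disk_tb(usable_tb: float, raid: str, disks_per_group: int) -> float:
    """Raw drive capacity to provision for the chosen RAID level and group size."""
    min_disks, efficiency = RAID_EFFICIENCY[raid]
    if disks_per_group < min_disks:
        raise ValueError(f"{raid} needs at least {min_disks} drives per group")
    return usable_tb / efficiency(disks_per_group)

def sizing_table(compression_ratios=(1.0, 2.0, 4.0), raid="raid6", disks_per_group=8):
    """(ratio, usable TB, raw TB) rows for the solicitation's PCAP case."""
    raw = pcap_bytes(links=3, gbps=10, days=7)
    rows = []
    for ratio in compression_ratios:
        usable = usable_capacity_tb(raw, ratio)
        rows.append((ratio, round(usable, 1), round(raw_disk_tb(usable, raid, disks_per_group), 1)))
    return rows
```

With no compression the case works out to about 4.5 PB of capture, 9.1 PB of usable space under the 50% ceiling, and roughly 12.1 PB of raw disk on 8-drive RAID 6 groups, which is why the stated assumptions dominate the answer.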

11. Is there an expectation for a "management approach" to be addressed in the Phase 1 response or will this be addressed later?

No. This effort is only for the delivery of a prototype. Management approach will be addressed at a later time.

12. We believe the software specifications section may be in conflict with an earlier section. Is the government providing us all licensed software as GFE?

The software statements identified in the “Minimum Software Requirements” and “Schedule, Execution Details, and Quantity” sections are not contradictory because they are referencing different phases of the acquisition process. The minimum software requirement is a prototype provision while the software licensing in the quantity section speaks to what may apply to a production contract.

13. Can the government clarify if the requirement for the JCHK is to provide both TAPs which are "passive" as well as TAPs that are "regenerative" or if the intent is to provide a TAP which is both "passive and regenerative"?

Using the following definitions, they could reside in the same device:

Passive TAP - There is no data originating from the TAP to the tapped devices. The TAP device should only forward information that was originally intended for the network devices; it should not be detectable, should not negotiate communications with the tapped devices, and should not interfere with the network being tapped.

Regenerative TAP - The TAP device negates the signal loss over long network runs that would cause a loss of communications.

14. What product certifications are required for submissions on this prototyping effort? (e.g., TAA, IPv6, FIPS, APL, etc.)

This is a Phase 1 submission for a solution response based upon the Commercial Solutions Opening (CSO). Provide any information your company deems necessary to allow the government to evaluate your solution.