[Commerce Business Daily: Posted May 29, 1997] From the Commerce Business Daily Online via GPO Access [cbdnet.access.gpo.gov] PART: U.S. GOVERNMENT PROCUREMENTS SUBPART: SUPPLIES, EQUIPMENT AND MATERIAL CLASSCOD: 70--General-Purpose Information Technology Equipment OFFADD: National Institute of Standards & Technology, Acquisition & Assistance Div., Bldg. 301, Rm B117, Gaithersburg, MD 20899 SUBJECT: 70--SUPPORT DATA ENCRYPTION IN FEDERAL GOVERNMENT APPLICATIONS SOL 52SBNB7C1208 DUE 071197 POC Marsha Rodgers (301)975-6398, FAX (301)963-7732
DESC: BROAD AGENCY ANNOUNCEMENT -- The National Institute of Standards and Technology (NIST) is soliciting proposals for products and services which will demonstrate the viability of the recovery of keys that are used to support data encryption in Federal government applications.
BACKGROUND: In May 1996, the Office of Management and Budget (OMB) released a white paper entitled "Enabling Privacy, Commerce, Security, and Public Safety in the Global Information Infrastructure". This paper stated that "government and industry must work together to create a security management infrastructure and attendant products that incorporate robust cryptography without undermining national security and public safety". Recently, a task group was formed for the purpose of testing the feasibility of implementing emergency key recovery capabilities in Federal Government applications. Approximately ten Federal agencies will participate in a Key Recovery Demonstration Project (KRDP), formerly known as the Emergency Access Demonstration Project (EADP), to demonstrate the viability of key recovery. In this Broad Agency Announcement (BAA), NIST is soliciting products and services to support this project.
GOALS: Specific goals of the KRDP include the following: (a) demonstrate the practicality of key recovery in Federal Government applications; (b) determine to what extent Commercial Off-The-Shelf (COTS) products or commercially available services currently exist to support key recovery. Products that can be modified with minimum difficulty will also be considered; (c) determine how these products and services can be integrated into existing applications; (d) identify, implement, test and evaluate diverse key recovery technologies; and (e) identify barriers to interoperability among applications that use different key recovery technologies and make recommendations for lessening or removing those barriers.
OBJECTIVES: Different methods of key recovery will be demonstrated. Encryption keys will be recovered by Key Recovery Agents upon receipt of an authorized request; keys used for digital signatures will not be recovered. Off-the-shelf technology is being sought for use on this project; there are no restrictions on standards compliance or algorithm usage. The KRDP will include a Public Key Infrastructure (PKI) which consists of a root Certification Authority (CA) and several dependent Certification Authorities. CAs certify the public keys of particular user communities and provide certification paths to other CAs so that public keys in other CA domains may be verified. The root CA will be located at and be operated by NIST. The remaining CAs will be located either at the sites of agencies participating in the project or at third party sites. Other components of the KRDP that will be procured under this BAA include Organization Registration Authorities (ORAs) and Key Recovery Agents (KRAs). ORAs authenticate users, validate requests, and interact with the Certification Authorities; ORAs may also request key recovery from a KRA. KRAs are used to recover keys, key components or plaintext messages upon the receipt of an authorized request.
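The recovery flow the OBJECTIVES describe, as an added illustration that is not part of the announcement or any offeror's product: two hypothetical Key Recovery Agents each escrow one XOR component of a user's encryption key, an Organization Registration Authority validates the request, and a request for the same user's signature key is refused. The role names, the two-component split and the requester list are assumptions made for the example.

```python
import os

# Constructed model of the KRDP roles named in the announcement (not a vendor's
# product): an encryption key is XOR-split into two components escrowed with two
# KRAs, an ORA authorizes recovery requests, and signature keys are never recovered.

def split_key(key: bytes) -> tuple[bytes, bytes]:
    """Split key into two XOR components so that neither KRA alone learns it."""
    c1 = os.urandom(len(key))
    return c1, bytes(a ^ b for a, b in zip(key, c1))

class KeyRecoveryAgent:
    def __init__(self):
        self.components = {}                 # (user, key_id) -> escrowed component
    def escrow(self, user, key_id, component):
        self.components[(user, key_id)] = component
    def release(self, user, key_id, authorized):
        if not authorized:
            raise PermissionError("recovery request not authorized by the ORA")
        return self.components[(user, key_id)]

class RegistrationAuthority:
    """ORA: authenticates the requester and validates the recovery request."""
    def __init__(self, authorized_requesters, key_usage):
        self.authorized_requesters = authorized_requesters
        self.key_usage = key_usage           # (user, key_id) -> "encryption" | "signature"
    def authorize(self, requester, user, key_id):
        if requester not in self.authorized_requesters:
            return False
        return self.key_usage.get((user, key_id)) == "encryption"  # never signature keys

def recover_key(ora, kras, requester, user, key_id):
    # Every KRA releases its component only for an ORA-authorized request; rejoin them.
    ok = ora.authorize(requester, user, key_id)
    parts = [kra.release(user, key_id, ok) for kra in kras]
    return bytes(a ^ b for a, b in zip(*parts))      # two components assumed

def demo():
    enc_key, kras = os.urandom(32), [KeyRecoveryAgent(), KeyRecoveryAgent()]
    for kra, comp in zip(kras, split_key(enc_key)):
        kra.escrow("alice", "enc", comp)
    ora = RegistrationAuthority({"investigator"}, {("alice", "enc"): "encryption",
                                                   ("alice", "sig"): "signature"})
    recovered = recover_key(ora, kras, "investigator", "alice", "enc") == enc_key
    refused = []
    for requester, key_id in (("investigator", "sig"), ("outsider", "enc")):
        try:
            recover_key(ora, kras, requester, "alice", key_id)
        except PermissionError:
            refused.append((requester, key_id))
    return {"recovered": recovered, "refused": refused}
```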
The infrastructure imposes no implementation constraints. For example, the services provided by a CA and a KRA could be included in a single product. An example infrastructure which illustrates three possible methods for accomplishing key recovery in a PKI environment can be found at the web site specified in this BAA.
PROPOSAL CONTENT: NIST is seeking the following information about off-the-shelf products and/or services that can be used in the Key Recovery Demonstration Project: the functionality of the product or service (e.g., CA, ORA, KA, user); whether a product or a service is being offered; a list of all features (e.g., key generation) provided by the product or service; a description of the proposed key recovery methodology to be used, if appropriate; whether the proposed product or service is currently available and, if not, the expected date of availability; the requirements for operating or communicating with the proposed product or service; information which specifies how the product or service can be integrated with the product(s) and service(s) provided by other vendors or with other project elements (e.g., CA, ORA), if applicable; any constraints on product integration, such as dependence on a particular cryptographic algorithm, cryptographic product, communication interface, etc.; and the extent to which additional negotiated enhancements to the product and/or service can be made. Since the enhancements that may be requested cannot be specified at this time, a general statement about the capability of responding to such a request is all that is required. The following information about the KRDP elements should be provided when being proposed by a vendor: (1) Certification Authority - A Certification Authority system certifies public keys and optionally generates public/private key pairs and may act as a certificate repository. If a Certification Authority system is provided as a service, specify the services provided and the cost of each service.
Explain any factors that will cause the cost to vary and the method of obtaining the services that are provided. If a Certification Authority can be purchased, explain the impact of any factors that will affect the initial procurement cost and provide the cost of operating the system. Vendors who provide only a certificate repository service should specify the cost and the method of accessing this service. (2) Key Recovery Agent - If key recovery is provided as a service, specify the cost of registering with the key recovery service and the costs of key recovery operations. Indicate how these costs will vary, depending upon the number of users that are registered and the number of key recoveries that are performed. Specify the key archival services provided, if applicable, and the cost of these services. If a key recovery product can be procured for operation by the user or user's representative, list all factors that will affect pricing. List and specify the costs of cryptographic products that must be used in conjunction with the key recovery service. (3) Organization Registration Authority - Specify all costs associated with the procurement and operation of an Organization Registration Authority. Explain the method of interaction with the Certification Authority and the Key Recovery Agent, wherever applicable. (4) User Software - Specify the functionality and cost of all user software that is required to perform encryption/decryption, key generation, key recovery, certificate path acquisition and verification and to interact with other system elements (e.g., Certification Authority, Key Recovery Agent).
Responders should also provide any additional information about the functional capabilities, performance and cost of their product or service that will assist Federal agencies participating in the Key Recovery Demonstration Project in evaluating the offerings. Where cryptographic functions are performed, responders should state the degree to which their offered product or service complies with FIPS 140-1. Where applicable, responders should specify the degree to which their offered product or service complies with the NIST draft "Minimum Interoperability Specification for PKI Components".
SUBMISSIONS - Offerors are encouraged to submit concise but descriptive proposals, which will be accepted until 5:00 P.M., EST on JULY 11, 1997. Five (5) copies of the proposal shall be submitted to the following address: Marsha Rodgers, Acquisition and Assistance Division, National Institute of Standards and Technology, Building 301 Room B117, Gaithersburg, Maryland 20899. PROPOSALS SENT BY FAX OR E-MAIL WILL BE REJECTED. Proposals will be selected through a technical/scientific/business decision process with technical and scientific considerations being most important. Individual proposal evaluations will be based on acceptability or nonacceptability without regard to other proposals submitted under the announcement. HOWEVER, DUE TO BUDGETARY CONSTRAINTS, ALL ACCEPTABLE PROPOSALS MAY NOT BE FUNDED. No award will be made without a proposal to perform the specific effort within an estimated cost and time framework.
PROPOSAL FORMAT - Proposals shall consist of two separate parts. Part 1 shall provide the technical proposal and Part 2 shall address costs. The proposal must not exceed the number of pages stated below (a "page" is defined to be a sheet of paper no greater than 8 x 11 inches, in type not smaller than 12 pitch).
Part 1 shall include: (1) Cover Page (1 page) - (a) Title: Key Recovery Demonstration Project Proposal; (b) Name of organization submitting proposal; (c) Contracting Official (Name, Title, Address, Telephone Number, Electronic Mail Address); (d) Technical Contact (Name, Title, Address, Telephone Number, Electronic Mail Address); (2) Organization Description (1 page) - (a) Principal business of organization; (b) Major qualifications and past achievements in data encryption/key recovery technology; (c) KRDP system elements for which proposal is being submitted. (3) Offered Products and/or Services (1-3 pages per offered product or service) - For each offered product and/or service, responders should provide the corresponding information requested in the Proposal Content Section of this BAA. Part 2, Costs, shall be supported by detailed breakdowns of labor hours by labor category and tasks/subtasks, materials, travel, computer and other direct and indirect costs.
ADDITIONAL INFORMATION: The following documents can be accessed at World Wide Web site http://csrc.nist.rip/krdp: KRDP Project Summary, FIPS 140-1, Implementation Evaluation Criteria for the KRDP, "Enabling Privacy, Commerce, Security, and Public Safety in the Global Information Infrastructure", referenced on Page 1, draft Minimum Interoperability Specification for PKI Components, and example Methods of Key Recovery. Any further technical questions relating to the BAA should be directed to: Jerry Mulvenna, Phone - (301) 975-3631, E-Mail Address - jerry.mulvenna@nist.gov. Any contractual questions should be directed to Marsha Rodgers at (301)975-6398. The period of performance of the BAA is six months from the date of each award. This announcement constitutes a Broad Agency Announcement as contemplated in FAR 6.102(d)(2). There will be no formal request for proposals or other solicitations regarding this announcement. Proposals shall be valid for a period of twelve (12) months after submission.
Where the effort consists of multiple portions which could reasonably be partitioned for purposes of funding, these should be identified with separate cost estimates for each. The Government reserves the right to select for award any, all, part, or none of the proposals received in response to this announcement. This BAA is an expression of interest only, and does not commit the Government to pay any pre-proposal or proposal preparation costs. All responsible sources may submit a proposal which shall be considered.
EVALUATION CRITERIA/AWARD PROCESS: Proposals will be evaluated based on acceptability or unacceptability using the following criteria, which are listed in decreasing order of priority: (1) Utility for Meeting Project Goals - For data recovery systems, the offered products and/or services should provide a method of implementing key recovery in Federal Government applications or the means to be integrated with the products and services offered by other contractors to provide this service. Reference the Implementation Evaluation Criteria for the KRDP at the above-mentioned web site. (2) Availability of Offered Products and/or Services - The offered products or services should be able to be integrated within a timeframe that will allow testing to commence as soon as possible. (3) Compliance with Applicable Standard or Specification - Where applicable, the degree to which the offered product or service complies with FIPS 140-1 or the draft "Minimum Interoperability Specification for PKI Components" shall be considered a positive factor in the proposal evaluation. (4) Diversity of Key Recovery Solutions - A primary project goal is to implement, demonstrate and evaluate different solutions for key recovery.
Accordingly, products and/or services providing differing solutions will be preferred. (5) Past Performance - the offeror's capabilities, related experience, facilities, techniques, or unique combinations thereof which are integral factors for achieving the proposed objectives; and (6) Cost and Cost Realism - Cost realism will be used only as an evaluation criterion in proposals which have significantly under- or over-estimated the cost to complete their effort. All awards made in response to this BAA shall be subject to availability of Government funds. Proposals will be evaluated and ranked by a Source Selection Evaluation Panel (SSEP) composed of representatives of Federal Agencies participating in the KRDP.
LINKURL: http://www.nist.gov/admin/od/contract/contract.htm LINKDESC: NIST Contracts Homepage EMAILADD: Contract@nist.gov EMAILDESC: NIST Contracts Office CITE: (W-149 SN078311)