SOURCES SOUGHT ANNOUNCEMENT

The Department of Defense Education Activity (DoDEA), VA, on behalf of the Department of Defense, Office of Inspector General (DoD OIG), is seeking sources for Enterprise Encryption Software.

CONTRACTING OFFICE ADDRESS: Department of Defense Education Activity, Procurement Division, 4800 Mark Center Drive, Alexandria, VA 22350-1400.

INTRODUCTION: This is a SOURCES SOUGHT synopsis to conduct market research and determine the availability of commercial enterprise encryption software that will allow the DoD OIG to protect, control, and track all data residing on DoD shared services infrastructure, private and/or public cloud environments. The software encryption solution should provide data-at-rest encryption, centralized key management, granular file access controls, and detailed data access event logs, allowing DoD OIG the capability to administer and manage encryption key and access policies to control who, what, when and how data can be accessed.

DISCLAIMER: THIS SOURCES SOUGHT IS FOR INFORMATIONAL PURPOSES ONLY. THIS IS NOT A REQUEST FOR PROPOSAL. IT DOES NOT CONSTITUTE A SOLICITATION AND SHALL NOT BE CONSTRUED AS A COMMITMENT BY THE GOVERNMENT. RESPONSES IN ANY FORM ARE NOT OFFERS AND THE GOVERNMENT IS UNDER NO OBLIGATION TO AWARD A CONTRACT AS A RESULT OF THIS ANNOUNCEMENT. NO FUNDS ARE AVAILABLE TO PAY FOR PREPARATION OF RESPONSES TO THIS ANNOUNCEMENT. ANY INFORMATION SUBMITTED BY RESPONDENTS TO THIS TECHNICAL DESCRIPTION IS STRICTLY VOLUNTARY.

CONTRACT/PROGRAM BACKGROUND: This is a new requirement.

REQUIRED CAPABILITIES: Software encryption solution providing a single integrated platform capable of providing data-at-rest encryption, centralized key management, privileged user access control, granular file access controls, and detailed data access event logs.
The ability to encrypt and secure structured and unstructured databases and files residing in physical, virtualized or cloud environments without having to change or modify infrastructure, OS, or applications. Encryption will operate with nominal impact to the network and compute layer, and with no increase in size to the storage area protected.

REQUIRED FEATURES
• Full data protection suite, capable of centralizing key management and data protection into a single integrated platform.
• Solution must support multitenant operations using role-based administration for compartmentalized management of data security policies, data encryption keys, and audit logs.
• Encryption solution must run in Windows Server 2008 (R2), 2012 (R2), 2016; Linux RHEL/CentOS 6.x/7.x, and Unix (HP, AIX).
• Solution must have the flexibility to run in VMware, Hyper-V, KVM, and Amazon Elastic Compute VM instances.
• Encryption solution must be compatible with enterprise backup solutions (NetBackup, Spectrum Protect, CommVault, etc.).
• Encryption performance must be able to demonstrate less than 10% overhead up to 70% CPU utilization.
• Enforcement must continue to operate if there is a loss of access to the centralized key management portion.
• Solution must be capable of Block level encryption at the file level and Field Level Encryption at the application layer.
• Solution must be capable of tokenization with dynamic data masking.
• Solution must be capable of safeguarding files in cloud storage environments.
• Solution must be capable of NIST standard format-preserving encryption (FPE).
• Solution must be able to work with SAN block level storage (iSCSI or Fibre Channel connections).
• Solution must be able to utilize a centralized key management system. The key management system must be able to operate in a remote data center or the cloud so the data owner can maintain the policy and access controls remotely along with the keys.
• Solution must support granular policy level control over who, what, when, where and by which application can access data.
• Solution must be able to prevent, via policy, rogue users or applications from accessing data.
• Ability to blind the storage administrator from seeing clear text data.
• Solution must be able to prevent Windows Administrator, Linux/Unix Root, and Sys Admin level credentials from decrypting data.
• Solution must be able to prevent SU/SUDO from Root.
• Solution must be able to create separate, isolated communities of interest with separate RBAC, Keystore, Policy, and Host Administration.
• Compatibility with known SIEM tools. This integration should be seamless and include at least pre-built dashboards and connectors for Splunk, ArcSight, QRadar, LogRhythm and Nitro.
• Provide audit/logging capture capabilities in real-time, showing the credentials accessing data, the application used, the location of data being accessed and any violations of access policy.
• Solution must meet FIPS 140-2 Level 3 for both tamper evident and resistant levels for key management.
• The use of Suite B (ECC) compliant TLS communications.
• Support of KMIP for third party key support and PKCS #11 libraries to offer the widest variety of capability.
• Solution must make use of Live Data Transformation that streamlines encryption deployment and ongoing operation by enabling.
• Requires no maintenance windows for deploying initial encryption or for ongoing rekeying efforts.
• Ability to migrate data from clear text to encrypted, without downtime or any disruption to users, applications, or business workflows.
• Allows for periodic key rotation, without having to duplicate data or take associated applications offline.

SOURCES SOUGHT: The anticipated North American Industry Classification System Code (NAICS) for this requirement is 541519, with the corresponding size standard of _150 employees.
This Sources Sought Synopsis is requesting responses to the following criteria from all sources that can provide software with the required features under the NAICS Code. To assist DoDEA in making a determination regarding the level of participation by small business in any subsequent procurement that may result from this Sources Sought, you are also encouraged to provide information regarding your plans to use joint venturing (JV) or partnering to meet each of the requirements areas contained herein. This includes responses from qualified and capable Small Businesses, Small Disadvantaged Businesses, Service-Disabled Veteran-Owned Small Businesses, Women-Owned Small Businesses, HUBZone Small Businesses, and 8(a) companies. You should provide information on how you envision your company's areas of expertise and those of any proposed JV/partner being combined to meet the specific requirements contained in this announcement. In order to make a determination for a small business set-aside, two or more qualified and capable small businesses must submit responses that demonstrate their qualifications. Responses must demonstrate the company's ability to perform in accordance with the Limitations on Subcontracting clause (FAR 52.219-14).

CAPABILITY STATEMENT
Interested contractors must identify and/or demonstrate the following:
1. Provide your past experience successfully providing the commercially available encryption software to a Federal agency.
2. Provide an affirmative response on your firm's ability to meet all of the Required Features listed above.
3. Provide catalog pages, descriptions, and other software documentation that details your software's capability to meet all of the Required Features identified above.
4. Explain how your licenses are sold and what is included in the cost of the licenses.
5. Describe your firm's approach to providing annual software maintenance.
6. Describe any training that you provide with installation of the software.
If training is provided, explain how your training will be made available to the government (electronically or online only).
7. Describe any implementation/installation support that you will provide to ensure the encryption software is fully operational and working as intended.
8. Provide a planning cost estimate for encrypting 460 servers and the cost of annual maintenance.

SUBMISSION DETAILS: Responses must include:
1) Business name and address;
2) Name of company representative and their business title;
3) Type of Business;
4) CAGE Code;
5) Other contract vehicles that would be available to the Government for the procurement of the product and service, to include ENCORE II, General Services Administration (GSA), GSA MOBIS, NIH, NASA SEWP, Federal Supply Schedules (FSS), or any other Government Agency contract vehicle. (This information is for market research only and does not preclude your company from responding to this notice.)

Vendors who wish to respond to this sources sought should send responses via email no later than December 12, 2018, 12:00 PM, Eastern Standard Time (EST) to Mr. Jerome Carter at [email protected] and Mr. Wardell Gordon at [email protected]. Interested vendors should submit a brief capabilities statement package (no more than ten (10) pages) demonstrating ability to provide a software package that meets the government need. The response should not exceed a 10 MB e-mail limit for all items associated with the response. Responses must specifically describe the contractor's capability to meet the requirements outlined in this notice. Oral communications are not permissible.

Proprietary information and trade secrets, if any, must be clearly marked on all materials. All information received that is marked Proprietary will be handled accordingly. Please be advised that all submissions become Government property and will not be returned. All government and contractor personnel reviewing RFI responses will have signed non-disclosure agreements and understand their responsibility for proper use and protection from unauthorized disclosure of proprietary information as described in 41 USC 423. The Government shall not be held liable for any damages incurred if proprietary information is not properly identified.