Chief Digital and Artificial Intelligence Office (CDAO)
Nov 2, 2022 ET
Nov 14, 2022 ET
This Open Call to Industry has the potential for pilot project awards that may be accomplished via Other Transaction Authority (OTA) for Prototype Projects pursuant to 10 USC 4022b (formerly 2371b). As such, assessment activities conducted in furtherance of a potential pilot project award agreement are considered competitive in the same manner as a Broad Agency Announcement (BAA) or Commercial Solutions Opening (CSO), and solutions will be assessed independently of one another, primarily for technical merit. The procedures outlined in this Open Call are considered to satisfy the reasonable effort to obtain competition in accordance with 10 USC 4022b.
DPG expectations:
DDS is seeking information to extend its current bug bounty operations for the DoD into the classified space; that is, to conduct bounties on classified information systems. Such systems could include traditional IT elements such as IP-based networks, computing systems, and applications, but also Operational Technology (OT) elements including various ICS/SCADA components and operational platforms.
We want to understand industry capabilities and interests in applying the commercial bug bounty model into the classified space, and discuss the additional challenges and constraints involved in developing such a capability. This may involve novel business models, use of technology and personnel, and potentially policy modifications.
Background
DDS has planned and executed over 40 bug bounties for the DoD since 2015, working with internal DoD partners (i.e., system owners) and industry partners. Bug bounties improve cybersecurity by gathering vetted independent security researchers (aka “white hat hackers”) to discover and report cyber vulnerabilities in a time-boxed manner; bounties incentivize researchers via cash awards (“bounties”), recognition, and other incentives. (For more information see, e.g., https://en.wikipedia.org/wiki/Bug_bounty_program.) Historically, DoD has performed these bug bounties only on unclassified systems. However, DDS and DoD system owners agree that classified systems could benefit from the same approach, subject to the risk management and regulatory issues surrounding classified information and systems.
Note: the DoD, through the Defense Cyber Crime Center, operates a Vulnerability Disclosure Program (see https://www.dc3.mil/Missions/Vulnerability-Disclosure/Vulnerability-Disclosure-Program-VDP/). This program is separate from the bug bounties conducted by DDS, and this RFI and any resulting program is not intended to modify DC3 VDP’s operations in any way.
Problem Statement
DDS has a track record of successfully executing bug bounties for the DoD on unclassified systems. We see value in extending the model to classified systems, beginning at the Secret level, and seek information from industry on their interest and capabilities in this area. To be clear, we are not seeking to execute classical penetration testing, which is a slightly different approach. Rather we wish to preserve the model of using “crowdsourced” independent vulnerability researchers, preferably in large groups (dozens to hundreds), managed by an industry partner, and rewarded based on their findings.
The key challenges we see are:
1. Availability of appropriately cleared industry partners (facility clearances, cleared employees).
2. Security and suitability of industry partner platforms to store vulnerability data for classified systems.
3. Similar to (1), availability of appropriately cleared independent security researchers.
4. Cost and logistical issues raised if access to the target systems requires on-site presence by the researchers or industry partners.
5. Potential requirement for an on-site or separate cloud instance of the industry partner’s operational platform suitable for storing vulnerability details of classified systems.
Objective
DDS aims to establish an approach to operate bug bounties on classified DoD systems, whereby industry partners are capable of, and interested in, supporting them on a regular basis. Therefore, this Call to Industry seeks industry feedback, suggestions, and/or solutions relating to the construction of such a business and operational model, including timing, resourcing, constraints, and alternative approaches.
Unfortunately, there is not a multitude of great ideas; there are likely 1 or 2. This process enables us to focus on the few ideas and solutions that have technical merit and to take action with a pilot project award. As a result, not all solution providers will participate in all rounds or obtain a pilot project agreement with the Government.
We also need flexibility as we learn new things during new assessment activities. The Government may skip or combine rounds as necessary to collect and assess information as it relates to proposed solutions. Further, the Government may go back to earlier rounds with clarifications and additional requests as necessary to identify successful solutions that will meet intended pilot project objectives. Finally, the Government may initiate steps toward a prototype project award at any round.
If you have feedback or a solution that addresses any of the listed problems, we would love to hear about it. Submit a brief discovery paper for us to assess. CDAO and select subject matter experts may invite those with interesting feedback and/or the highest potential to solve the problem to Round 2.
The goal of the DPG is to allow our Industry partners to have the opportunity to pitch in a fast-paced environment with contracting professionals poised to execute rapid pilot project awards. If selected to participate at the DPG, you will receive instructions on whether to prepare for an informal one-on-one technical discussion, demonstration of a solution, “Shark Tank” pitch, or something similar to better understand your solution. Conversations may continue outside of the DPG if additional information is needed to understand detailed solution offerings, determine the feasibility of teaming between separate solution providers, and/or make a Round 3 determination.
The Government reserves the right to make one, some, or no pilot project awards based on the Round 2 results. Successfully negotiated awards are intended to be Other Transaction Agreements under 10 USC 4022. An award under 10 USC 4022 may result in a subsequent award of a follow-on production agreement without additional competition based on successful prototype completion.
Non-Government subject matter expert (SME) judges may be used in any assessment activity. Such assessors will operate at the direction of the Government and under signed non-disclosure agreements (NDAs). The Government understands that information provided in response to this Open Call is presented in confidence, and it agrees to protect such information from unauthorized disclosure to the extent required by law. Your participation in any round of assessment under this Open Call indicates concurrence with the use of Non-Government SME judges.
Living Document
This Open Call supporting the Tradewind Prototype Challenges is a living document, intended to evolve as our business processes are automated, as we apply new business practices, or as we streamline any activity or workflow. All information presented within this document is subject to change. Specifically, the problems identified will be updated throughout the life of this Open Call. Check in regularly for updates at tradewindai.com.
PROBLEM ALIGNMENT: What is your feedback on DDS's outlined challenges, and/or how well does your solution map to our published problem(s)? Argue that the solution you’re providing is a fit to solve the published problem(s).
VALUE PROPOSITION: Why is your solution the best approach from a technical perspective? If you can convincingly refute alternatives to solving the problem, please briefly do so. If applicable, also consider arguing why the end user/warfighter would prefer your solution.
OPERATIONAL IMPACT: Looking only at the DoD personnel who will be impacted by your solution, argue that their jobs or lives will be significantly improved if your solution is adopted. What is the impact of your solution vs. today's solutions?
END USER DEMAND: Make your best pitch to the end user/warfighter directly. Why would an end user judge want to adopt your solution? To the extent that you can, make the case that end users -- once they experience your solution -- will ask for it themselves.
QUALITY OF PROSE: Prove you write clearly. Prove you argue convincingly.
Point of Contact: Anna Nichols (annaelizabeth.d.nichols.civ@mail.mil)