DIU Solicitation: Secure Cloud Management

DIU is accepting solution briefs in response to the solicitation(s) below during the indicated time periods. Submissions received after indicated time periods will not be considered.

https://www.diu.mil/work-with-us/companies/cso-solution-brief

 

1.

Secure Cloud Management:

The US Department of Defense (DoD) seeks to increase operational efficiency by leveraging cloud-based technologies commonly delivered through Cloud Service Providers (CSPs). Today, DoD mandates the use of a Cloud Access Point gateway to secure communication between DoD endpoints and CSPs. DoD is seeking an alternative cloud security gateway with off-the-shelf compatibility to a broad set of CSP offerings.

Background

Currently, DoD mandates the use of a Cloud Access Point (CAP) (“a system of network boundary protection and monitoring devices, otherwise known as a cybersecurity stack”) through which Cloud Service Provider (CSP) infrastructure connects to a DoD Information Network (DoDIN) service, the Non-secure Internet Protocol Router Network (NIPRNet), or Secret Internet Protocol Router Network (SIPRNet)”) (DoD Cloud Connection Process Guide, 2017, p. 58). 

The CAP sits as a gateway between the commercial cloud service offerings and the DoD network, protecting the DoDIN from cybersecurity vulnerabilities in the cloud, while still being permissive enough to allow application and data hosting in the cloud. The CAP is used only for connections to CSPs rated for processing data at Information Impact Level 4 (DoD IL4) and above; Information Impact Level 2 (DoD IL2) CSPs connect directly to the Internet (DoD Cloud Connection Process Guide, 2017, p. 5). The DoD mandates real-time deep content inspection and session control to access cloud services; however, cloud service providers will not allow 3rd party sensors to be installed, even on dedicated instances.

Our Ask

DoD seeks an alternative cloud security gateway to CSPs. Solutions should be commercial products that leverage a deployment track record and wide customer base to ensure off-the-shelf compatibility with a continuously growing base of managed cloud services.

Vendors selected for phase two will deliver an in-person pitch as well as a live product demonstration in Mountain View, CA in early 2020. The demonstration event will allow the evaluation team to assess the current maturity of the proposed solution. NOTICE: The Government will not provide funding for company participation in the demonstration.

The proposal should provide a near complete solution including:

  • Controlled access to managed/unmanaged apps in the cloud, including real-time network monitoring, application access control, and session termination 
  • Full audit trail of network and application access
  • Seamless integration into existing managed cloud services (SaaS and PaaS)
  • May be a Cloud Access Security Broker (CASB)
  • During prototype, must scale to support 500+ active users and 1,000 endpoints
  • Demonstrate, through synthetic workloads or verifiable customer references, the ability to scale to a minimum of 500,000 concurrent users and 1,000,000 endpoints in production.
  • Should support roaming users on mobile devices as well as telework users
  • Minimal latency is a must to provide for teleconferencing and VoIP
  • Support single tenancy within a specified geography and geographic load-balancing

Notes:

  • Solutions should be readily available and have commercial viability.
  • Companies must be US-owned.
  • The offering should have minimum DoD IL2 on Federal Risk and Authorization Management Program (FedRAMP) authorized or existing roadmap to DoD IL2; must be open to pursuing DoD IL4 certification as part of company roadmap.
  • Companies may include prior work on classified networks or facility clearance status in their submission (described at the unclassified level).  A Facilities Clearance is not required to receive an award in response to this AOI.
  • The Government may facilitate teaming arrangements among submissions offering complimentary capabilities to achieve desired effect. Companies are also welcome to present their own teaming arrangements in their solution briefs. 
  • Companies without a CAGE code will be required to register in SAM if selected. The Government recommends that prospective companies begin this process as early as possible.
  • Password-protected hyperlinks to product documentation of currently-shipping product such as administrators guide and integration guides are strongly encouraged.

Governing Documentation

This solicitation will be awarded in accordance with the Commercial Solutions Opening (CSO) process detailed within HQ0845-19-S-C001 (DIU CSO), posted to FBO in April 2019. Additionally this document can be found under “Commercial Solutions Opening” within the DIU Library at https://www.diu.mil/library.

Companies are advised that any prototype Other Transaction (OT) agreement awarded in response to this Area of Interest may result in the award of a follow-on production contract or transaction without the use of further competitive procedures. The follow-on production contract or transaction will be available for use by one or more organizations in the Department of Defense and, as a result, the magnitude of the follow-on production contract or agreement could be significantly larger than that of the prototype OT. As such, any prototype OT will include the following statement relative to the potential for follow-on production: "In accordance with 10 U.S.C. 2371b(f), and upon a determination that the prototype project for this transaction has been successfully completed, this competitively awarded prototype OTA may result in the award of a follow-on production contract or transaction without the use of competitive procedures.”

Submissions accepted from 11/14/2019 11:00 to 11/27/2019 23:00 PT

 

Solution Brief Requirements:

Solution Briefs should not exceed five (5) written pages using 12-point font or, alternatively, Solution Briefs may take the form of briefing slides which should not exceed fifteen (15). These limits are not requirements but are strongly recommended.

Suggested contents:

  • Title Page (does not count against page limit): Company Name, Title, Date, Point of Contact Name, E-Mail Address, Phone, and Address. Specifically identify the solicitation for which the Solution Brief is submitted.
  • Executive Summary (one page): Provide an executive summary of the technology.
  • Technology Concept: Describe the unique aspects of your technology and the proposed work as it relates to the solicitation. Identify whether the effort includes a pilot or demonstration of existing technology (identified as commercially ready and viable technology), or the development of technology for a potential defense application. If development or adaptation is proposed, identify a suggested path to mature the technology. Identify aspects which may be considered proprietary.
  • Company Information: Provide a brief overview of the company, including a summary of gross sales/revenue and investors / funding rounds (if applicable). Provide a summary of product history, roadmap, and go-to-market strategy.
  • Including existing customer list and/or customer case studies is encouraged.

Unnecessarily elaborate brochures or proposals are not desired. Diagrams / graphics depicting the essence of the proposed solution are strongly encouraged.

Related Topics: