D - Information technology services, including telecommunications services
Homeland Security Presidential Directive (HSPD) 12.
General Services Administration, Office of the Chief Acquisition Officer (V), GSA Headquarters Contracting Division (VC), 18th & F Streets, NW Room 4020, Washington, DC, 20405
Kisha Emmanuel, Contracts Specialist, Phone 202 219-3457, Fax 202 501-3161, Email firstname.lastname@example.org
1.0 PURPOSE
The General Services Administration (GSA) is requesting information on the capability of commercial vendors to provide system solutions that will meet the implementation requirements of Homeland Security Presidential Directive (HSPD) 12. Specifically, GSA is seeking information on the capability of commercial vendors to deploy, operate, and maintain system solutions that provide one or more of the following core components for HSPD-12 systems:
- Registration system/services;
- Identity Management System/services;
- Card Management System/services;
- Public Key Infrastructure (PKI) Certification Authority services;
- Card Printing System/services.
This solution must comply with Homeland Security Presidential Directive 12 (HSPD-12), Federal Information Processing Standard 201 (FIPS 201) and the applicable NIST Special Publications developed by the National Institute of Standards and Technology. Respondents are requested to:
(a) Identify current capacity to deploy, operate and maintain one or more HSPD-12 functional system components as identified in this RFI,
(b) Identify a capacity to deploy, operate and maintain one or more HSPD-12 functional system components as identified in this RFI by August 27, 2006 (60 days prior to the PIV II deadline),
(c) Identify a capacity to provide on-going operations and maintenance of the identified system components including 7x24 operations, 7x24 help desk capability and training services,
(d) Identify a capacity to provide the service in a highly available manner with a calculated service level at no less than 99.9% calculated on a monthly basis (43 minutes/month unplanned outage),
(e) Identify a 5 year estimate of costs based on "number of cards issued" for 100,000 cardholders, 250,000 cardholders, 500,000 cardholders and > 1 million cardholders (initial year and four (4) years of O&M), and
(f) Optionally demonstrate the identified solution(s).
Alternatively, respondents are requested to submit proposals addressing alternative HSPD-12 service-based solutions with a) an explanation of why the alternative is better than the approach recommended in this RFI and b) answers to items (a) through (f) in the paragraph above.
Homeland Security Presidential Directive 12 (HSPD-12), issued by President George W. Bush on August 27, 2004, mandates the establishment of a standard for identification of Federal Government employees and contractors. HSPD-12 requires the use of a common identification credential for both logical and physical access to Federally-controlled facilities and information systems. This policy is intended to enhance security, increase efficiency, reduce identity fraud, and protect personal privacy.
The Department of Commerce and National Institute of Standards and Technology (NIST) were tasked with producing a standard for a secure and reliable form of identification. In response, NIST published Federal Information Processing Standard Publication 201 (FIPS 201), Personal Identity Verification (PIV) of Federal Employees and Contractors, on February 25, 2005. This standard is accomplished in the form of a PIV card and associated digital credentials that comply with the FIPS 201 standard and are used for both physical and logical access control, and other applications as determined by the individual agencies. FIPS 201 consists of two parts: PIV I and PIV II. The standards in PIV I support the control objectives and security requirements described in HSPD-12. The standards in PIV II support the technical interoperability requirements described in HSPD-12. PIV II also specifies standards for implementing identity credentials on smart cards for use in the Federal PIV system.
HSPD-12 requires that the Federal credential (the PIV) card be secure and reliable, which is defined as a credential that:
- Is issued based on sound criteria for verifying an individual's identity;
- Is strongly resistant to identity fraud, tampering, counterfeiting, and terrorist exploitation;
- Can be rapidly authenticated electronically; and
- Is issued only by providers whose reliability has been established by an official accreditation process.
3.0 HSPD-12 CORE SYSTEM TECHNICAL REQUIREMENTS
This section describes the functions to be performed and the certification and compliance standards for the HSPD-12 core system. Respondents must ensure the solution described is fully compliant with the referenced standards, and any certifications included in those standards:
- FIPS 201: Federal Information Processing Standards (FIPS) Publication 201, Personal Identity Verification (PIV) of Federal Employees and Contractors, National Institute of Standards and Technology (NIST), 25 February 2005
- SP 800-73: Special Publication 800-73, Interfaces for Personal Identity Verification, National Institute of Standards and Technology (NIST), April 2005
- OMB Implementation Guide: Implementation of Homeland Security Presidential Directive (HSPD) 12, Policy for a Common Identification Standard for Federal Employees and Contractors, Office of Management and Budget, M-05-24, DRAFT 5 August 2005
- NIST 800-79: Guidelines for the Certification and Accreditation of PIV Card Issuing Organizations, Publication No. 800-79, NIST, July 2005
- OMB Circular A-130, Appendix III, Security of Federal Automated Information Resources, OMB, 28 November 2000
- Federal Identity Management Handbook, OMB, September 2005
In addition, the proposed solution must ensure that the following functionality shall be available:
1. Logging and audit capability must support both forensic and system management capabilities with minimum ability to a) reconstruct the chain of trust for PIV issuance and management, b) reconstruct access events to a given logical and/or physical asset and c) reconstruct access events by an individual cardholder.
2. A flexible reporting functionality that allows data to be presented in graphical format, as well as filtered and sorted in any way necessary to present usage, operations, security, auditing, and management information.
3. Controls to prevent cardholders from having more than one card issued at any one time.
4. Support for separation of duties and roles segmented across departmental and agency lines.
5. Support for separation of data management and administration across departmental and agency lines.
6. Meets government privacy and confidentiality requirements.
7. Seamless interfaces between the components of the proposed solution, and those not proposed but noted on the diagram provided below, specifically, the Personnel Management System(s), Background Investigation System, Physical Access Control Systems and Logical Access Control Systems.
8. Ability to issue both SP800-73 Part 2 (transition) and Part 3 (endpoint) cards.
3.1 Registration System
The Registration Function refers to the processes and information flows required for collecting identity information from registrants and distributing that information to the required processing points. Registration includes collecting, storing, and maintaining all information and documentation that is required for verifying and assuring the applicant's identity. Various types of biometric (e.g., fingerprints, photographs) and source identity information (e.g., passport, driver's license) are collected from the applicant at the time of registration. Minimum concepts associated with Registration include: a) an interface between geographically distributed workstations and the identity management system, b) a 10-slap fingerprint scanner, c) a document scanner, d) a digital camera, e) a card reader and f) a driver's license reader/validator. The registration function must interface with the identity management system to identify valid applicants and to store the applicants' identity verification biometrics and data. All data transferred between the registration service and the identity management system must take no more than 30 seconds across a T1 (1.54 Mbps) communications line.
3.2 Identity Management System (IDMS)
The identity management system (IDMS) is the secured data store for all applicant identity records. The IDMS performs the identity proofing, verification, and validation functions required to establish the validity of an identity claim; holds and processes applicant status information; and ensures that all card issuance requirements are met prior to printing a card. The IDMS extracts the primary and secondary fingerprints and submits the 10 fingerprint slap to the Background Investigation facility (OPM, FBI) by accepted protocols. In addition, the IDMS interfaces with the card management system, registration systems, a variety of government systems for personnel management, enterprise-level physical access control systems, and enterprise-level logical access control systems.
The respondent is requested to identify how an individual's data can be securely protected, with read/write permissions to data constrained by role (sponsors, registrars, adjudicators, issuers) and by Agency (HHS, DOE, USDA, DHS, etc.).
3.3 Card/Credential Management System (CMS)
The card/credential management system tracks and manages the status of the PIV card throughout its entire lifecycle, including but not limited to the production-request, personal data record, activation, issuance, suspension, and revocation events. Card operations and maintenance functions such as addressing lost cards, card malfunctions, card renewal, card reissue, applet updates, PIN resets and other card "life cycle" functions should also be managed by the CMS.
Special Publication 800-73 provides two PIV card specifications: an optional transition card specification (Part 2) and a mandatory endpoint card specification (Part 3). However, SP800-73 does not standardize card management interfaces. Proposed solutions should identify interoperability issues associated with the lack of standard PIV card management interfaces at the card level, and may provide observations and recommendations regarding PIV card management interface specifications.
Because smart cards issued by the CMS will remain in use for up to 5 years, a critical success factor in the project will be "avoidance of card holder confusion." Towards this goal, the respondent is requested to explain the process for a) updating applets, PKI certificates and other information on the ICC, b) version control within the system, c) forgotten and regularly changed PINs and d) other card life cycle functions.
The CMS interfaces with the IDMS, the PKI certification authority, and the card printing system, and must be capable of interacting with a variety of government systems for enterprise-level logical access control systems and physical access control systems in a secure manner. Responses must identify how the security of the system will be managed.
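The lifecycle tracking described in 3.3, together with the single-active-card control (item 3 of the functionality list in 3.0) and the audit requirement to reconstruct events per card and per cardholder (item 1), can be made concrete as a small state model. The following is an added example written for this page; it is not code from the RFI, from GSA, or from any vendor product. The state names, transition table, operator roles and sample identifiers are all constructed for illustration and are not FIPS 201 or SP 800-73 identifiers.

```python
"""Hypothetical PIV card lifecycle model (added example, not part of the RFI).

It tracks each card through production-request, issuance, activation,
suspension and revocation, refuses a second live card for a holder, and
keeps an append-only audit trail from which events can be reconstructed
per card and per cardholder. All names below are constructed.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Optional

# Allowed lifecycle transitions. Constructed: the RFI names the events but
# does not define a state machine, so this table is an assumption.
TRANSITIONS = {
    "requested": {"issued", "revoked"},
    "issued": {"active", "revoked"},    # activation follows 1:1 biometric verification
    "active": {"suspended", "revoked"},
    "suspended": {"active", "revoked"},
    "revoked": set(),                   # terminal state
}
# States in which a card counts as issued for the one-card-per-holder control.
LIVE_STATES = {"requested", "issued", "active", "suspended"}


@dataclass(frozen=True)
class AuditEvent:
    when: datetime
    actor: str                 # operator identifier
    role: str                  # sponsor / registrar / issuer (constructed roles)
    card_id: str
    holder_id: str
    old_state: Optional[str]   # None for the initial production request
    new_state: str


@dataclass
class CardManagementSystem:
    cards: dict = field(default_factory=dict)   # card_id -> (holder_id, state)
    audit: list = field(default_factory=list)   # append-only event log

    def _record(self, actor, role, card_id, holder_id, old, new):
        self.audit.append(AuditEvent(datetime.now(timezone.utc), actor, role,
                                     card_id, holder_id, old, new))

    def request_card(self, actor, role, card_id, holder_id):
        """Open a production request; refuse it if the holder already has a live card."""
        if card_id in self.cards:
            raise ValueError(f"card {card_id} already exists")
        for cid, (hid, state) in self.cards.items():
            if hid == holder_id and state in LIVE_STATES:
                raise ValueError(f"holder {holder_id} already has live card {cid}")
        self.cards[card_id] = (holder_id, "requested")
        self._record(actor, role, card_id, holder_id, None, "requested")

    def transition(self, actor, role, card_id, new_state):
        """Move a card to a new state if the transition table allows it."""
        holder_id, old_state = self.cards[card_id]
        if new_state not in TRANSITIONS[old_state]:
            raise ValueError(f"{old_state} -> {new_state} not allowed for {card_id}")
        self.cards[card_id] = (holder_id, new_state)
        self._record(actor, role, card_id, holder_id, old_state, new_state)

    # Audit reconstruction as required by item 1 of section 3.0.
    def events_for_holder(self, holder_id):
        return [e for e in self.audit if e.holder_id == holder_id]

    def events_for_card(self, card_id):
        return [e for e in self.audit if e.card_id == card_id]


def demo():
    """Walk one constructed holder through issue, lost-card revocation and replacement."""
    cms = CardManagementSystem()
    cms.request_card("op1", "sponsor", "CARD-0001", "HOLDER-A")
    cms.transition("op2", "issuer", "CARD-0001", "issued")
    cms.transition("op2", "issuer", "CARD-0001", "active")
    # A second card for the same holder is refused while the first is live.
    try:
        cms.request_card("op1", "sponsor", "CARD-0002", "HOLDER-A")
        duplicate_blocked = False
    except ValueError:
        duplicate_blocked = True
    # Lost card: revoke it, after which a replacement request is accepted.
    cms.transition("op3", "issuer", "CARD-0001", "revoked")
    cms.request_card("op1", "sponsor", "CARD-0002", "HOLDER-A")
    return cms, duplicate_blocked


if __name__ == "__main__":
    cms, blocked = demo()
    print("duplicate blocked:", blocked)
    for e in cms.events_for_holder("HOLDER-A"):
        print(e.card_id, e.old_state, "->", e.new_state, "by", e.actor, e.role)
```

The audit list is only appended to, never rewritten, so every state the card passed through, and the operator and role that moved it there, can be replayed for a given card or a given holder; a production deployment would additionally have to protect that log's integrity, which this example does not attempt.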
3.4 Public Key Infrastructure (PKI) Certificate Authority
The PKI Certification Authority function is responsible for the generation of key pairs, the issuance and distribution of digital certificates containing the public key of the cardholder, and the management and dissemination of certificate status information. This function is used throughout the life cycle of PIV Cards, from generation and loading of authentication keys and PKI credentials, to usage of these keys for secure operations, to eventual renewal, reissuance, or termination of the card. The function is also responsible for the provisioning of publicly accessible repositories and services (such as PKI directories and certificate status responders) that provide information to the requesting application about the status of the PKI credentials. The PKI Certification Authority interacts with the CMS.
In all HSPD-12 deployments, the PKI certificate service requirements are provided in one of two ways:
- Approved PKI Certification Authorities that are members of the Federal PKI and cross-certified with the Federal Bridge Certificate Authority (these enterprise domains can be found at http://cio.gov/fbca).
- PKI Shared Service Providers that are approved to provide Federal PKI services under the Federal PKI Common Policy (these PKI Shared Service Providers can be found at http://cio.gov.ficc).
3.5 Card Printing System (CPS)
The card printing system covers card printing and distribution. These functions include personalization of the physical (visual surface) and logical (contents of the ICC chip) aspects of the card at the time of card personalization. The CPS is also responsible for all card production activities, including: maintaining control over the card stock, printing and personalizing the PIV card, logging and auditing of the print events, and distribution of the PIV Cards to the respective agency contact.
For the purpose of this RFI, the five components above are considered the "HSPD-12 core system." The personnel management systems (for employees, affiliates, or contractors), the background investigation system, physical access control systems and logical access control systems identified in Figure 1 will most likely be addressed by individual Departments and are not to be addressed in this RFI, except for explaining the data interfaces between the solution and these components.
4.0 TURNKEY SERVICE SOLUTIONS
The General Services Administration (GSA) is requesting information on the capability of commercial vendors to provide system solutions that will meet the implementation requirements of Homeland Security Presidential Directive (HSPD) 12. Specifically, GSA is seeking information on the capability of commercial vendors to deploy, operate, and maintain system solutions that provide one or more of the following core components for HSPD-12 systems:
- Registration system/services;
- Identity Management System/services;
- Card Management System/services;
- Public Key Infrastructure (PKI) Certification Authority services;
- Card Printing System/services.
Respondents are requested to explain the availability and responsiveness of a help desk, accessible to a limited number of Federal persons (possibly persons limited to Department-specific help desks).
Respondents are requested to provide explanations concerning the interfaces to the system components on the architecture diagram that are not provided as part of the proposed solution.
5.0 HSPD-12 CORE SYSTEM PERFORMANCE MEASURES
The respondent is requested to comment on the practicality and validity of the following metrics:
- Card printing and distribution within 24 hours after the workflow indicates permission to print the card.
- Notification of suspension or revocation to a PACS and LACS interface within 20 minutes from notification to the system.
- Following the issuance and 1:1 biometric verification, activation of the card within 5 minutes.
- Enrollment (registration) time per applicant within 15 minutes.
- Systems are scalable in terms of number of transactions per day and number of records, to meet the federal government's growth needs.
- Each component of the proposed solution shall have an uptime requirement of 99.9% measured on a monthly basis (no more than 43 minutes per month unplanned outage).
- Help Desk services shall be available to limited Department-level help desks for assistance with system availability, performance and card-printing status. Human availability and response to help desk requests shall be within 5 minutes of a phone call.
Respondents are encouraged to provide additional metrics on other aspects of the deployment of one or more HSPD-12 system components.
6.0 ESTIMATE OF COSTS
The respondent is requested to identify a 5 year estimate of costs based on "number of cards issued" for 100,000 cardholders, 250,000 cardholders, 500,000 cardholders and > 1 million cardholders (initial year and four (4) years of O&M). Other formulations and pricing models may be proposed.
The respondent is requested to explain the strategy for providing system and physical security for the provided service.
8.0 OTHER INFORMATION SOUGHT
In addition, respondents are encouraged to address the following issues:
Should the government specify interfaces between functional components or will interoperability be defined by industry?
What is the industry's capacity to provide the identified system components as an integrated solution to one or more federal enterprises?
What is the industry's capacity to provide multiple enterprise-wide solutions simultaneously to meet the government-wide implementation timeframe of October 2006?
9.0 RESPONDENT INFORMATION SOUGHT
Respondents should identify their interest as either a Prime Contractor or a Subcontractor. The statement should also include information on corporate experience, as well as key staff experience with turnkey service-based solutions of similar size, scope, and complexity. The response should include past performance information on systems of similar size, scope, and complexity, including (1) Contract Name; (2) Point of Contact (POC); (3) Phone Number; (4) email address; and, (5) Description of Services Provided. The response should address basic corporate information including annual gross revenue, number of employees in the company, number of years in business, and the primary focus of the business and associated NAICS code(s). The cover letter submitted in response to this request should include the following information: (1) Company Name; (2) Primary Point of Contact; (3) Address; (4) Telephone Number; (5) Fax Number; (6) E-mail address for POC; and, (7) Interest as Prime Contractor or Subcontractor. The cover letter should also indicate the Socioeconomic status of the company as one or more of the following: (1) small business; (2) 8(a) business; (3) HUBZone small business; (4) small disadvantaged business; (5) woman-owned small business; (6) veteran-owned small business; (7) service-disabled veteran-owned small business; or (8) large business.
10.0 INSTRUCTIONS FOR RESPONDING
The objective of this Request for Information (RFI) announcement is to obtain information on capabilities currently available in the marketplace, based on the requirements outlined above, from all interested businesses (large and small). Responses to this RFI will assist the Government in determining acquisition strategies for individual Federal Departments and the Federal Government at large. All interested businesses are hereby invited to submit responses of no more than 25 pages that address Section 3.0 through Section 7.0. The response should be tailored to this request and specifically address capabilities to provide the services outlined above in the timeframes identified.
Written or email responses shall be submitted to:
Darwin Roberts, Operations Manager
Center for Smart Card Solutions (TFS)
General Services Administration
1800 F Street NW, Rm 5010
Washington, DC 20405
Respondents are requested to submit proposals no later than 4:30 P.M. Eastern Time on January 9, 2006. Responses shall be sent in accordance with Section 10. The results of this RFI may or may not result in any additional procurement being taken.
All questions shall be submitted in writing via email to Darwin Roberts, at firstname.lastname@example.org, no later than 1:00 pm EST on December 29, 2005. No questions will be accepted by telephone. The Government reserves the right to edit any questions as needed to protect the identity of the source, but absent this consideration, the Government intends to quote each submitted question verbatim in its response. The Government has targeted, but cannot guarantee, a consolidated response to all vendors on or about January 3, 2005.
This is an RFI issued solely for information gathering. It does not constitute a Request for Proposal (RFP). Responses to this RFI will not affect a potential offeror's ability to respond to any RFP that may or may not follow. Please ensure that any sensitive or protected information is marked as such.
12/12/2005 12:00:00 AM