[Commerce Business Daily: Posted May 29, 1997]

From the Commerce Business Daily Online via GPO Access




CLASSCOD: 70--General-Purpose Information Technology Equipment

OFFADD: National Institute of Standards & Technology, Acquisition

  & Assistance Div., Bldg. 301, Rm B117, Gaithersburg, MD 20899


SOL 52SBNB7C1208

DUE 071197

POC Marsha Rodgers (301)975-6398, FAX (301)963-7732

DESC: BROAD AGENCY ANNOUNCEMENT -- The National Institute of

  Standards and Technology (NIST) is soliciting proposals for

  products and services which will demonstrate the viability

  of the recovery of keys that are used to support data encryption

  in Federal government applications. BACKGROUND: In May 1996,

  the Office of Management and Budget (OMB) released a white

  paper entitled "Enabling Privacy, Commerce, Security, and Public

  Safety in the Global Information Infrastructure". This paper

  stated that "government and industry must work together to

  create a security management infrastructure and attendant products

  that incorporate robust cryptography without undermining national

  security and public safety". Recently, a task group was formed

  for the purpose of testing the feasibility of implementing

  emergency key recovery capabilities in Federal Government applications.

  Approximately ten Federal agencies will participate in a Key

  Recovery Demonstration Project (KRDP), formerly known as the

  Emergency Access Demonstration Project (EADP), to demonstrate

  the viability of key recovery. In this Broad Agency Announcement

  (BAA), NIST is soliciting products and services to support

  this project. GOALS: Specific goals of the KRDP include the

  following: (a) demonstrate the practicality of key recovery

  in Federal Government applications; (b) determine to what extent

  Commercial Off-The-Shelf (COTS) products or commercially available

  services currently exist to support key recovery. Products

  that can be modified with minimum difficulty will also be considered;

  (c) determine how these products and services can be integrated

  into existing applications; (d) identify, implement, test and

  evaluate diverse key recovery technologies; and (e) identify

  barriers to interoperability among applications that use different

  key recovery technologies and make recommendations for lessening

  or removing those barriers. OBJECTIVES: Different methods of

  key recovery will be demonstrated. Encryption keys will be

  recovered by Key Recovery Agents upon receipt of an authorized

  request; keys used for digital signatures will not be recovered.

  Off-the-shelf technology is being sought for use on this project;

  there are no restrictions on standards compliance or algorithm

  usage. The KRDP will include a Public Key Infrastructure (PKI)

  which consists of a root Certification Authority (CA) and several

  dependent Certification Authorities. CAs certify the public

  keys of particular user communities and provide certification

  paths to other CAs so that public keys in other CA domains

  may be verified. The root CA will be located at and be operated

  by NIST. The remaining CAs will be located either at the sites

  of agencies participating in the project or at third party

  sites. Other components of the KRDP that will be procured under

  this BAA include Organization Registration Authorities (ORAs)

  and Key Recovery Agents (KRAs). ORAs authenticate users, validate

  requests, and interact with the Certification Authorities;

  ORAs may also request key recovery from a KRA. KRAs are used

  to recover keys, key components or plaintext messages upon

  the receipt of an authorized request. The infrastructure imposes

  no implementation constraints. For example, the services provided

  by a CA and a KRA could be included in a single product. An

  example infrastructure which illustrates three possible methods

  for accomplishing key recovery in a PKI environment can be

  found at the web site specified in this BAA. PROPOSAL CONTENT:

  NIST is seeking the following information about off-the-shelf

  products and/or services that can be used in the Key Recovery

  Demonstration Project: the functionality of the product or

  service (e.g., CA, ORA, KA, user); whether a product or a service

  is being offered; a list of all features (e.g., key generation)

  provided by the product or service; a description of the proposed

  key recovery methodology to be used, if appropriate; whether

  the proposed product or service is currently available and,

  if not, the expected date of availability; the requirements

  for operating or communicating with the proposed product or

  service; information which specifies how the product or service

  can be integrated with the product(s) and service(s) provided

  by other vendors or with other project elements (e.g., CA,

  ORA), if applicable; any constraints on product integration,

  such as dependence on a particular cryptographic algorithm,

  cryptographic product, communication interface etc.; and the

  extent to which additional negotiated enhancements to the product

  and/or service can be made. Since the enhancements that may

  be requested cannot be specified at this time, a general statement

  about the capability of responding to such a request is all

  that is required. The following information about the KRDP

  elements should be provided when being proposed by a vendor:

  (1) Certification Authority - A Certification Authority system

  certifies public keys and optionally generates public/private

  key pairs and may act as a certificate repository. If a Certification

  Authority system is provided as a service, specify the services

  provided and the cost of each service. Explain any factors

  that will cause the cost to vary and the method of obtaining

  the services that are provided. If a Certification Authority

  can be purchased, explain the impact of any factors that will

  affect the initial procurement cost and provide the cost of

  operating the system. Vendors who provide only a certificate

  repository service should specify the cost and the method of

  accessing this service. (2) Key Recovery Agent - If key recovery

  is provided as a service, specify the cost of registering with

  the key recovery service and the costs of key recovery operations.

  Indicate how these costs will vary, depending upon the number

  of users that are registered and the number of key recoveries

  that are performed. Specify the key archival services provided,

  if applicable, and the cost of these services. List and specify

  the costs of cryptographic products that must be used in conjunction

  with the key recovery service. If a key recovery product can

  be procured for operation by the user or user's representative,

  list all factors that will affect pricing. List and specify

  the costs of cryptographic products that must be used in conjunction

  with the key recovery service. (3) Organization Registration

  Authority - Specify all costs associated with the procurement

  and operation of an Organization Registration Authority. Explain

  the method of interaction with the Certification Authority

  and the Key Recovery Agent, wherever applicable. (4) User Software

  - Specify the functionality and cost of all user software that

  is required to perform encryption/decryption, key generation,

  key recovery, certificate path acquisition and verification

  and to interact with other system elements (e.g., Certification

  Authority, Key Recovery Agent). Responders should also provide

  any additional information about the functional capabilities,

  performance and cost of their product or service that will

  assist Federal agencies participating in the Key Recovery Demonstration

  Project in evaluating the offerings. Where cryptographic functions

  are performed, responders should state the degree to which

  their offered product or service complies with FIPS 140-1.

  Where applicable, responders should specify the degree to which

  their offered product or service complies with the NIST draft

  "Minimum Interoperability Specification for PKI Components".

  SUBMISSIONS - Offerors are encouraged to submit concise, but

  descriptive proposals which will be accepted until 5:00 P.M.,

  EST on JULY 11, 1997. Five (5) copies of the proposal shall

  be submitted to the following address: Marsha Rodgers, Acquisition

  and Assistance Division, National Institute of Standards and

  Technology, Building 301 Room B117, Gaithersburg, Maryland


  will be selected through a technical/scientific/business decision

  process with technical and scientific considerations being

  most important. Individual proposal evaluations will be based

  on acceptability or nonacceptability without regard to other

  proposals submitted under the announcement. HOWEVER, DUE TO


  FUNDED. No award will be made without a proposal to perform

  the specific effort within an estimated cost and time framework.

  PROPOSAL FORMAT - Proposals shall consist of two separate parts.

  Part 1 shall provide the technical proposal and Part 2 shall

  address costs. The proposal must not exceed the number of pages

  stated below (a "page" is defined to be a sheet of paper no

  greater than 8 x 11 inches, in type not smaller than 12 pitch).

  Part 1 shall include: (1) Cover Page (1 Page) (a) Title:

  Key Recovery Demonstration Project Proposal; (b) Name of organization

  submitting proposal; (c) Contracting Official (Name, Title,

  Address, Telephone Number, Electronic Mail Address); (d) Technical

  Contact (Name, Title, Address, Telephone Number, Electronic

  Mail Address); (2) Organization Description (1 page) - (a) Principal

  business of organization; (b) Major qualifications and past

  achievements in data encryption/key recovery technology; (c)

  KRDP system elements for which proposal is being submitted. (3)

  Offered Products and/or Services (1-3 pages per offered product

  or service) - For each offered product and/or service, responders

  should provide the corresponding information requested in the

  Proposal Content Section of this BAA. Part 2, Costs, shall

  be supported by detailed breakdowns of labor hours by labor

  category and tasks/subtasks, materials, travel, computer and

  other direct and indirect costs. ADDITIONAL INFORMATION: The

  following documents can be accessed at World Wide Web site

  http://csrc.nist.gov/krdp: KRDP Project Summary, FIPS 140-1,

  Implementation Evaluation Criteria for the KRDP, "Enabling

  Privacy, Commerce, Security, and Public Safety in the Global

  Information Infrastructure", referenced on Page 1, draft Minimum

  Operability Specification for PKI Components, and example

  Methods of Key Recovery. Any further technical questions relating

  to the BAA should be directed to: Jerry Mulvenna, Phone -

  (301) 975-3631, E-Mail Address - jerry.mulvenna@nist.gov. Any

  contractual questions should be directed to Marsha Rodgers

  at (301)975-6398. The period of performance of the BAA is six

  months from the date of each award. This announcement constitutes

  a Broad Agency Announcement as contemplated in FAR 6.102(d)(2).

  There will be no formal request for proposals or other solicitations

  regarding this announcement. Proposals shall be valid for a

  period of twelve (12) months after submission. Where the effort

  consists of multiple portions which could reasonably be partitioned

  for purposes of funding, these should be identified with separate

  cost estimates for each. The Government reserves the right

  to select for award any, all, part, or none of the proposals

  received in response to this announcement. This BAA is an expression

  of interest only, and does not commit the Government to pay

  any pre-proposal or proposal preparation costs. All responsible

  sources may submit a proposal which shall be considered. EVALUATION

  CRITERIA/AWARD PROCESS: Proposals will be evaluated based

  on acceptability or unacceptability using the following criteria

  which are listed in decreasing order of priority: (1) Utility

  for Meeting Project Goals - For data recovery systems, the

  offered products and/or services should provide a method of

  implementing key recovery in Federal Government applications

  or the means to be integrated with the products and services

  offered by other contractors to provide this service. Reference

  the Implementation Evaluation Criteria for the KRDP at the

  above-mentioned web site. (2) Availability of Offered Products

  and/or Services - The offered products or services should be

  able to be integrated within a timeframe that will allow testing

  to commence as soon as possible. (3) Compliance with Applicable

  Standard or Specification - Where applicable, the degree to

  which the offered product or service complies with FIPS 140-1

  or the draft "Minimum Interoperability Specification for PKI

  Components" shall be considered a positive factor in the proposal

  evaluation. (4) Diversity of Key Recovery Solutions - A primary

  project goal is to implement, demonstrate and evaluate different

  solutions for key recovery. Accordingly, products and/or services

  providing differing solutions will be preferred. (5) Past Performance

  - the offeror's capabilities, related experience, facilities,

  techniques, or unique combinations thereof which are integral

  factors for achieving the proposed objectives; and (6) Cost

  and cost realism - Cost realism will be used only as an evaluation

  criterion in proposals which have significantly under- or over-estimated

  the cost to complete their effort. All awards made in response

  to this BAA shall be subject to availability of Government

  funds. Proposals will be evaluated and ranked by a Source Selection

  Evaluation Panel (SSEP) composed of representatives of Federal

  Agencies participating in the KRDP. 

LINKURL: http://www.nist.gov/admin/od/contract/contract.htm

LINKDESC: NIST Contracts Homepage

EMAILADD: Contract@nist.gov

EMAILDESC: NIST Contracts Office

CITE: (W-149 SN078311)