DIU seeks secure cloud management solution briefs

DIU posted a solution brief solicitation for secure cloud management. Submissions will be accepted through November 27.

The US Department of Defense (DoD) seeks to increase operational efficiency by leveraging cloud-based technologies commonly delivered through Cloud Service Providers (CSPs). Today, DoD mandates the use of a Cloud Access Point gateway to secure communication between DoD endpoints and CSPs. DoD is seeking an alternative cloud security gateway with off-the-shelf compatibility to a broad set of CSP offerings.

Background

Currently, DoD mandates the use of a Cloud Access Point (CAP) (“a system of network boundary protection and monitoring devices, otherwise known as a cybersecurity stack”) through which Cloud Service Provider (CSP) infrastructure connects to a DoD Information Network (DoDIN) service, the Non-secure Internet Protocol Router Network (NIPRNet), or Secret Internet Protocol Router Network (SIPRNet) (DoD Cloud Connection Process Guide, 2017, p. 58).

The CAP sits as a gateway between the commercial cloud service offerings and the DoD network, protecting the DoDIN from cybersecurity vulnerabilities in the cloud, while still being permissive enough to allow application and data hosting in the cloud. The CAP is used only for connections to CSPs rated for processing data at Information Impact Level 4 (DoD IL4) and above; Information Impact Level 2 (DoD IL2) CSPs connect directly to the Internet (DoD Cloud Connection Process Guide, 2017, p. 5). The DoD mandates real-time deep content inspection and session control to access cloud services; however, cloud service providers will not allow third-party sensors to be installed, even on dedicated instances.

DoD seeks an alternative cloud security gateway to CSPs. Solutions should be commercial products that leverage a deployment track record and wide customer base to ensure off-the-shelf compatibility with a continuously growing base of managed cloud services.

Vendors selected for phase two will deliver an in-person pitch as well as a live product demonstration in Mountain View, CA in early 2020. The demonstration event will allow the evaluation team to assess the current maturity of the proposed solution. NOTICE: The Government will not provide funding for company participation in the demonstration.

The proposal should provide a near-complete solution, including:

  • Controlled access to managed/unmanaged apps in the cloud, including real-time network monitoring, application access control, and session termination 
  • Full audit trail of network and application access
  • Seamless integration into existing managed cloud services (SaaS and PaaS)
  • May be a Cloud Access Security Broker (CASB)
  • During prototype, must scale to support 500+ active users and 1,000 endpoints
  • Demonstrate, through synthetic workloads or verifiable customer references, the ability to scale to a minimum of 500,000 concurrent users and 1,000,000 endpoints in production.
  • Should support roaming users on mobile devices as well as telework users
  • Minimal latency is a must to provide for teleconferencing and VoIP
  • Support single tenancy within a specified geography and geographic load-balancing

Notes:

  • Solutions should be readily available and have commercial viability.
  • Companies must be US-owned.
  • The offering should have minimum DoD IL2 on Federal Risk and Authorization Management Program (FedRAMP) authorized or existing roadmap to DoD IL2; must be open to pursuing DoD IL4 certification as part of company roadmap.
  • Companies may include prior work on classified networks or facility clearance status in their submission (described at the unclassified level). A Facilities Clearance is not required to receive an award in response to this AOI.
  • The Government may facilitate teaming arrangements among submissions offering complementary capabilities to achieve desired effect. Companies are also welcome to present their own teaming arrangements in their solution briefs.
  • Companies without a CAGE code will be required to register in SAM if selected. The Government recommends that prospective companies begin this process as early as possible.

Full information is available here.

Source: DIU