NIST posts sources sought for cybersecurity research, development, implementation
On December 21, the National Institute of Standards and Technology posted the following sources sought notice. Responses are due via email. The response deadline has been extended from January 8 to January 15 at 3:00pm.
The National Institute of Standards and Technology (NIST) Information Technology Laboratory’s (ITL) Computer Security Division is seeking to identify sources with the capabilities to assist the Division in accomplishing its core mission of providing standards, technology, tools, and practices to protect our nation’s information and information systems.
General Task Areas:
1. Provide technical inputs into, and support the development of, Standards, Guidelines, NIST Interagency Reports (NISTIRs), Models, Measures, Derived Test Requirements (DTRs), and Standard Reference Material(s) for topic areas including, but not limited to:
a. Applied Cybersecurity (for example, Cyber-Physical Systems, Public Safety Communications, Health Information Technology, Electronic Voting, Critical Infrastructure, and Federal Agency Cybersecurity)
b. Information and Communications Technology Supply Chain Risk Management
c. Cybersecurity Awareness, Training, Education, and Workforce Development
d. Cryptographic Standards, and Techniques for Emerging Applications
e. Validation Programs (for example, cryptographic modules, security content automation protocols)
f. Identity, Access, and Privilege Management
g. Cloud Computing and Virtualization
h. Mobile Security
i. Network and Internet Security
j. Advanced Security Testing, Measurement, and Reference Data (for example, security content automation, incident handling, vulnerability management, and information sharing)
k. Technical Security Metrics (for example, roots of trust, combinatorial testing, attack graphs)
l. Organizational and System Risk Assessment and Management
m. Software and application development, and application modeling
n. Privacy engineering and risk management
2. Development work to be conducted in the following areas:
a. Automated testing and reference implementations
   a. Generation of STIX-expressed indicators from cyber forensic analysis tools
   b. Generation of SCAP-expressed content from automated indicators
b. Policy Machine demonstrations and reference implementations
c. Proof of concept of various PIV and derived credential implementations
d. Crypto Validation Program (CVP) resolve automation system software development
3. Research work to be conducted in the following areas:
a. Cyber-Physical Systems, Public Safety Communications, Health Information Technology, Electronic Voting, Critical Infrastructure, and Federal Agency Cybersecurity practices
b. Information and Communications Technology Supply Chain Risk Management
c. Cybersecurity Awareness, Training, Education, and Workforce Development
d. Cryptographic Research, and Techniques for Emerging Applications
e. Validation Programs (for example, cryptographic modules, security content automation protocols)
f. Identity, Access, and Privilege Management
g. Cloud Computing and Virtualization
h. Mobile Security
i. Network and Internet Security
j. Advanced Security Testing, Measurement, and Reference Data (for example, security content automation, incident handling, vulnerability management, and information sharing)
k. Technical Security Metrics (for example, roots of trust, combinatorial testing, attack graphs)
l. Organizational and System Risk Assessment and Management
m. Software and application development, and application modeling
n. Privacy engineering and risk management
4. Support development and implementation of processes and mechanisms to enable effective outreach and communications with collaborators and stakeholders across the cybersecurity landscape, including industry, academia, standards organizations, and governments. Processes and mechanisms may include, but are not limited to:
a. Planning and supporting workshops, conferences, webinars, and meetings;
b. Facilitating discussions and consensus-making;
c. Supporting use of communications tools including social media and innovative publishing methods;
d. Creating and/or managing a web environment and web content;
e. Testing web usability and efficacy;
f. Preparing lessons learned from previous outreach work;
g. Developing an economic and social impact evaluation of the state pilots funded under the NSTIC State Pilots Cooperative Agreement Program;
h. Developing use cases and tools to enable implementation of the privacy risk management framework; and
i. Supporting the preparation, analysis, and adjudication of Requests for Information and other public comment responses.
5. Program operations and analysis work to be conducted in the following areas:
a. NVD analysis
b. SCAP analysis
c. CMVP analysis
d. CAVP analysis
e. SCAP support to labs and vendors
f. CVP support to labs and vendors
Full information is available here.
Source: FedBizOpps