Posted: April 24, 2025, 2:30 p.m. EDT
Amendment 0002 - The purpose of the amendment is to update the response due date from no later than 5 p.m. EDT on May 2, 2025 to no later than 5 p.m. EDT on May 9, 2025.
Amendment 0001 - The purpose of the amendment is to answer the questions received, as provided in Attachment 1, Questions and Answers.
In addition, companies who wish to respond to this RFI should send responses via email no later than 5 p.m. EDT on May 2, 2025.
REQUEST FOR INFORMATION
The Defense Information Systems Agency (DISA), Program Executive Office (PEO) Cyber, Endpoint Security Portfolio Program Office (referred to as the Program Office) is seeking information from industry to assist with the development and planning of the next generation of the Assured Compliance Assessment Solution (ACAS).
THIS IS A REQUEST FOR INFORMATION (RFI) NOTICE ONLY. THIS IS NOT A REQUEST FOR PROPOSALS (RFP). NO SOLICITATION IS AVAILABLE AT THIS TIME.
Overview and Purpose of this Procurement
The DISA Program Office is chartered with helping Department of Defense (DoD) customers leverage provided and emerging endpoint security solutions. The ACAS team within the Program Office identifies and implements scalable enterprise scanning solutions, provides engineering consultation, provides troubleshooting and other support, provides training, and continuously assesses emerging technologies and solutions to enhance capabilities. The ACAS team is committed to increasing the security posture of the DoD by providing tools that effectively assess and provide accurate information, enhance awareness, and enable compliance in order to defend and protect the United States of America.
The Program Office is seeking information to determine the availability of a next generation scanning solution to scan an estimated 11 million devices that builds on the existing spectrum of scanning capabilities with the ability to scale from one asset to the size of the DoD enterprise with scan results collected at a minimum every 72 hours, or more frequently as can be supported by the bandwidth, storage and infrastructure.
The current ACAS capability provides the DoD (Combatant Commands, Services, DoD Agencies and Field Activities, Combat Support Agencies, and other program approved organizations) a means for identifying and assessing assets and devices; and evaluating the design, security and compliance posture of DoD systems and networks. As a next generation solution to the current ACAS, the Program Office is seeking a solution that:
- Sustains what the DoD already has on-premises and allows for expansion into areas such as Internet of Things (IoT), Operational Technology (OT) and the cloud.
- Covers the full range of network-based scanning, host-based agent and agentless scanning, log correlation, and passive traffic analysis capabilities.
- Assesses compliance with security controls, configuration best practice guidelines, network and data segmentation, network architecture, and patch management.
- Works on all types of assets/network infrastructure.
- Provides flexibility to incorporate changes as new technologies emerge, opportunities for consolidation are identified, new standards are accepted/established by the DoD, and new customers/customer demands arise and need to be met.
The Program Office is seeking information from the vendor community to assist with finding the best solution available. The Program Office has done research, including demonstrations and hands-on evaluation of some of the potential solutions. However, it is possible for the Program Office to miss a solution, or to miss a key feature of a solution, that could change the direction of future procurement activities. The Program Office is therefore seeking the perspective of the vendor community on solution options and best fit.
Scope of Effort
The result of the RFI is for the Program Office to make an informed decision on:
- The most suitable product candidates for replacement of ACAS.
- The potential costs, migration criteria, impact to the user community, training options, licensed versus hosted delivery, and the ability to continue providing services during the migration period.
- The hardware, software, access, storage, circuitry, bandwidth, and program office level of support. The Program Office must provide for the solution to run at a local and global scale.
The end result of any subsequent procurement is an affordable scanning solution that meets the current capabilities and can expand in the future to meet the requirements listed in this RFI. The target period of performance for the next generation ACAS contract/order is 1 November 2025 through 31 October 2030, set up as a firm fixed price order with a base year and 4 option years.
ACAS is used DoD-wide, both Continental United States (CONUS) and Outside Continental United States (OCONUS). All devices connected to the DoD Information Network (DoDIN) are within scope. Devices include laptops, desktops, servers, hand-held devices, infrastructure assets (e.g., routers, switches), Internet Protocol (IP)-based telephony gear, printers, scanners, facsimile, thermostats, refrigerators, light switches, and may run any of the following operating systems: Windows, UNIX/Linux and variants (e.g. Solaris, OS X, Juniper Network Operating System (JUNOS)), Cisco IOS, Macintosh, and thin-client operating systems.
ACAS is an approved production system composed of Tenable Security Center, Nessus Scanner, Nessus Agents, Nessus Manager, and Nessus Network Monitor. The Program Office provides two options for users to access and use ACAS:
- An Enterprise Service available to support any approved organization. Multiple Non-secure Internet Protocol Router Network (NIPRNet) and Secret Internet Protocol Router Network (SIPRNet) ACAS (Tenable) Security Centers are located at CONUS and OCONUS (Europe and Pacific). All Security Centers in the Enterprise Service have a 30-day back-up and recovery capability. Application upgrades are executed by DISA staff. The service includes Red Hat Enterprise Linux (RHEL) operating system licensing. Organizations are responsible for implementing their own scanners to connect to this service.
- For organizations who prefer to implement and manage their own ACAS: DISA provides ACAS Enterprise Licensing and applications for Security Center and Nessus Manager (including patches and upgrades), enterprise reciprocity and supporting Assessment and Authorization (A&A) documentation, and enterprise help desk support. Organizations provide their own ACAS Security Centers, scanners, back-up and recovery capability, and RHEL licenses for the Security Centers.
The existing ACAS licensing, add-ons, and professional services are being executed under the following:
Contract Number: NNG15SC34B / HC108421F0030
Contract Vehicle: NASA SEWP
Incumbent and their size: Sirius Federal LLC, Other than Small Business
Method of previous acquisition: Brand Name; Limited Sources
Period of performance: December 27, 2020 to December 26, 2025
Technical Characteristics
The following are the technical and operational characteristics for the solution:
- Standards based. Must support National Institute of Standards and Technology (NIST) compliance solutions where they are fully defined and validation programs are available (e.g., Security Content Automation Protocol (SCAP), Common Vulnerabilities and Exposures (CVE), Common Platform Enumeration (CPE), Extensible Configuration Checklist Description Format (XCCDF), and Open Vulnerability and Assessment Language (OVAL)). The Government also expects that vendor proprietary scanning languages will be used for devices and operating systems.
- Agent/Agentless. Support both an agent-based approach to scanning (i.e., installed on the endpoint, with an option to ride on some other non-network protocol) and agentless scanning. Allow scanning with both administrative and non-administrative privileges; the solution must not require root or administrator privileges in order to operate.
- Network Discovery and Assessment. Discover and provide a detailed network inventory, illustrating all assets on a defined set of IP ranges and/or circuits across any network; capable of assessing open ports, running applications, operating systems and versions, etc. Enable consistent root, administrative or system-level access to attain the data required for complete scan results that accurately reflect the vulnerability, patch, and configuration status of each device. Work on expeditionary DoD networks, where devices are continually being connected, disconnected, then reconnected and/or created and deleted, such as virtual environments.
- Asset Identification and Characterization. Uniquely and persistently identify devices; each device shall be associated with a unique identifier used to reliably track changes in inventory, compliance, and vulnerability posture for the asset over time, and not impacted by changes in the IP address, Medium Access Control (MAC) address, or existence of multiple devices with duplicate IP and MAC addresses. Scan results for devices with insufficient data to uniquely identify the devices shall be identified and excludable from reports. Allow characterization of individual assets and groups of assets by associating metadata (e.g., organization that owns the asset, accreditation boundary, releasability of asset data, logical location of the device on the network, and/or other data) that assists with targeting scans or understanding scan results.
- Automated Network Vulnerability/Compliance Scanning. Provide tailored scanning based on available resources and mission priorities. Provide execution of an automated recurring scan based upon a scheduled time period. Execute customized scans based on priority of effort, such as speed, completeness, or network impact. Provide a capability to determine asset configuration and access rights. Compare the discovered configuration and permissions to organization security configuration policies as well as standard templates for industry best practices (e.g., vendor, NIST, National Security Agency (NSA), SANS Institute, etc.) using standards-based formats (e.g., XCCDF).
- Application Vulnerability Scanning. Assess the security of exposed application interfaces to include web pages, individual databases hosted by a common database management system, collaborative applications, scripting, file sharing applications, and other applications hosting exploitable interfaces against known attack vectors such as SQL injection, cross-site scripting, command injection, buffer overflow, etc. Results should focus on application and software assessment methodologies and policies, procedures and techniques. Provide vulnerability, misconfiguration, and missing patch assessments with data confidence equal to system level access on Windows devices or root level access on non-Windows devices. Enable administrative input to cross-reference commercially identified or categorized vulnerabilities to the DoD Information Assurance Vulnerability Management (IAVM) reporting compliance requirements based on CVE ID, patch ID, or another designator.
- Configuration Assessment. Assess and collect inventories of authentication controls, access controls, applied patches, confidential data handling services or products, spyware, malware, anti-virus product configurations, systems, and server vulnerabilities.
- Remote and Peripheral Device Configuration. Provide assessments against network devices such as printers, multi-function devices (MFD), cross domain guards, Universal Serial Bus (USB) connected devices on connected systems, firewall and router configurations, virtual private networking servers and connecting clients, server configurations such as email and remote access, VoIP, wireless, and Demilitarized Zone (DMZ) security.
- Performance. Must balance the time it takes to complete an accurate analysis against the consumption of available resources (e.g., network bandwidth, target stability, inadvertent denial of service). Must support the ability to interrupt and resume scans to meet endpoint performance needs. Agent and network-based scanning capabilities should request and transmit only the scan definitions/plugins required to assess the software installed on the target devices. Further limit bandwidth by implementing incremental updates to scan definitions (i.e., only send definitions that have changed since the last update). Provide incremental reports containing only vulnerabilities, misconfigurations, and inventory elements that have changed since the last assessment.
- Scalability. Ability to control assessments and gather data for a minimum of 100,000 servers, workstations, routers, and switches with fully authenticated vulnerability and compliance results ("managed" devices) along with 250,000 devices with unauthenticated results such as OS fingerprinting, open ports, and inferred vulnerabilities based on packet header analysis ("unmanaged" devices) in the same on-site repository.
- Areas of Growth. The Program Office is interested in expanding the existing capabilities to address technical requests/requirements. This includes:
- Using open standard protocols such as the Trusted Network Connect (TNC) Interface for Metadata Access Points (IF-MAP).
- Going beyond Cyber Operational Attribute Management System (COAMS) tagging and implementing an identifier that facilitates accurate and detailed scanning and can be used to confirm the scan results.
- Public Key Infrastructure (PKI) enablement and on-premises scalability.
- Scanning of cloud assets, devices, and hybrid environments; scalability in the cloud; support for Amazon Web Services (AWS)/Azure/Oracle Cloud Infrastructure (OCI)/ Google Cloud Platform (GCP); Federal Risk and Authorization Management Program (FedRAMP) certification.
- Expanding capabilities for scanning IoT and OT.
- Additional opportunities for third party (3rd Party) integration.
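The standards-based and automated compliance scanning characteristics above expect results in standards-based formats such as XCCDF. The following is an added example, not part of this RFI and not any vendor's product code, showing how an XCCDF 1.2 TestResult is rolled up into a compliance summary. The embedded result document, its rule identifiers and the target host name are constructed for the example and do not correspond to any real DISA STIG or DoD asset. The practitioner's check it encodes: only "pass" and "fixed" count as compliant; "error", "unknown" and "notchecked" mean the check did not run and are reported separately rather than silently inflating the compliance percentage.

```python
"""Roll an XCCDF 1.2 TestResult up into a compliance summary.
Added illustration for the standards-based and automated compliance scanning
characteristics in the RFI; hypothetical code, not part of the RFI or any product.
The embedded document is constructed for the example and is not a real STIG."""
import xml.etree.ElementTree as ET
from collections import Counter

XCCDF_NS = {"x": "http://checklists.nist.gov/xccdf/1.2"}

# Result values defined by XCCDF 1.2. Only "pass" and "fixed" demonstrate
# compliance; "error", "unknown", "notchecked" and "notselected" mean the check
# did not produce an answer and must never be counted as compliant.
COMPLIANT = {"pass", "fixed"}
NON_COMPLIANT = {"fail"}
NOT_ASSESSED = {"error", "unknown", "notchecked", "notselected"}
EXCLUDED = {"notapplicable", "informational"}

# Constructed sample result (rule IDs and host name are placeholders).
SAMPLE_RESULT = """<Benchmark xmlns="http://checklists.nist.gov/xccdf/1.2" id="xccdf_example_benchmark_demo">
  <TestResult id="xccdf_example_testresult_demo"
              start-time="2025-04-01T00:00:00" end-time="2025-04-01T00:05:00">
    <target>host-a.example.mil</target>
    <rule-result idref="xccdf_example_rule_ssh_protocol" severity="high">
      <result>fail</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_password_length" severity="medium">
      <result>pass</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_gui_banner" severity="low">
      <result>notapplicable</result>
    </rule-result>
    <rule-result idref="xccdf_example_rule_audit_daemon" severity="high">
      <result>error</result>
    </rule-result>
  </TestResult>
</Benchmark>
"""


def parse_test_result(xml_text: str):
    """Return (target name, list of {rule, severity, result}) from a TestResult.
    Accepts either a Benchmark wrapping a TestResult or a bare TestResult."""
    root = ET.fromstring(xml_text)
    tr = root if root.tag.endswith("}TestResult") else root.find("x:TestResult", XCCDF_NS)
    if tr is None:
        raise ValueError("no xccdf:TestResult element found")
    target = tr.findtext("x:target", default="", namespaces=XCCDF_NS)
    rows = []
    for rr in tr.findall("x:rule-result", XCCDF_NS):
        rows.append({
            "rule": rr.get("idref"),
            "severity": rr.get("severity", "unknown"),
            "result": rr.findtext("x:result", default="unknown", namespaces=XCCDF_NS),
        })
    return target, rows


def rollup(rows):
    """Count outcomes, compute a compliance percentage over assessed rules only,
    and list high-severity rules that are failed or unassessed (both need attention)."""
    counts = Counter()
    open_high = []
    for r in rows:
        res = r["result"]
        if res in COMPLIANT:
            counts["compliant"] += 1
        elif res in NON_COMPLIANT:
            counts["non_compliant"] += 1
        elif res in EXCLUDED:
            counts["excluded"] += 1
        else:
            counts["not_assessed"] += 1
        if res not in COMPLIANT and res not in EXCLUDED and r["severity"] == "high":
            open_high.append(r["rule"])
    assessed = counts["compliant"] + counts["non_compliant"]
    percent = round(100.0 * counts["compliant"] / assessed, 1) if assessed else None
    return dict(counts), percent, sorted(open_high)


def summarize(xml_text: str = SAMPLE_RESULT):
    target, rows = parse_test_result(xml_text)
    counts, percent, open_high = rollup(rows)
    return {"target": target, "counts": counts, "percent_compliant": percent,
            "open_high": open_high}


if __name__ == "__main__":
    print(summarize())
</test>
```

On the sample document the roll-up reports one compliant, one non-compliant, one excluded and one not-assessed rule, a compliance figure of 50.0 percent over the two rules that were actually assessed, and two high-severity rules needing attention, one of which is the check that errored rather than failed. A scanner that folds "error" into "pass" would report the same host as 66.7 percent compliant with a single open high, which is the discrepancy an IAVM reviewer would want surfaced.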
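The Asset Identification and Characterization and Performance characteristics above call for an identifier that survives IP and MAC changes, excludable handling of records with insufficient identity data, and incremental reports listing only what changed. The following is an added example, not part of this RFI and not any vendor's implementation, of one way to meet both: a registry that maps every strong identifier ever observed (agent UUID, firmware UUID, chassis serial, FQDN) to a single canonical asset ID, and a delta report keyed on that ID. The two scan cycles are constructed sample data; the CVE strings are placeholders and the attribute names are assumptions about what authenticated scans collect.

```python
"""Stable asset identity across IP/MAC changes, plus incremental (delta)
reporting. Added illustration of the Asset Identification and Performance
characteristics in the RFI; hypothetical code, not a product implementation."""
from dataclasses import dataclass, field
from typing import Optional

# Evidence in descending order of trust. An agent-installed UUID survives NIC
# swaps, a firmware UUID or chassis serial survives OS reinstalls, an FQDN is
# weaker but still persistent. IP and MAC are deliberately excluded: DHCP churn,
# cloned VMs with duplicate MACs and NAT'd enclaves make them unreliable.
IDENTITY_KEYS = ("agent_uuid", "bios_uuid", "system_serial", "hostname_fqdn")


@dataclass
class ScanRecord:
    ip: str
    mac: Optional[str] = None
    agent_uuid: Optional[str] = None
    bios_uuid: Optional[str] = None
    system_serial: Optional[str] = None
    hostname_fqdn: Optional[str] = None
    findings: frozenset = field(default_factory=frozenset)  # e.g. CVE identifiers


class AssetRegistry:
    """Maps every strong identifier ever observed to one canonical asset ID,
    so a host keeps its ID when some identifiers disappear between scans."""

    def __init__(self) -> None:
        self._by_evidence: dict[str, str] = {}
        self._next = 1

    def resolve(self, rec: ScanRecord) -> Optional[str]:
        evidence = [f"{k}:{getattr(rec, k).lower()}" for k in IDENTITY_KEYS if getattr(rec, k)]
        if not evidence:
            return None  # only IP/MAC available: insufficient, flag and exclude
        known = {self._by_evidence[e] for e in evidence if e in self._by_evidence}
        if len(known) > 1:
            return None  # evidence points at two existing assets: ambiguous, never merge silently
        if known:
            aid = known.pop()
        else:
            aid = f"asset-{self._next:06d}"
            self._next += 1
        for e in evidence:  # learn any identifiers first seen in this scan
            self._by_evidence[e] = aid
        return aid


def assess(registry: AssetRegistry, records: list):
    """Return (findings keyed by asset ID, records excluded for insufficient identity)."""
    results: dict[str, frozenset] = {}
    excluded: list = []
    for rec in records:
        aid = registry.resolve(rec)
        if aid is None:
            excluded.append(rec)
        else:
            results[aid] = results.get(aid, frozenset()) | rec.findings
    return results, excluded


def incremental_report(previous: dict, current: dict) -> dict:
    """Only assets whose findings or presence changed since the last assessment."""
    report = {}
    for aid in previous.keys() | current.keys():
        before = previous.get(aid, frozenset())
        after = current.get(aid, frozenset())
        new, resolved = after - before, before - after
        if aid not in previous:
            status = "new_asset"
        elif aid not in current:
            status = "not_seen"
        elif new or resolved:
            status = "changed"
        else:
            continue  # unchanged: omitted from the incremental report
        report[aid] = {"status": status, "new": sorted(new), "resolved": sorted(resolved)}
    return report


# Constructed sample scans (placeholder data). Cycle 2 moves host A to a new IP
# with its agent uninstalled, reuses host C's old IP for a new device, and
# leaves host B unchanged.
CYCLE_1 = [
    ScanRecord("10.0.0.5", mac="aa:bb:cc:00:00:01", agent_uuid="A1", bios_uuid="B1",
               findings=frozenset({"CVE-2024-0001", "CVE-2024-0002"})),
    ScanRecord("10.0.0.6", mac="aa:bb:cc:00:00:02", bios_uuid="B2",
               findings=frozenset({"CVE-2024-0003"})),
    ScanRecord("10.0.0.7", mac="aa:bb:cc:00:00:03",  # unauthenticated: no strong identity
               findings=frozenset({"CVE-2024-0009"})),
]
CYCLE_2 = [
    ScanRecord("10.0.0.50", mac="aa:bb:cc:00:00:09", bios_uuid="B1",
               findings=frozenset({"CVE-2024-0002"})),
    ScanRecord("10.0.0.6", mac="aa:bb:cc:00:00:02", bios_uuid="B2",
               findings=frozenset({"CVE-2024-0003"})),
    ScanRecord("10.0.0.7", mac="aa:bb:cc:00:00:04", bios_uuid="B4",
               findings=frozenset({"CVE-2024-0005"})),
]


def run_two_cycles():
    registry = AssetRegistry()
    first, excluded_1 = assess(registry, CYCLE_1)
    second, excluded_2 = assess(registry, CYCLE_2)
    return incremental_report(first, second), len(excluded_1), len(excluded_2)


if __name__ == "__main__":
    report, ex1, ex2 = run_two_cycles()
    for aid, entry in sorted(report.items()):
        print(aid, entry)
    print(f"excluded for insufficient identity: cycle 1 = {ex1}, cycle 2 = {ex2}")
```

Run stand-alone, the report contains exactly two entries: host A keeps its asset ID despite the new IP, new MAC and missing agent, and shows one resolved finding; the device that inherited host C's IP is reported as a new asset rather than as a change to C; host B, unchanged, is omitted. The cycle-1 record with only IP and MAC is counted as excluded rather than being given an ID that a later DHCP lease would silently reassign. The registry refuses to merge when a record's evidence points at two previously distinct assets; that case is returned as unidentifiable for an analyst to reconcile, which is the conservative choice for a system of record.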
Requested Information
Based on the information provided in the previous sections, interested vendors should provide the following in response to the RFI:
- What solution do you recommend to satisfy the technical requirements described in this RFI? What are its key technical characteristics (e.g., which standards are already built in, how it supports customizable scanning, how it supports portability)? In two or three sentences, describe why you chose the recommended solution. In four or five sentences, describe what is unique about your solution or what sets it apart from similar solutions in the marketplace.
- How should this solution be architected to support the entire DoD (i.e. network deployment and support, logical data flow)?
- How would your company establish operations support for the Program Office, including business-critical (24x7) support: the manpower required to deploy, support, and train Program Office staff; assistance with training for customers; and a product support plan?
- Discuss the management support for the entire enterprise.
- How does your company/your solution include and address software support (e.g., patches, releases, unlimited downloading, etc.)?
- If applicable, describe the tools you provide your customers to track licenses and manage the software (to access the commercial off-the-shelf (COTS) license and track downloads, upgrades, and updates of the software families).
- Describe the pricing methods for the suggested solution to include the costs of software, training and operational support. If subject matter expert (SME) support will be included or proposed, describe what the support will do.
- Describe whether your solution meets, and whether your company has experience with, NIAP, STIGs, Assessment and Authorization, Section 508, and FIPS 140-2 requirements.
- Describe how your recommended solution would integrate with the capabilities in DoD today. What synergies could be realized in this proposed architecture?
- Discuss your solution or company offering for training on the software (e.g., white papers, YouTube videos, webinars, more formal training curriculum such as instructor led or self-paced).
- The DoD and the Program Office will continue to evolve their capabilities, policies, procedures, and other guidance, including consideration of solutions that address multiple programs (i.e., how the vulnerability assessment solution could be used to supplement, or be supplemented by, Comply-to-Connect (C2C) efforts). Describe how the company follows, embraces, prototypes, and plans for releases of new technology and evolving technology trends. Describe how the company assists customers and businesses with embracing planned technology changes.
- Include a Rough Order of Magnitude (ROM) cost estimate over a five-year lifecycle. Include training, installation, software licenses, maintenance, tracking system, and any other costs. If your solution includes only the software licenses and maintenance, that information would also be valuable.
- If a solution other than Tenable is recommended, a key consideration for the next generation ACAS solution is the ability to successfully transition the existing user and license base (the DoD) to the new solution. Describe how you would assist in retaining and supporting the deployed environments and current users while transitioning to your solution and expanding the environment. What tools are available within your solution, or assistance within your company, to support the transition (e.g., the solution will read in/accept scan data from Tenable, company staff will work with the Program Office to plan the transition, pre-developed scripts to read in data run by knowledgeable and experienced company staff, etc.)?
- How is your solution licensed or purchased in the Federal Government (Enterprise license? Subscription license? Hosted?)? If applicable, list the existing vehicles (e.g., GWACs) through which the Government can procure the solution.
- Do you have any other suggestions or considerations for the Program Office?
- Please also submit the following non-technical information:
- Company Name
- CAGE/Unique Entity ID under which the company is registered in SAM.gov
- Company Address
- Technical and Contracts Points of contact information
- Are you a small business under an NAICS 541519, Information Technology Value Added Resellers, size standard $34M or 513210, Software Publishers, size standard $47M?
- If a small business, what type of small business are you (e.g., 8(a), HUBZone, Women Owned, Veteran Owned, etc.)?
- Are you interested as a Prime or Subcontractor?
Response Guidelines:
Interested parties are requested to respond to this RFI with a white paper. Submissions cannot exceed 20 pages, single spaced, 12-point type with at least one-inch margins on 8 1/2 x 11 page size. The response, including all items associated with the RFI response, should not exceed a 5 MB e-mail limit. Responses must specifically describe the contractor's capability to meet the requirements outlined in this RFI. Oral communications are not permissible. SAM.gov will be the sole repository for all information related to this RFI.
In addition, please complete the ACAS 3 Requirements for RFI spreadsheet: the CRITICAL Requirements tab and the OPTIONAL (HIGH) Technical Requirements tab. To complete the CRITICAL tab, use the dropdown in Column C and enter any clarifying information or comments in Column D. To complete the OPTIONAL (HIGH) tab, enter any clarifying information or comments in Column D.
Companies who wish to respond to this RFI should send responses via email no later than 5 p.m. EDT on April 24, 2025, to bogdan.f.novacescu.civ@mail.mil, jason.c.wilson66.civ@mail.mil, and melyssa.d.lafontaine.civ@mail.mil.
Industry Discussions:
DISA representatives may choose to meet with potential offerors and hold one-on-one discussions. Such discussions would only be intended to obtain further clarification of potential capability to meet the requirements, including any development and certification risks.
Questions:
Questions regarding this announcement shall be submitted in writing by e-mail to melyssa.d.lafontaine.civ@mail.mil and carmelynanne.bryan.civ@mail.mil. Verbal questions will NOT be accepted. Answers to questions will be posted to SAM.gov. The Government does not guarantee that questions received after 5 p.m. EDT on April 17, 2025, will be answered in time for vendors to address them in their response. The Government will not reimburse companies for any costs associated with the submission of their responses.
Disclaimer:
This RFI is not a Request for Proposal (RFP) and is not to be construed as a commitment by the Government to issue a solicitation or ultimately award a contract. Responses will not be considered as proposals, nor will any award be made as a result of this synopsis.
All information contained in the RFI is preliminary as well as subject to modification and is in no way binding on the Government. FAR clause 52.215-3, Request for Information or Solicitation for Planning Purposes, is incorporated by reference in this RFI. The Government does not intend to pay for information received in response to this RFI. Responders to this invitation are solely responsible for all expenses associated with responding to this RFI. This RFI will be the basis for collecting information on capabilities available. This RFI is issued solely for information and planning purposes. Proprietary information and trade secrets, if any, must be clearly marked on all materials. All information received in this RFI that is marked Proprietary will be handled accordingly. Please be advised that all submissions become Government property and will not be returned, nor will receipt be confirmed. In accordance with FAR 15.201(e), responses to this RFI are not offers and cannot be accepted by the Government to form a binding contract.