STAMP Out: Improving Software Security with Open Source Static Analysis Tools
This is a synopsis of a Department of Homeland Security (DHS) Science and Technology Directorate (S&T) requirement to be solicited on a sole source basis to: GrammaTech, Inc. 531 Etsy Street Ithaca, NY 14850

This is a noncompetitive action under FAR 6.302-1. Based on DHS S&T's market research and in-depth knowledge of the software assurance static analysis tools landscape, GrammaTech is the best qualified company to execute this research. S&T awarded a contract to GrammaTech under a full and open Broad Agency Announcement, which provided a group of contractors capable of doing this work. S&T selected two companies from this group to begin the Static Tool Analysis Modernization Project (STAMP), with the intent of down-selecting to the performer that best executed the project objectives. GrammaTech remained as a performer after this down-select. The GrammaTech contract was awarded as an assisted acquisition by the Department of Health and Human Services (HHS). However, HHS is no longer able to service this requirement, and DHS S&T still has the requirement. The work GrammaTech still has left under the HHS contract will not be done unless DHS awards a new contract to GrammaTech. The research proposed for the base and option periods builds substantially on work already completed under the STAMP project. It would be a significant duplication of effort and investment for the Government to select another performer through full and open competition and have them repeat work already completed by GrammaTech. The Government anticipates awarding a stand-alone contract as a result of the solicitation. The Government is not utilizing a General Services Administration Schedule or any sort of Government-wide or multiple-award contract to issue an order.
The primary place of performance will be at GrammaTech facilities and certain Government facilities designated by DHS S&T. The period of performance will include a 12-month base and one 6-month option period. No response to this synopsis is requested. All responsible sources may submit a capability statement, proposal, or quotation, which shall be considered by the agency.

The following is a summary of the requirement: DHS is committed to using cutting-edge technologies and scientific talent in its quest to make America safer. DHS S&T is tasked with researching and organizing the scientific, engineering, and technological resources of the United States and leveraging these existing resources into technological tools to help protect the homeland. One element of the DHS S&T research and development portfolio is Cyber Security research and, more specifically, software assurance.

The nation's critical infrastructure (e.g., energy, transportation, financial services) and society are extensively and increasingly controlled by software. However, weaknesses in software expose vulnerabilities that put these critical infrastructure resources at risk. As of October 2017, the National Vulnerability Database (NVD) reported more than 12,000 vulnerabilities in the calendar year. That's nearly double the number reported in 2015 and 2016. This risk is compounded by software size and complexity and the growing reliance on reusable software code and open-source software in organizations. The current state-of-the-art software assurance tools have not kept pace with modern software. The complexity and size of software make it more difficult for software analysis tools to perform. Oftentimes these tools have difficulty tracking data flows through complex and large software systems, to the point that software analysis tools oversimplify and make assumptions about software code that are inaccurate.
The goal of STAMP is to modernize a list of candidate software analysis tools to improve tool performance and coverage, to seamlessly integrate with and support continuous integration and DevOps operational environments, and to provide more accurate analysis results by reducing false positives and providing more visibility into false negatives that often leave residual risks. STAMP is designed to create new techniques that advance the state-of-the-art capabilities found in software analysis tools and will help address the risks posed by the increasing use of software. STAMP will improve the testing and evaluation of static analysis tools, with a focus on improving deployment and understanding as well as expanding weakness coverage and strength of tools for use in the Software Assurance Marketplace (SWAMP). In addition, GrammaTech Inc. will develop and implement a repeatable methodology for testing, evaluating, and modernizing existing open-source static analysis tools.

To perform this work, the contractor will need to have the following minimum capabilities:
• Deep understanding of the current state of static analysis tools, including the shortcomings of the various tool vendors and the challenges facing software security implementers as they consider acquiring software assurance tools
• In-depth knowledge of the software security life cycle and how it must be integrated into the software development workflow
• Deep corporate experience in software analysis and flaw-finding capability, particularly as applied in a research and development environment
• Understanding of and previous experience working with the National Institute of Standards and Technology, specifically their Software Assurance Metrics And Tool Evaluation (SAMATE) program
• Previously demonstrated experience developing realistic test cases, at scale, based on real open source code
• Previously demonstrated experience performing both white box and black box testing of static analysis tools
• Previously demonstrated experience in developing a unified methodology for software assurance testing, including consideration of the following: test-case generation, target development languages and existing tools, assessment, tool development, evaluation, and deployment.

The contractor will also need to have personnel to conduct research and development, do technical writing and editing, design the web portal, incorporate machine learning and other data science techniques into software testing, and perform program management tasks and reporting.
Data sourced from SAM.gov.