
Joint Cyber Hunt Kit (JCHK)


Responses Due By

2024-06-14 23:59:59 US/Eastern Time



Problem Statement and Concept of Operations


The Department of Defense (DoD) conducts hunt operations on DoD and international or domestic partner networks in order to discover advanced persistent threats (APT) and analyze their tactics, techniques, and procedures (TTP). These hunt operations require a next-generation deployable Joint Cyber Hunt Kit (JCHK) with cutting-edge commercial off-the-shelf (COTS) and free and open source software (FOSS) capabilities.


The desired JCHK solution is best described as a mobile “security operations center (SOC) in a box” that can be transported by a nine-person team anywhere in the world. This hunt kit must be capable of standalone operation because it will most often operate in an environment where it is not permissible to connect to the internet, and not permissible to send data offsite for analysis. The hunt kit must also be capable of performing all hunt operation activities without requiring additional processing or storage resources from a partner’s on-premises infrastructure. Furthermore, the hunt kit must be transportable as carry-on luggage, meeting weight and dimension limitations on international commercial airlines, and be compatible with the limited wattage and poorly conditioned power available in developing nations. In addition to the described “SOC in a Box” capability, the JCHK shall also be a modular system that allows for additional processors, storage, software, and capability packages as future requirements are realized.


Key hunt activities include:

  • determining the best locations to place network sensors;
  • determining all possible paths to sensitive information;
  • validating and augmenting the network map using network traffic files;
  • scanning the network for software, firmware, and configuration vulnerabilities;
  • determining possible attack vectors and their likelihoods;
  • analyzing PCAP files to determine normal behavior patterns;
  • determining the causes of anomalous behaviors;
  • discovering the TTPs APTs used to gain access to a network;
  • discovering the TTPs APTs used to move within a network;
  • discovering the infrastructure that APTs prepared within a network;
  • discovering the TTPs APTs used for the Command and Control (C&C) of infrastructure;
  • discovering and analyzing the TTPs APTs used to attack a target;
  • discovering the TTPs APTs used to exfiltrate data, or deny critical services within a network;
  • discovering the TTPs APTs used to defend their infrastructure or activities from detection or degradation by network defenses; and
  • determining TTPs that network defenders could use to deter, disrupt, and defeat APT activities.


The hunt kit needs to be able to perform any and all activities related to discovering APT activities and analyzing their TTPs. This includes all of the functions typically included in extended detection and response (XDR) applications, including both endpoint detection and response (EDR) and network detection and response (NDR) functions. It also includes many of the functions typically included in case management and workflow management applications, including managing all of the hunt activities across the team as they investigate issues and piece together TTPs, write reports, and communicate with their leadership and other stakeholders. While the teams are on-mission, the hunt kit also provides all of the team’s information technology (IT) resources, including desktop IT resources for communication and report development.


Finally, while there are several security-related requirements for the hunt kit to operate on DoD networks, such as United States (US) Trade Agreement Act (TAA) compliance, DoD also desires a hunt kit whose components carry no International Traffic in Arms Regulations (ITAR) or Export Administration Regulations (EAR) export restrictions, so that foreign governments that partner with the US on hunts can procure the same hunt kits if they desire.


Schedule, Execution Details, and Quantity


The vendor must be capable of completing a prototype hunt kit for government testing within four months of receiving an Other Transaction (OT) award.


During the prototype phase of this acquisition, the vendor will deliver a fully integrated hardware / software solution, configure the software to best use the hardware resources, and integrate the software in order to improve workflows, dataflows, and the user experience (UX). The requirements for software integration and improvements will not be specified by the government, and are up to the vendor to choose as part of their strategy. The government’s hunt kit currently uses a mix of COTS software and FOSS, and the government will evaluate alternative software loads during the prototype phase of this acquisition. However, during any follow-on production phases of this acquisition, the government may choose to procure only hardware, software integration, and sustainment services if no compelling software solution is bid.


The vendor’s installation scripts or images will need to be compatible with the Joint Cyber Warfare Architecture (JCWA) software provisioning solution (JSPS), which uses infrastructure-as-code (IaC) technologies. IaC is defined as any software provisioning / software deployment mechanism that is automated, does not require a human with administrative rights to be involved, and can be stored in a repository. This includes Ansible deployment scripts, VMware deployment scripts, Kubernetes deployment scripts, and similar technologies. For the purposes of the prototyping efforts, the vendor may provision the software onto their hardware using any method they desire. Note that if the vendor demonstrates a provisioning solution in the prototyping phase that has sufficient merit, and is in the best interest of the government, there is a possibility that it could be added to the JSPS trade studies.


If the government determines the prototype project to be successfully completed and decides to award a production OT or contract, the following may apply:


  • United States Cyber Command (USCYBERCOM) and the Service Cyber Components (SCC), including Army Cyber Command (ARCYBER), Fleet Cyber Command/Tenth Fleet (FCC/10F), Air Forces Cyber/16th Air Force (AFCYBER), Marine Corps Forces Cyberspace Command (MARFORCYBER), and Coast Guard Cyber Command (CGCYBER) may procure hunt kits on an indefinite delivery, indefinite quantity (IDIQ) basis.
  • The final quantities are unknown, but for design and production feasibility analysis purposes should be assumed to be approximately 100 hunt kits per year, with the ability to scale to approximately 250 hunt kits per year, upgrade critical technologies as necessary throughout a kit’s lifecycle, replace entire systems every 3-5 years, and be able to stock or procure parts to repair and refurbish systems as required within a 2-4 week time period.
  • The government will purchase the software licenses and supply them to the vendor as government furnished equipment (GFE). It is also likely that the government will provide a small number of government off the shelf (GOTS) applications as GFE. The vendor will be responsible for integrating and sustaining all software. However, the government will own all licenses, control the distribution / prioritization of licenses, and bear all software end user license agreement (EULA) enforcement risk.


Desired Product Specifications


The DoD’s requirements are listed in 5 sections: minimum hardware requirements, optional hardware preferences, minimum software requirements, optional software preferences, and vendor support requirements. The government may further refine or elaborate on any specifications during future phases.


Minimum Hardware Requirements


The hardware solution MUST be one that:

  • Can be deployed within stacked transport cases, and in a top-of-rack or rack-mounted manner, without experiencing any degradation from electromagnetic interference or signal crosstalk.
  • Can operate on international power sources ranging from 100 VAC to 240 VAC and 50 to 60 Hz.
  • Has the ability to operate in hot indoor temperatures and on poorly conditioned power, through frequent brown-outs and occasional power surges.
  • Has the ability to be easily scaled up or down to the size of the network being hunted on, as well as the ability to be connected to to-be-defined (TBD) capability expansion packages that will extend the DoD’s hunt capabilities into areas such as industrial control systems (ICS) / supervisory control and data acquisition (SCADA) systems, internet of things (IOT), wireless, and cloud, or extend the JCHK’s capabilities with artificial intelligence / machine learning (AI/ML), storage, or out-of-band (OOB) communication solutions. Proposals for COTS capability expansion packages available within the JCHK prototype and production timeline may be submitted with the JCHK proposal, as separately priced options. Capability package equipment is not part of the nine person transport limit, but carry-on transport on international airline flights is still required.
  • Has all the equipment needed to tap and process all PCAP, logs, and metadata across a minimum of three “hunt sites” that each have a 1x 10 Gbps full duplex ingest line, or 2x 1 Gbps full duplex ingest lines. The hunt kit must be capable of processing this data 24x7, at fully saturated data rates, as a stand-alone system, without utilizing SPAN ports on tapped network devices. 
  • Has all equipment needed to enable a minimum of nine total host analysts and/or network analysts to perform hunt activities at an “analyst site”. This equipment must include laptops with approximately 17” screens and RJ45, HDMI, USB-A, and USB-C connection ports. Any wireless communication, recording, or camera capabilities present must be able to be disabled via hardware, and must not be capable of being re-enabled via software or network communications.
  • Has all equipment needed to connect all three hunt sites and the analyst site with whitelisted internet protocol (IP) addresses and virtual private network (VPN) encrypted communications. The connections must also be capable of supporting remote management of all network taps and firewalls using OOB channels; and must be able to connect to another access layer switch at the analyst site. The equipment must be able to meet all three of these conditions concurrently. 
  • Has all equipment needed to perform digital forensic analysis of drives and memory, including the equipment needed to clone drives and memory, and the equipment needed to prevent write-back.
  • Has the ability to use all common VPN protocols, including internet protocol security (IPsec), OpenVPN, and WireGuard.
  • Has network taps that are both passive and regenerative, so that they do not interfere with normal operation of the network they are connected to, and that can operate using only an on-board battery for at least 1 hour.
  • Has sensors, servers, and laptops that will allow all DoD standard hunt software loadset applications to be installed on virtual machines (VM) with their original equipment manufacturer’s (OEM) recommended resources, with no more than 75% processor utilization, 75% memory utilization, and 50% storage utilization at the sensor, server, and laptop level. For sizing purposes, assume the DoD standard hunt software loadset can be either a Splunk or Elastic based loadset, with approximately 25 total applications.
  • Has the ability to store at least 7 days of PCAP collected off a minimum of 3x 10 Gbps full duplex lines, and 90 days of logs and metadata on each server.
  • Supports RAID 1, 5, 6, or 10; manages OS data using RAID 1; and does not lose queued mission data for at least 1 hour in the event of a site power failure.
  • Has all equipment to allow the hunt kit to be connected to a site network using copper, multimode fiber, or single-mode fiber transmission lines.
  • Uses copper cabling with RJ45 connectors between all the stand-alone components that comprise the hunt kit, wherever feasible, to allow custom length cables to be easily created in the field. Where this is not feasible, the hunt kit must include the splicing tools needed to make the custom cable lengths.
  • Has a capability that aggregates all data from all network taps, making it available for analysis by any sensor or server. The load balancing functions typically included in a packet broker are not required.
  • Has network taps and firewalls that either have no in-band management capability at all or allow it to be turned off.
  • All transport cases and stand-alone hunt kit components should be able to be secured in a way that makes physical tampering evident by casual inspection. At a minimum, the DoD requires that all transport cases and stand-alone components have the ability to be easily secured with wire ties and/or 2.5”x9” tamper evident tape, during both transportation and operation. Alternative solutions with the same or better tamper detection abilities are acceptable.
  • Has only self-encrypting drives (SED) that comply with the latest version of the Federal Information Processing Standards (FIPS) specification 140, at Security Level 2 or greater, for all drives involved with processing mission, networking, or security data.
  • Has a trusted platform module (TPM) with a cryptographic module that is certified by the National Information Assurance Partnership (NIAP) for each stand-alone assembly involved with processing mission, networking, or security data.
  • Has all electronic subassemblies involved with processing mission, networking, or security data produced in countries that are members of the US TAA.
  • Has only stand-alone assemblies that are available for purchase as COTS items without any ITAR or EAR export restrictions for TAA designated countries.
  • Has an extremely high level of reliability, a high level of repairability, and good parts availability.
  • Has wheeled travel cases for all equipment that allow a 6-foot-tall person to walk comfortably while towing a case and that roll easily over cobblestone streets; except for laptops, which may have backpack-style travel cases that fit under an airline seat.
  • Has a tool kit that contains all the tools needed to: remove all drives that process mission, network, or security data; configure the hunt kit for travel or different deployment options (top of rack, rack mounted, case mounted); and maintain or perform repairs and/or component replacements in the field. 


Optional Hardware Preferences


The most preferred hardware solution would be one that:

  • Packs the greatest amount of throughput speed, processing power, and storage capacity into a form factor that is transportable by nine personnel as carry-on luggage on standard international airline flights.
  • For all drives that store mission, network or security data: has only drives that are easily removable without tools.
  • Has the ability to purge non-volatile memory (NVM) in accordance with National Institute of Standards and Technology (NIST) Special Publication (SP) 800-88 using ATA, SCSI, NVMe, TCG Opal, or TCG Enterprise cryptographic erase commands; or the ability to easily replace non-purgeable NVM using commonly available memory cards.
  • Has the ability to automatically detect tampering while deployed, and to alert network defenders.
  • Has the ability to automatically detect tampering during transport, and to alert network defenders, using wireless technologies that can be easily removed prior to deployment, and easily replaced for transport at the end of the mission.
  • Has the ability for all small form-factor pluggable (SFP) transceivers to be replaced with multi-source agreement (MSA)-compliant SFPs without any loss of functionality.
  • Requires the least number of spares and repair tools to ensure a 95% field availability level.
  • Has at least 50% empty space in the laptop backpack when the hunt kit is fully packed.
  • Has hard-sided travel cases that stack on their wide face in a stable manner that resists tipping over.


Minimum Software Requirements


The software solution MUST be one that: 

  • Has the ability to ingest data from Splunk security information and event management (SIEM) software and forwarders, and to feed data to Splunk SIEMs.
  • Has the ability to ingest data from Elastic SIEMs and forwarders, and to feed data to Elastic SIEMs.
  • Has the ability to actively (i.e., via interrogation or scanning techniques that are detectable by network monitoring / log analysis tools) detect network vulnerabilities, known malware, and signs of intrusion.
  • Has the ability to correlate network maps, configuration data, vulnerability scans, and sensitive information locations, and to determine likely attack paths and how an attacker would prioritize them.
  • Has the ability to automatically ingest NetFlow, logs, and metadata from network devices and hosts, and to determine what is normal versus an anomaly with very good detection and low false alarm rates.
  • Has the ability to automatically ingest and incorporate cyber threat intelligence (CTI) and indicators of compromise (IOC) from a wide variety of data sources into vulnerability, threat and attack analyses.
  • Has the ability to process analytics that are distributed across a set of sensors.
  • Has the ability to automatically link, correlate, compare, timeline, trend, and display NetFlow, logs, and metadata from network devices and hosts, in ways that make it very effective for analyzing attacker TTPs.
  • Has the ability to coordinate incident analysis data and activities across a hunt team in a manner that allows team members to collaborate on analyses using teleconferencing and multi-user editable files.
  • Has the ability to query any data within any hunt application, or to write a trigger that results in an action within any hunt application, using Structured Query Language (SQL) or similar.
  • Has the ability to automate workflow and dataflow across hunt applications, or to call queries or triggers using only the application programming interfaces (API) for the hunt applications.
  • Has the ability to create custom network topology maps that combine subsets of layer 2 and layer 3 topology maps, and incorporate evidence of attacker TTPs as annotations and links to the SIEM data.
  • Has the ability to easily create a virtualized environment that is a digital twin of the IT environment being analyzed at the partner site, for testing purposes.
  • Has the ability to automatically validate files against known hashes, of any common hash type.
  • Has the ability to detect malware within files, binaries, and addressable memory, with high levels of detection but low levels of false alarm.
  • Has the ability to perform malware analysis activities, including identification, triage, static analysis, dynamic analysis, and reverse engineering, all performed in a sandboxed environment.
  • Has the ability to perform cyber threat emulation (CTE) activities, including probing, penetration, pivoting, evasion, and coordinated attacks, that can be packaged to simulate a particular APT’s TTPs.
  • Has the ability to insert links to data, analyses, notes, dashboards, tables, charts, or graphs in a hunt application into a Microsoft (MS) Word, MS Excel, MS PowerPoint, MS Visio, or Adobe PDF document.
  • Has the ability to function without needing a connection to the external internet.
  • Has the ability to function in Linux, VMware, or Docker / Kubernetes environments.
  • Has the ability to function using only the processing and storage resources within the hunt kit.
  • Has the ability to be configured quickly and easily in a way that meets all the security control requirements for operating on a DoD network, that are applicable to software.
  • Has a licensing model that allows the government to pay a fixed cost per hunt kit license per year, and allows the hunt kit to be used to hunt on networks with an unknown quantity of devices and dataflow.


Optional Software Preferences


The most preferred software solution would be one that:

  • Has the ability to detect malware within unaddressable memory, firmware, and integrated circuits (IC) with high levels of detection, but low levels of false alarm.
  • Has the ability to passively (i.e., without performing any outgoing communications) detect network vulnerabilities, known malware, and signs of intrusion.
  • Has automations or wizards / work-aids that allow a basic level analyst to perform malware analysis activities as thoroughly as an intermediate level analyst. 
  • Has automations or wizards / work-aids that allow a basic level analyst to perform CTE activities as thoroughly as an intermediate level analyst.
  • Has the ability to search information from the malware and CTE analyses from the SIEM and integrate information from the malware and CTE analyses into the network maps.


Vendor Support Requirements


The DoD requires a hunt kit vendor who:

  • Has the ability to support the prototype and production contracts using only personnel who are US Persons as defined by the US Immigration Reform and Control Act (IRCA) of 1986 as amended, and using only facilities, IT equipment, and personnel located in the US.
  • Has the ability to deliver the quantities of hunt kits desired, within the desired timelines, with high levels of quality assurance, and low levels of cost, schedule, and hunt kit performance risk.
  • Has the ability to provide software integration, configuration, and optimization services in a fast-paced user-driven DevSecOps environment, including developing dataflow scripts and plugins, and productivity enhancement tools.
  • Has the ability to provide 24x7 help desk support in the areas of hardware configuration, software configuration, hunt software usage, site-integration troubleshooting, and dataflow troubleshooting.
  • Has the ability to provide system refurbishment services, including NIST SP 800-88 compliant NVM sanitization, hardware repairs, upgrades, and performance testing. 
  • Has the ability to provide system logistical services and inventory management for hardware components located in sites throughout the US.
  • Has the ability to provide systems engineering support in the areas of deployment technical planning, hardware/software system optimization, software suite improvement, and failures / root cause analysis.
  • Has the ability to provide the security engineering and system documentation required to attain an authority to operate (ATO) to connect a system to DoD networks, including classified networks, and to support site-specific security inquiries.
  • Has the ability to develop training materials including: hardware configuration and administration manuals, software configuration and administration manuals, and activity-based software usage videos.


Awarding Instrument


This Area of Interest solicitation will be awarded in accordance with the Commercial Solutions Opening (CSO) process detailed within HQ0845-20-S-C001 (DIU CSO), posted to SAM.gov on 13 Jan 2020, updated 02 Oct 2023. This document can be found at: https://sam.gov/opp/e74c907a9220429d9ea995a4e9a2ede6/view


Vendors are reminded that in order to utilize an Other Transaction (OT) agreement the requirements of 10 USC 4022 must be satisfied. See in particular 10 USC 4022(d), which requires significant contribution from a nontraditional defense contractor, all participants to be small business concerns, or at least one third of the total cost of the prototype project to be paid out of funds provided by sources other than the federal government.


Follow-on Production


Companies are advised that any prototype OT agreement awarded in response to this AOI may result in the award of a follow-on production contract or transaction without the use of further competitive procedures. The follow-on production contract or transaction will be available for use by one or more organizations in the Department of Defense and, as a result, the magnitude of the follow-on production contract or agreement could be significantly larger than that of the prototype OT. As such, any prototype OT will include the following statement relative to the potential for follow-on production: “In accordance with 10 U.S.C. 4022(f), and upon a determination that the prototype project for this transaction has been successfully completed, this competitively awarded prototype OT may result in the award of a follow-on production contract or transaction without the use of competitive procedures.”


Electrified Ground Support Equipment (eGSE)


Responses Due By

2024-05-06 23:59:59 US/Eastern Time

Problem Statement

Aircraft handling support equipment (SE) comprise a significant number of emissions-generating vehicles on naval ships and Navy/Marine Corps installations. In alignment with the National Defense Strategy, the Department of Defense (DoD) is prioritizing energy demand reduction by adopting more efficient technologies that increase range, endurance, and operational flexibility in contested environments.


Desired Solution Attributes

DoD is seeking commercially-proven hybrid, plug-in hybrid, or electric systems capable of performing aircraft handling in support of Navy and Marine Corps missions. These SE perform aircraft spotting maneuvers for a variety of aircraft, including but not limited to: E-2C/D, F/A-18 (all variants), E/A-18G, F-35B/C, H-53E/K, H-60R/S, T-45, V-22 (all variants), and potentially, unmanned aerial vehicles. The government requires commercial solutions for two common-use SE items: 


  1. Mid-range tow tractors favored for land-based usage, used to transport aircraft and other towable ground support equipment over longer distances, and 
  2. Spotting dollies favored for shipboard usage, with shorter distances traversed and narrow clearance for aircraft repositioning. 


A key objective of this solicitation is to lower maintenance costs via operational endurance and self-sustaining upkeep of equipment. The DoD seeks solutions that can operate for >375 hours between unscheduled maintenance actions. When maintenance is required, it is desired to:


  • Be able to perform the maintenance action in under 2.5 hours
  • Reduce unique skill-set and tooling required to perform maintenance actions
  • Support maintenance with high availability of parts from the commercial marketplace


Operational flexibility can also be obtained through reduction in overall SE footprint. Onboard energy storage may optionally allow aircraft handling SE to perform the function of other accessory SE (e.g., power carts, frequency converters, air start units, etc.). Peak export power of such systems reaches:


  • 400Hz (90VAC threshold, 120VAC objective)
  • 28VDC (500A continuous, 1500A helicopter start)
  • 270VDC (72kW continuous)


Ideal solutions described:


  • Tow tractors should support an 8-hour shift usage profile of 25 miles traversed across 11 towing maneuvers, without opportunity for charging. A shift usage profile consists of 15% engage/disengage of load, 15% towing aircraft, 25% parking/positioning aircraft, 15% moving without payload, and 30% idle. For all-electric tow tractors, voltage of 80+ NMV for Level 2 or DC Fast Charging. Tractors should provide a drawbar pull of 11,000 pounds forward (8,000 pounds reverse). Tractors should operate at 15 mph with no towed load, and 5 mph forward/3 mph reverse with towed load.
  • Spotting dollies, positioners, or equivalent solutions should support a 12-hour shift with no opportunity for charging. A shift usage profile consists of 8% idle (startup, standby, shutdown), 22% moving without payload; 15% engage/disengage/load-lifting and lowering of load, 30% towing aircraft, and 25% parking/positioning aircraft. Dollies should provide a drawbar pull of 14,100 pounds and a lift capacity of 17,300 pounds. Dollies should operate at 3 mph under no load and 2.5 mph under load (1.5 mph at a 5 degree incline). Dollies operating under remote control should have tethered remote connection.
  • All solutions should tow an average load of 65,000 pounds (peak 80,000 pounds).
  • All solutions should allow charging via a Level 2 charging station using the J1772 charging standard.
  • All solutions should emit electromagnetic interference (EMI) levels within the electromagnetic radiation hazard MAE threshold detailed in Figure 2-1 of NAVSEA OP 3565 Volume 2 when operated near electrically initiated ordnance.
  • If utilized, cameras and related monitors should not have the ability to record or transmit information.


Additional considerations in accordance with DoD’s 2023 Lithium-Ion Battery Strategy and DIU’s Advanced Battery Standardization programs:


Demonstrations:

  • Commercial solution(s) should be ready for full-scale operational testing, demonstration, and evaluation within 8 months from project start date.
  • Vendors should have environmental and electromagnetic testing performed at an approved independent lab prior to delivery.
  • Vendors will provide on-site and remote support during the on-base operational testing, demonstration, and evaluation period (US-bases), where prototypes will undergo a range of environmental and electromagnetic testing, including but not limited to: MIL-STD-810H, MIL-STD-461G, and MIL-STD-464C.

Eligibility Requirements

Eligibility

This solicitation is open to U.S. and international vendors.


Vendors are reminded that in order to utilize an Other Transaction agreement, the requirements of 10 USC 4022 must be satisfied. See in particular 10 USC 4022(d), which requires significant contribution from a nontraditional defense contractor, all participants to be small business concerns, or at least one third of the total cost of the prototype project to be paid out of funds provided by sources other than the Federal Government.


Awarding Instrument

This Area of Interest solicitation will be awarded in accordance with the Commercial Solutions Opening (CSO) process detailed within HQ0854-20-S-C0001 (DIU CSO), posted to https://SAM.gov in March 2020.


Follow-on Production

Companies are advised that any prototype Other Transaction (OT) agreement awarded in response to this Area of Interest may result in the award of a follow-on production OT agreement or contract without the use of further competitive procedures. The follow-on production OT agreement or contract will be available for use by one or more organizations in the Department of Defense and, as a result, the magnitude of the follow-on production OT agreement or contract could be significantly larger than that of the prototype OT. As such, any prototype OT agreement will include the following statement relative to the potential for follow-on production:


“In accordance with 10 U.S.C. § 4022(f), and upon a determination that the prototype project, or portions thereof, for this transaction has been successfully completed, this competitively awarded prototype OT agreement may result in the award of a follow-on production OT agreement or contract without the use of competitive procedures.”