|
Tech Law Journal |
 |
| News, records, and analysis of legislation, litigation, and regulation affecting the computer, internet, communications and information technology sectors | |
|
|
|
| |||||
|
SECTION C -- DESCRIPTION/SPECIFICATIONS/WORK STATEMENT C.1 Introduction and Background (a) Recent congressional inquiries and reports in the news media reflect considerable public concern over use by the Federal Bureau of Investigation of a relatively new investigative tool known as "Carnivore." Carnivore is a computer-based system that is designed to allow the FBI, in cooperation with an Internet Service Provider (ISP), to comply with court orders requiring the collection of certain information about emails or other electronic communications to or from a specific user targeted in an investigation. Questions that have been raised include concern that the FBI's temporary use of the Carnivore system could interfere with the proper functioning of an ISP's network; concern that the system might, when used properly, provide investigators with more information than is authorized by a given court order; and concern that even if the system functions appropriately when properly used, its capabilities give rise to a risk of misuse, leading to improper invasions of privacy. (b) In light of these concerns, the Attorney General has directed the Assistant Attorney General for the Justice Management Division to arrange for an independent technical review of the Carnivore system's design, function, and method of use. The results of this review will be documented by the Contractor in a draft and final report. (c) The system consists of Carnivore software written in C++ and deployed with a Windows NT Workstation operating system. No TCP IP stack is loaded. The platform is a commercial off the shelf (COTS) PC with a pentium III processor, 128 megabytes of RAM, between a 4 to 18 gigabyte hard drive and a 2 gigabyte Jaz drive for the collection of evidence. Additionally, the system includes: COTS communications software; a network interface card; a hardware authentication device; and a hardware network isolation device. (d) This document sets out the parameters for the independent technical review, and requests proposals to perform the work. Instructions and content requirements for offeror proposals are contained in Section L of this document. C.2 Definitions The following definitions apply to this contract: (1) As used herein, the term "Carnivore system" includes the Carnivore application software, other hardware and software normally deployed with it, and relevant practices, procedures, and methods of use. (2) For purposes of Objectives 1 and 2 in Section C.3, the term "assuming proper usage" includes assuming the existence of proper legal authority; the assistance and cooperation of the relevant ISP or system administrator, including the timely and accurate provision of any necessary system information; and observance, by those using the Carnivore system, of any relevant statutes, policies, procedures, methods, and practices. C.3 Contract Objective (a) The Contractor’s technical review of the Carnivore system should address the following four questions: (1) Assuming proper usage, will the Carnivore system provide investigators with all the information, and only the information, that it is designed and set to provide in accordance with a given court order? (2) Assuming proper usage, will use of the Carnivore system introduce new, material risks of operational or security impairment of an ISP's network? (3) Does use of the Carnivore system introduce new, material risks of the unauthorized acquisition, whether intentional or unintentional, of electronic communication information by (i) FBI personnel or (ii) persons other than FBI personnel? (4) Are the protections built into the Carnivore system, including both audit functions and operational procedures or practices, commensurate with the level of the risks, if any, identified in response to (3) above? (b) Additional, relevant questions may be added to the above list. C.4 Statement of Work C.4.1 Technical Review of the System (a) Subject to the security requirements of Section H.3, at contract award the Department will endeavor to provide (or make available) to the Contractor all relevant information or personnel the Contractor considers necessary to perform the technical review. Access to the source code and testing of the system will be limited to government controlled space unless the Contractor demonstrates that it has a facility with equivalent security arrangements.
(b) While the results of this review are expected to inform ongoing legal and policy discussions, the review itself is technical, not legal. If the Contractor believes that answers to specific legal questions are important to its review, the COTR will provide answers to those questions that shall be accepted as assumptions for purposes of the review, and identified as such in the Contractor’s report. (c) For purposes of Contract Objective (1) (see Section C.3), the Contractor shall evaluate the performance of the Carnivore system in each of several model scenarios, which are summarized in Attachment 1. The model scenarios are intended to reflect those that are most likely to be relevant in actual practice, and to give offerors a basis on which to prepare proposals. If other appropriate scenarios are identified either before or during performance of the contract, the Contracting Officer will expand the scope of the technical review to include additional scenarios. (d) The Department recognizes that the Carnivore system is subject to certain inherent design limitations that preclude its use in certain situations. Those limitations will be identified to the Contractor, but for obvious reasons will not be made public. (e) As noted in Section C.1, the Carnivore system incorporates some commercial off-the-shelf software and hardware elements (such as the Windows operating system). While the scope of the review includes the overall configuration of the system, the review is not intended to entail exhaustive evaluation of those elements. In that regard, the Contractor’s review is confined to what is necessary to determine if the use of those products creates particular problems or risks within the scope of the Contract Objectives (see Section C.3). C.4.2 Reports C.4.2.1 Format (a) All deliverables shall be provided to the COTR in both printed and digital form. Digital format shall be WordPerfect or Microsoft Word for all items except briefing materials which shall be a Corel Presentations or Microsoft PowerPoint slide show. (b) The Department intends to make the Contractor’s draft and final reports public to the maximum extent that is consistent with otherwise applicable law or contractual obligations and with preserving the effectiveness of Carnivore as a tool for effectuating court-ordered interceptions of electronic communications or related information. (c) The Department anticipates that comments provided to the Contractor by the COTR on draft deliverables will seek clarification, offer suggested replacement text, question perceived incorrect statements, or offer guidance to the Contractor. The Contractor shall resolve all comments raised by the COTR in a subsequent deliverable. (d) The only reference to the Contractor’s name in any deliverable shall appear on the cover page of that deliverable. Color and graphics will be used in documents at the discretion of the Contractor to enhance readability and understanding of the material. C.4.2.2 Progress Reports and Briefings (a) The Contractor shall report to the COTR weekly describing progress and any problems and proposed solutions. The Contractor shall alert the COTR of any problems related to contract performance at the earliest opportunity. (b) Prior to submitting the draft and final reports, the Contractor shall brief (i.e., there will be two separate briefings) the COTR and other DOJ officials on the anticipated contents of the reports. C.4.2.3 Draft Technical Report (a) The Attorney General has asked for a thorough but prompt review of the Carnivore system. This independent technical review is also intended to inform a broader public and legislative discussion of related legal and privacy issues. For these reasons, the Department desires that the draft technical report be submitted by November 17, 2000 (offerors are to include a proposed delivery schedule with their proposal, see Section L.4.2.1.3). (b) As noted above, the Department intends to make the draft report available to the public for comment. The Department’s goal is to maximize disclosure to the public giving due consideration to the confidential nature of some of the information that will likely be in the report. The Department will determine which parts of the report or associated information must remain confidential. The report as publicly released will identify any portion of the report that has been withheld from disclosure, and the Department's reasons for deciding to maintain it in confidence. The Contractor shall participate in the creation of the public version of the report as directed by the COTR. C.4.2.4 Public Comment Period After the draft report is made public, the Department expects to receive comments from interested members of the public. As directed by the COTR, the Contractor shall participate in the public comment phase as follows: (1) The Project Manager must make himself/herself available to participate in public discussions. (2) The Contractor shall consider, in preparing its final report, any comments that go to technical aspects of the review.
C.4.2.5 Final Technical Report The Contractor shall revise the draft report as necessary in light of technical comments received from the Department or the public. The Department desires that the final technical report be submitted by December 8, 2000 (offerors are to include a proposed delivery schedule with their proposal, see Section L.4.2.1.3). C.4.3 Additional Analyses (Option) At the unilateral option of the Department, the Contractor may be requested to perform follow-on analyses of technical issues identified in the final technical report. Examples of follow-on work include an analysis of vulnerabilities in the Carnivore system and/or the Department’s planned mitigation strategy for such vulnerabilities. The Contracting Officer will define the optional requirements in writing and request that the Contractor submit a cost and technical proposal to perform the optional work. The Contractor shall not perform any optional work unless and until it has received written authorization to do so from the Contracting Officer. C.5 Contract Management and Administration C.5.1 General The Contractor shall provide all management, administration, staffing, planning, scheduling, procuring, etc., for all items and services required by the contract. Listed below are all of the management and administration requirements that must be provided within the unit prices contained in Section B, i.e., the following items are not separately billable under the contract. (1) All activities associated with recruiting and hiring staff, such as advertising, screening applicants, interviewing, reference checking, etc. (2) Maintaining "in-house" skills, teaming and/or subcontract arrangements to ensure that staff with the requisite experience, skills and knowledge are available on short notice. (3) All activities associated with management of the Contractor's facilities that may be utilized, including obtaining space, equipment, furniture, supplies, maintenance, security requirements (see Section H.3.2), etc. (4) Utilizing electronic means to conduct business transactions under this contract to the maximum extent feasible. This will include, but is not limited to, Government/Contractor electronic mail exchange to support contract administration, Contractor invoicing, and electronic funds transfer for payment of approved invoices. After contract award, the Contractor and the Contracting Officer will agree on the methods and scope of electronic communications that the Contractor shall follow during the contract period. (5) Planning, scheduling and procuring airfare, lodging accommodations, and ground transportation for all approved travel by Contractor personnel. Ensuring that invoiced travel costs are itemized in accordance with the Government travel regulations in effect at the time of travel (See Section B.1.2.1). (6) Planning for and making all necessary arrangements to ensure that Contractor personnel performing field work have all necessary equipment (e.g., laptop computers) and supplies by the time they arrive at the site. (7) Assembling billing data and billing back-up materials, including all time and materials needed for preparing any responses to Government billing rejection letters. Generating, distributing, and tracking invoices, including generating reports and responding to inquiries regarding invoice status, tracking which deliverables and/or units have been invoiced and which have not, etc. (8) All activities associated with managing subcontractors/team members, such as identifying and qualifying them, negotiating subcontracts, reviewing invoices, ensuring compliance with the security and other requirements of this Contract, etc. (9) Implementing and maintaining quality assurance and quality control systems to ensure that all contract requirements are met throughout the term of the contract. C.5.2 Contractor Staff (a) Because much of the detailed information to which the Contractor’s staff will have access is sensitive from a law enforcement perspective and/or subject to the proprietary rights of non-governmental third parties, all staff members will be required to sign an agreement (similar to that contained in Section J, Attachment 2) that they will not disclose or use information about the Carnivore system that is disclosed to them in connection with the review, other than as permitted in connection with the conduct of the Contractor’s review and the preparation and authorized disclosure of its report. (b) The individuals listed below are considered key personnel for this contract. At a minimum, the key personnel will include the Project Manager. The Project Manager is a senior manager responsible for coordinating the management of all work performed under this contract. The Project Manager shall act as the central point of contact with the Department and shall have the full authority to act for the Contractor in the performance of the required work. The Project Manager works independently or under the general direction of senior level Contractor business management on all phases of performance, including contract management, project/task order management, coordination of resource needs, coordination with corporate resources and management, and has direct accountability for the technical correctness, timeliness and quality of deliverables. [Names of Key Personnel to be inserted from Contractor’s proposal] (c) All key personnel listed in paragraph (a) above are subject to the following: (1) Replacement of any key personnel is subject to the prior written approval of the COTR. (2) Requests for replacement shall include a detailed resume containing a description of the qualifications and experience of the individual(s) proposed. (3) Contractor proposals to move any key personnel off this contract shall be submitted in writing at least 30 days in advance of proposed move, and are subject to the approval of the COTR, including approval of proposed replacement. (4) The Department reserves the right to review the qualifications of all staff selected to work on this contract before assignment, including the individuals proposed (in the Contractor's proposal) and any replacements for these individuals, and to reject individuals who do not have appropriate experience in the conduct of reviews such as this. (d) The Contractor shall immediately remove any Contractor/subcontractor employee found to represent a threat to the safety of government records, government employees, or other Contractor employees.
|
|
