The US Veterans Affairs Department (VA) has filed documents this past Thursday revealing it was looking for software that can scan the Dark Web for any leaked VA information.
Interested contractors are expected to submit their proposals, including technical capabilities, in a report no larger than 20 pages. The US government is specifically interested in software that meets seven conditions.
“ The software shall be capable of searching the “Dark Web” for exploited VA data improperly outside of VA control; ”
Normal Web-scanning software can run from any server without special requirements. Scanners aimed at the “Dark Web” need to work via the Tor and I2P protocols. Additionally, Dark Web data dump portals and forums often change their URLs, so the software must be able to discover new links on its own, or come with a dynamic list of Dark Web URLs to scan.
“ The software shall be capable of taking VA data and creating a one-way encrypted hash or pattern matching capability from that data ensuring that neither the vendor nor any other party not affiliated or working with VA can ascertain and/or use the data for any purpose other than this exercise; ”
From this point, it’s clearly that the VA does not intend to give a third-party contractor access to its data, but only use file hashes for identifying leaked data.
“ The software shall be capable of using VA’s encrypted data hash or pattern matching to search the “Dark Web” and report back to VA what was found; ”
The VA wants a nice dashboard so it can allow any employee to use the software without having the technical knowledge to spot leaked VA data in log lines.
“ The software shall be capable of distinguishing VA-sourced data on the “Dark Web” from data from any other source; ”
The software must be able to tell if a former military member’s personal data leaked from another source, like the OPM.
“ The software shall be capable of integrating with the VA network and existing software platforms; ”
The VA is not looking for software that needs special servers to run on. Extra requirements bring additional costs, which, the US government like any other government, is looking to cut down on.
“ The software shall conform to all VA information technology security policies, as outlined in VA Handbook 6500, in particular: ( a. ) The software shall not put any VA Personally Identifiable Information (PII) or Protected Health Information (PHI) at risk of breach; ( b. ) If the software processes VA PII and/or PHI data, the data shall be encrypted using FIPS 140-2 compliant methods; and ( c. ) The software shall not expose the VA network to any type of malware or cyber-attack. ”
The software should have its own security measures so an external attacker couldn’t leverage it to access the existing VA system. The government is not looking for something put together overnight.
“ Include commercial Bailment agreement ”
Mandatory legal term for almost all government contracts. Theentry explains it better.