Navigating the Internet has become a routine thing since the invention of strong search engines like Google but not everything on the web is indexed and searchable. Websites that aren't meant to be found — from criminal sites to backend systems not meant for public consumption — are part of what's known as the "dark web."

The Veterans Affairs Department suffers from millions of cyberattacks and attempted breaches every month and wants to make sure its data — including the sensitive personal information on millions of veterans — isn't being sold or otherwise leaked in the dark corners of the Internet.

RFI: Sources Sought — Dark Web

The agency released a request for information on May 12 asking vendors about their ability to scan the dark web for data that should be solely in VA's control.

VA is specifically interested in whether vendors can meet all six of its criteria:

  1. The software shall be capable of searching the dark web for exploited VA data improperly outside of VA control.
  2. The software shall be capable of taking VA data and creating a one-way encrypted hash or pattern matching capability from that data ensuring that neither the vendor nor any other party not affiliated or working with VA can ascertain and/or use the data for any purpose other than this exercise.
  3. The software shall be capable of using VA's encrypted data hash or pattern matching to search the dark web and report back to VA what was found.
  4. The software shall be capable of distinguishing VA-sourced data on the dark web from data from any other source.
  5. The software shall be capable of integrating with the VA network and existing software platforms.
  6. The software shall conform to all VA information technology security policies, as outlined in VA Handbook 6500, in particular:
    a. The software shall not put any VA personally identifiable information (PII) or protected health information (PHI) at risk of breach;
    b. If the software processes VA PII and/or PHI data, the data shall be encrypted using FIPS 140-2 compliant methods; and
    c. The software shall not expose the VA network to any type of malware or cyberattack.

VA contracting officials are looking to collect all responses by noon on May 26.

Aaron Boyd is an awarding-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.

Share:
More In Management
Federal contract workers deserve better pay, Congress can help
Today, the federal contract workers who are arguably struggling the most are those employed by companies operating under the Service Contract Act. These “blended federal workforce” employees typically consist of individuals from low-income communities – often women of color – performing work such as housekeeping.
Six proven steps to Zero Trust
Agency leaders are working to adopt the mindset of trust nothing and verify everything to prioritize the transformation of legacy systems.
US must prepare for proliferation of cyber warfare
To build cyber resilience in this heightened threat environment, agencies must work closely with both international counterparts and industry to align on a proactive, global approach to all cyber threats –– not just state-sponsored attacks.
In Other News
Load More