Navigating the Internet has become routine since the invention of strong search engines like Google, but not everything on the web is indexed and searchable. Websites that aren't meant to be found — from criminal sites to backend systems not meant for public consumption — are part of what's known as the "dark web."
The Veterans Affairs Department suffers from millions of cyberattacks and attempted breaches every month and wants to make sure its data — including the sensitive personal information on millions of veterans — isn't being sold or otherwise leaked in the dark corners of the Internet.
The agency released a request for information on May 12 asking vendors about their ability to scan the dark web for data that should be solely in VA's control.
VA is specifically interested in whether vendors can meet all six of its criteria:
- The software shall be capable of searching the dark web for exploited VA data improperly outside of VA control.
- The software shall be capable of taking VA data and creating a one-way encrypted hash or pattern matching capability from that data ensuring that neither the vendor nor any other party not affiliated or working with VA can ascertain and/or use the data for any purpose other than this exercise.
- The software shall be capable of using VA's encrypted data hash or pattern matching to search the dark web and report back to VA what was found.
- The software shall be capable of distinguishing VA-sourced data on the dark web from data from any other source.
- The software shall be capable of integrating with the VA network and existing software platforms.
- The software shall conform to all VA information technology security policies, as outlined in VA Handbook 6500, in particular:
  a. The software shall not put any VA personally identifiable information (PII) or protected health information (PHI) at risk of breach;
  b. If the software processes VA PII and/or PHI data, the data shall be encrypted using FIPS 140-2 compliant methods; and
  c. The software shall not expose the VA network to any type of malware or cyberattack.
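The one-way hashing and matching described in the second and third criteria, sketched as an added example; it is not code from VA, the RFI or any vendor. It assumes a keyed hash (HMAC-SHA256) whose key the data owner controls, so matching runs wherever that key lives; the function names, field names, key and sample records are all constructed.

```python
import hashlib
import hmac
import re
import unicodedata
# Assumption: keyed hash. An unkeyed hash of a nine-digit identifier can be
# enumerated, so the key stays with the data owner (constructed demo value).
KEY = b"constructed-demo-key"

def normalize_ssn(raw):
    """Return nine digits, or None if the value is not SSN-shaped."""
    digits = re.sub(r"\D", "", raw or "")
    return digits if len(digits) == 9 else None

def normalize_name(raw):
    """Strip accents, case-fold and collapse whitespace before hashing."""
    text = unicodedata.normalize("NFKD", raw or "")
    text = "".join(c for c in text if not unicodedata.combining(c))
    return " ".join(text.casefold().split())

def fingerprint(key, *fields):
    """HMAC-SHA256 over length-prefixed fields, so ("ab", "c") != ("a", "bc")."""
    mac = hmac.new(key, digestmod=hashlib.sha256)
    for field in fields:
        data = field.encode("utf-8")
        mac.update(len(data).to_bytes(4, "big") + data)
    return mac.hexdigest()

def build_index(key, records):
    """Owner side: reduce cleartext records to two sets of fingerprints."""
    index = {"ssn": set(), "ssn+name": set()}
    for rec in records:
        ssn = normalize_ssn(rec.get("ssn"))
        if ssn:
            index["ssn"].add(fingerprint(key, "ssn", ssn))
            index["ssn+name"].add(fingerprint(key, "ssn+name", ssn, normalize_name(rec.get("name"))))
    return index

def classify(key, index, found):
    """Label one record recovered from a dump: 'record', 'identifier' or None."""
    ssn = normalize_ssn(found.get("ssn"))
    if ssn is None:
        return None
    if fingerprint(key, "ssn+name", ssn, normalize_name(found.get("name"))) in index["ssn+name"]:
        return "record"
    return "identifier" if fingerprint(key, "ssn", ssn) in index["ssn"] else None

# Constructed records; 000-prefixed numbers are never issued as SSNs.
OWNED = [{"ssn": "000-12-3456", "name": "José  Álvarez"}, {"ssn": "000 65 4321", "name": "Dana Smith"}]
INDEX = build_index(KEY, OWNED)
```

A multi-field hit is stronger evidence than a lone identifier hit, but neither by itself establishes that the data came from VA.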
VA contracting officials are looking to collect all responses by noon on May 26.