VA to hunt stolen data on the Dark Web
Veterans Affairs is looking for companies that can help it scour the Dark Web for VA data that is improperly outside of VA’s control.
The health care agency is a frequent target of hackers and this new request for information looks like an attempt by VA to find some tools to mitigate the damage of past and future attacks.
The Dark Web is that part of the internet where cybercriminals buy and sell data, such as stolen credit card numbers and other personal data. People also can buy hacking software and services and even drugs and other illegal contraband. It isn’t indexed by search engines and you typically need some type of software, configuration or authorization to access it.
Responses to VA’s RFI are due May 26.
VA is looking for information on a software package that has these seven capabilities or features. I’m quoting directly from the RFI:
- The software shall be capable of searching the “Dark Web” for exploited VA data improperly outside of VA control.
- The software shall be capable of taking VA data and creating a one-way encrypted hash or pattern matching capability from that data ensuring that neither the vendor nor any other party not affiliated or working with VA can ascertain and/or use the data for any purpose other than this exercise.
- The software shall be capable of using VA’s encrypted data hash or pattern matching to search the “Dark Web” and report back to VA what was found.
- The software shall be capable of distinguishing VA-sourced data on the “Dark Web” from data from any other source.
- The software shall be capable of integrating with the VA network and existing software platforms.
- The software shall conform to all VA information technology security policies, as outlined in VA Handbook 6500, in particular: a.) The software shall not put any VA Personally Identifiable Information (PII) or Protected Health Information (PHI) at risk of breach; b.) If the software processes VA PII and/or PHI data, the data shall be encrypted using FIPS 140-2 compliant methods; and c.) The software shall not expose the VA network to any type of malware or cyber-attack.
- Include commercial Bailment agreement
Posted by Nick Wakeman on May 13, 2016 at 9:26 AM