26 Jan 2018

Privacy Preserving Implementations Auditing

Type of document: Contract Notice
Country: United States

Privacy Preserving Implementations Auditing

Agency:
Department of Commerce

Official Address:
Acquisition Division
Room 3J438 Washington DC 20233

Zip Code:
20233

Contact:
Jackie L. Kennedy, Sr. Contract Specialist, Phone 3017631270, Email jackie.l.kennedy@census.gov

Link:

Date Posted:
24/01/2018

Classification:
D

Contract Description:
SOURCES SOUGHT/REQUEST FOR INFORMATION
Auditing of Privacy Preserving Implementations in Statistical Programs

The following Request for Information (RFI) is issued solely for Market Research purposes. The Census Bureau will use the information gathered in support of the 2020 Census of Population and Households, the 2017 Economic Census, and other data products produced by the Census Bureau.

This document does not constitute a Request for Proposal (RFP) or a commitment to issue a Request for Proposal by the Census Bureau. The Census Bureau is not accepting offers at this time nor will the information provided be evaluated or considered as an offer. The Census Bureau is not responsible for any cost incurred by a contractor in responding to this announcement.

The following questions are intended to help the Census Bureau learn more about the capabilities of the marketplace for software auditing and formal evaluations for privacy vulnerabilities. Although answers to these questions are optional, the Census Bureau encourages companies to submit responses based on their knowledge and experience with this service in the commercial marketplace. Based on the information provided, and as part of its ongoing market research, the Census Bureau may contact individual respondents for additional information.

All information provided will be kept confidential and will be utilized for market research purposes directly related to the work described above.

INSTRUCTIONS:
Responses to this RFI should be sent as an attachment to jackie.l.kennedy@census.gov, as a Word or PDF document not to exceed twenty (20) pages (8.5″ x 11″, 12-pitch font size).
The following information should also be included in your response document:
1. Company name, address, and web site.
2. Contact person’s name, position, email and phone number.
3. Brief description of the organization, including business size (e.g. large business, small business (including type)) and services provided. If the company has a current GSA contract, please provide the contract number.

RESPONSE DUE DATE: Friday, February 2, 2018 by 4:00pm

DESCRIPTION:

The Census Bureau is developing software that implements mechanisms for performing privacy preserving statistical data analysis. This software will be used for the 2020 Census of Population and Households, the 2017 Economic Census, and other data products produced by the Census Bureau. In conjunction with this development effort, the Census Bureau is looking for companies who have experience in both software auditing and formal privacy to perform a detailed evaluation of the software.
Much of the software being developed by the Census Bureau will be released as open source software. Although the software is designed to work with confidential data protected by Title 13 and/or Title 26, the Census Bureau hopes to provide this software with test datasets that can be freely redistributed. It is expected that much of the Census Bureau’s software will be written in the Python programming language, maintained in a git-based software repository, and run on a Linux server. It is possible that the software may use the Apache Spark data analysis platform to achieve scalability.

The software that the Census Bureau is developing will perform privacy-preserving data analysis using formally private techniques. Examples of such techniques include those described in the differential privacy literature.

The Census Bureau is aware that there is an established industry of consulting firms and other providers who can audit software for security vulnerabilities. However, the Census Bureau is not aware of any companies who can audit (or have audited) software for privacy vulnerabilities. Examples of privacy vulnerabilities would include the improper mingling of sensitive and non-sensitive data, the movement of data from the sensitive category to the non-sensitive category without having that data undergo a privacy preserving data analysis, and the improper implementation of a privacy preserving algorithm.
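The three vulnerability classes above map naturally onto checks an auditor can look for in Python code. The following is an added illustration, not Census Bureau code: a hypothetical `Sensitive` marker type whose only exit to public output is a Laplace mechanism, plus a scale check that catches the common mistake of ignoring the query's sensitivity when calibrating noise.

```python
import math
from dataclasses import dataclass


class PrivacyViolation(Exception):
    """Raised when confidential data would leave the sensitive category without a formal mechanism."""


@dataclass(frozen=True)
class Sensitive:
    # Hypothetical marker for a statistic computed from confidential microdata.
    value: float
    sensitivity: float  # how much one person's record can change `value` (global L1 sensitivity)


def add(a, b):
    """Arithmetic on tagged values: if either operand is Sensitive the result stays Sensitive,
    with sensitivities summed (an upper bound), so sensitive and non-sensitive data
    cannot be silently mingled into an 'ordinary' number."""
    if isinstance(a, Sensitive) or isinstance(b, Sensitive):
        av, asens = (a.value, a.sensitivity) if isinstance(a, Sensitive) else (a, 0.0)
        bv, bsens = (b.value, b.sensitivity) if isinstance(b, Sensitive) else (b, 0.0)
        return Sensitive(av + bv, asens + bsens)
    return a + b


def laplace_noise(scale: float, u: float) -> float:
    """Inverse-CDF Laplace sample; `u` is a uniform draw in (0, 1), passed in so runs are reproducible."""
    p = u - 0.5
    return -scale * math.copysign(1.0, p) * math.log(1.0 - 2.0 * abs(p))


def release(x: Sensitive, epsilon: float, u: float) -> float:
    """The only permitted exit from Sensitive to public: the Laplace mechanism with
    scale = sensitivity / epsilon. Using 1 / epsilon regardless of sensitivity is the kind of
    'improper implementation' an audit must catch (see check_noise_scale)."""
    if epsilon <= 0:
        raise ValueError("epsilon must be positive")
    return x.value + laplace_noise(x.sensitivity / epsilon, u)


def publish(v) -> float:
    """Output gate: refuses any value still tagged Sensitive (data moved to the
    non-sensitive category without passing through a privacy mechanism)."""
    if isinstance(v, Sensitive):
        raise PrivacyViolation("sensitive statistic reached output without a privacy mechanism")
    return float(v)


def check_noise_scale(sensitivity: float, epsilon: float, scale_used: float) -> bool:
    """Audit check: the noise scale actually used must be at least sensitivity / epsilon."""
    return scale_used >= sensitivity / epsilon - 1e-12
```

In a real audit the marker type would be replaced by taint tracking over the data pipeline, but the three questions are the same: can sensitive values mix into untagged ones, can they reach output unreleased, and is the released noise calibrated to the query's sensitivity.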

QUESTIONS:

1. Does your company have experience in software auditing? If the answer is yes, please provide:

a. A brief description of previous experience in software auditing.

b. Name of the US Government agency(ies) for which you have provided software auditing functions, and a point of contact.

c. Names of any US corporations for which you have provided software auditing functions that are willing to serve as reference customers, and a point of contact.

d. Does your experience extend to the auditing of statistical software? If so, please provide information regarding the kinds of statistical software you have audited, and the purposes for which the audits have been performed.

e. Does your experience extend to the auditing of software that implements formally private statistical analysis? If so, please provide information regarding the kinds of privacy preserving analytical software that you have audited, and the purpose for which the audits were performed.
2. We understand that companies that have not previously audited privacy preserving statistical software may nevertheless be qualified to audit our software. Please, therefore, provide any experience that you have in developing software that performs privacy preserving data analysis.

3. Does your company use any software tools for performing software audits? If the answer is yes, please describe the tools.
4. Does your company possess any staff who have direct experience in the area of formal privacy? If so, please provide their names and experience, including a publication list.

5. Is there any minimum requirement to engage your services? Does your company require a commitment to a minimum amount of work within a time period?

6. The Census Bureau will be making incremental improvements to its privacy preserving statistical software over the course of time. What approaches does your company employ to reduce the cost and non-monetary burdens of subsequent audits?

7. What sort of paperwork or certifications does your company issue to signify a completed audit?

8. Beyond access to the software being audited, what other sorts of access does your company require? For example, do you require access to the developers, to development specifications, or to test data?

9. Which computer languages has your company previously audited?

10. What commercial/industry standards does your company employ for mitigating, managing, and preventing data breaches or data being stolen?

11. Describe your company’s pricing policy. Please provide as much detail as possible, including, to the maximum extent possible, the estimated cost of the auditing on a project, monthly, quarterly, and/or yearly basis, as applicable. Does your company have differential pricing based on the amount of work requested?

12. Please provide any additional information your company considers to be useful to the Census Bureau during the market research process, including industry-preferred strategies for the acquisition of commercial databases.

DISCLAIMER: This RFI is issued solely for information and planning purposes and does not constitute a solicitation. In accordance with FAR 15.201 (e), responses to this notice are not offers and cannot be accepted by the Government to form a binding contract. Respondents are solely responsible for all expenses associated with responding to this RFI. Responses to this RFI will not be returned. Respondents will not be notified of the result of the review.

Response Date:
020218

Sol Number:
YA1323-RM-18-0020