Notice ID: RFPOS316732_23
Description
The Office of the Chief Information Officer (OCIO) within the Office of the Assistant Secretary for Administration at the U.S. Department of Health Services (HHS) has recently deployed an Application Programming Interface (API) Management Platform (currently provided by Mulesoft) to facilitate the development and re-use of connections from source-of-record databases and the applications that consume or transact based on those data. The Government would like to explore the application of novel, generative technologies in the Machine Learning/Artificial Intelligence (ML/AI) space to assist with automating the development of security artifacts that support the automated interchange of data via API connections. Additionally, the Government would like to explore the application of machine learning technologies to the automated monitoring and classification of data traversing API-based system interconnections.
STATEMENT OF OBJECTIVES/SCOPE
The Government’s objective is to explore the application of generative ML/AI technologies to the development of an automated process to generate the artifacts required by NIST Publication SP 800-47 to facilitate the sharing of data between the API Management Platform and systems either providing data to or consuming data from the API Management Platform.
OBJECTIVES
C.2.1 Objective 1: NIST Artifact Automation
Offeror shall develop and implement a capability to determine the correct type of documentation required to enable data sharing between two systems based on source and destination of the data being shared and use generative technologies to create diagrams, tables, and/or other repetitive features required by the artifact supporting the data sharing arrangement based on the above parameters.
C.2.1.1 The outcome associated with this objective would be an application with the capability to generate the appropriate interconnection documentation based on user input, existing security artifacts and data available from compliance management tools (e.g. RSA Archer) or other available sources where that application demonstrates an emphasis on minimizing the amount of manual user input required.
C.2.1.2 The anticipated timeline for this objective option would include delivery of an initial prototype and some initial implementation in a production context during the initial 12-month base period of performance and full production implementation and initial modifications based on early user feedback taking place during the 12-month option period.
C.2.2 Objective 2: API Utilization Monitoring
Offeror shall develop and implement the capability to monitor actual data exchanged via an API connection for potential privilege escalation or other vulnerabilities where the data observed traversing an individual API is inconsistent with the original intent described in the security documentation which initially authorized the interface.