Executive Summary of the Department of Justice's Request for Proposals for "Independent Technical Review of the Carnivore Electronic Communication Collection System".
(This page contains the DOJ's "Executive Summary" of the RFP only.
Solicitation Number: JSJMD-00-0106.
Date Issued: August 24, 2000.
Source: U.S. Department of Justice. The full RFP is 50 pages, and is available in the DOJ web site in both WordPerfect and PDF.
For more information, contact Mark Selweski, (202) 307-1968, mark.e.selweski@usdoj.gov.

Executive Summary
Independent Technical Review of the Carnivore System

Introduction:

Recent congressional inquiries and reports in the news media reflect considerable public concern over use by the Federal Bureau of Investigation of a relatively new investigative tool known as "Carnivore." Carnivore is a computer-based system that is designed to allow the FBI, in cooperation with an Internet Service Provider (ISP), to comply with court orders requiring the collection of certain information about emails or other electronic communications to or from a specific user targeted in an investigation. Questions that have been raised include concern that the FBI's temporary use of the Carnivore system could interfere with the proper functioning of an ISP's network; concern that the system might, when used properly, provide investigators with more information than is authorized by a given court order; and concern that even if the system functions appropriately when properly used, its capabilities give rise to a risk of misuse, leading to improper invasions of privacy.

In light of these concerns, the Attorney General has directed the Assistant Attorney General for the Justice Management Division to arrange for an independent technical review of the Carnivore system's design, function, and method of use. The results of this review will be documented by the Contractor in a draft and final report.

Scope and Objective:

While the results of the contractor’s review of the Carnivore system are expected to inform ongoing legal and policy discussions, the review itself is technical, not legal. The "Carnivore system" includes the Carnivore application software, other hardware and software normally deployed with it, and relevant practices, procedures, and methods of use. The primary objective of the technical review is to address the following questions, however, additional relevant questions may also be addressed:

(1) Assuming proper usage, will the Carnivore system provide investigators with all the information, and only the information, that it is designed and set to provide in accordance with a given court order?

(2) Assuming proper usage, will use of the Carnivore system introduce new, material risks of operational or security impairment of an ISP's network?

(3) Does use of the Carnivore system introduce new, material risks of the unauthorized acquisition, whether intentional or unintentional, of electronic communication information by (i) FBI personnel or (ii) persons other than FBI personnel?

(4) Are the protections built into the Carnivore system, including both audit functions and operational procedures or practices, commensurate with the level of the risks, if any, identified in response to (3) above?

Note: The term "assuming proper usage" includes assuming the existence of proper legal authority; the assistance and cooperation of the relevant ISP or system administrator, including the timely and accurate provision of any necessary system information; and observance, by those using the Carnivore system, of [begin page 2] any relevant statutes, policies, procedures, methods, and practices.

For purposes of Objective (1) above, the Contractor shall evaluate the performance of the Carnivore system in each of several model scenarios, which are described in Section C.4.1 and Attachment 1 to the RFP. The model scenarios are intended to reflect those that are most likely to be relevant in actual practice, and to give offerors a basis on which to prepare proposals. If other appropriate scenarios are identified either before or during performance of the contract, the Department may expand the scope of the technical review to include additional scenarios.

The Department recognizes that the Carnivore system is subject to certain inherent design limitations that preclude its use in certain situations. Those limitations will be identified to the Contractor, but for obvious reasons will not be made public.

The Carnivore system incorporates some commercial off-the-shelf software and hardware elements (such as the Windows operating system). While the scope of the review includes the overall configuration of the system, the review is not intended to entail exhaustive evaluation of those elements. In that regard, the Contractor’s review is confined to what is necessary to determine if the use of those products creates particular problems or risks within the scope of the Contract Objectives.

The contractor will document the results of the technical review into a draft and final report that the Department will make public to the maximum extent that is consistent with otherwise applicable law or contractual obligations and with preserving the effectiveness of Carnivore as a tool for effectuating court-ordered interceptions of electronic communications or related information. Given the Attorney General’s request for a thorough but prompt review of the Carnivore system and the intent to inform a broader public and legislative discussion of related legal and privacy issues, the Department desires that the draft technical report be submitted by November 17, 2000.

As noted above, the Department intends to make the draft report available to the public for comment. The Department’s goal is to maximize disclosure to the public giving due consideration to the confidential nature of some of the information that will likely be in the report. The Department will determine which parts of the report or associated information must remain confidential. The report as publicly released will identify any portion of the report that has been withheld from disclosure, and the Department's reasons for deciding to maintain it in confidence. The contractor will participate in the creation of the public version of the report.

After the draft report is made public, the Department expects to receive comments from interested members of the public. The Contractor will be involved in the public comment phase through participation in public discussions and preparing technical assessments of comments that go to technical aspects of the review.

Through the process of public discussion of the draft and final technical reports, the Department also anticipates that interested members of the public will express their views on various legal and policy issues related to, but distinct from, the technical issues addressed by the Contractor’s report. A group of Department officials chaired by the Assistant Attorney General for the Justice Management Division will consider those legal and policy issues and include a discussion of them in its final report to the Attorney General concerning the Carnivore system.

The contractor will revise the draft report to reflect the substance of the comments received from the public. The Department desires that the final technical report be submitted by December 8, 2000.

At the unilateral option of the Department, the Contractor may be requested to perform follow-on analyses of technical issues identified in the final technical report. Examples of follow-on work include [begin page 3] an analysis of vulnerabilities in the Carnivore system and/or the Department’s planned mitigation strategy for such vulnerabilities.

Source Selection Considerations:

While some of the key source selection issues are highlighted in this section, prospective offerors should carefully read RFP Section L, particularly Section L.4, and Section M.

• This procurement is being conducted using full and open competitive procedures and will result in the award of a single contract. The contract type will be time-and-materials (T&M).
  
• The primary goal of this procurement is to select an offeror that is capable of delivering an independent, objective, impartial and thorough technical review of the Carnivore system within the time frames specified in the RFP. While the total estimated cost to the Government will be a factor in the award decision, the Department will base its selection decision on a best value approach where technical merit (i.e., offeror capability and independence) is significantly more important than the total estimated cost.
  
• The Department’s selection decision will be based on its evaluation of written proposals that address the capability of the offeror and the offeror’s independence. Offeror capability is a function of the technical proficiency of the organization and staff proposed to perform the work and the offeror’s technical approach. Technical approach includes the offeror’s methodology for performing the technical review, ability to perform the entire technical review within the desired time frames in the RFP, as well as how the offeror will comply with the RFP security requirements. Offeror independence means that the Department seeks to avoid any appearance of improper influence by the Department, including the FBI, or by other law enforcement or governmental interests.
  
• The breadth and depth of expertise available within the offeror’s organization will be a relevant consideration in the selection decision. However, the offeror may propose individuals with special qualifications from another organization.
  
• Written Proposals are subject to strict page limitations.

Schedule:

The schedule of significant events for this procurement is outlined below:

Procurement Schedule