
U.S. Department of the Treasury
Internal Revenue Service
Washington, DC 20224

Request for Information (RFI) for the Development of Exploitation Techniques Against Cryptowallets

THIS REQUEST FOR INFORMATION (RFI) IS RELEASED PURSUANT TO FEDERAL ACQUISITION REGULATION (FAR) PART 10, MARKET RESEARCH.

Disclaimer – This RFI is issued solely for information and planning purposes. This notice should
not be construed as a commitment by the Government for any purpose other than market research.
This announcement does not commit the Government to any contractual agreement. The
Government is not seeking proposals and will not accept unsolicited proposals. The Government
reserves the right to have further oral presentations and/or conversations with a subset of
respondents. The Government at its sole discretion will determine the subset for further
conversations.

No reimbursement will be made for any costs associated with providing information in response
to this announcement or any follow-up information requests.

Respondents will NOT be notified of the results of any analysis that the Government may perform.
All data received in response to this RFI that is marked or designated as corporate or proprietary
information will be fully protected from release outside the Government. The Government shall not
be liable for or suffer any consequential damages for any proprietary information not properly
identified. Proprietary information will be safeguarded in accordance with all applicable
Government regulations. All response documentation shall become the property of the Government
and will not be returned.

Introduction:

The purpose of this RFI is to gain insight into available services in the marketplace and to
explore technical features and capabilities.

The Department of Treasury, Internal Revenue Service (IRS), Criminal Investigation (CI),
Digital Forensics Unit routinely encounters cryptowallets subject to seizure and forfeiture.
Though a few known cyber penetration testers have published vulnerabilities on specific
devices, the process of decrypting the hardware devices to gain access to the wallets has been
challenging. In support of IRS-CI, further forensic research is needed to mature the process
and obtain reliable results. IRS-CI, Digital Forensics Unit is seeking to fulfill the following
objectives:

• Validate cybersecurity research in cryptographic wallet exploitation
• Identify new methods to gain access to cryptographic wallets
• Identify successful cryptographic models exploits can be accomplished
• Document the processes, hardware, and skillsets needed for reproduction in an advanced digital forensic laboratory
• Create hands-on training for the identified techniques in support of IRS-CI Digital Forensics Laboratory.

It is a priority to combine the leading-edge cybersecurity research available on the topics of
embedded hardware exploitation with the disciplined, established science of digital forensics.
The explicit outcome of this requirement is to tame the cybersecurity research into measured,
repeatable, consistent digital forensics processes that can be trained and followed in a digital
forensics laboratory.

Established exploitation, reverse engineering and digital forensic techniques shall be used to
accomplish these tasks including:
• software and firmware analysis,
• hardware reverse engineering,
• integrated circuit identification,
• research and removal of integrated circuit packages and components, and
• deconstruction of printed circuit boards and integrated circuit packages
for the express purpose of identifying consistent, repeatable exploitation techniques against a
given device.

Through this RFI the IRS seeks to accomplish the following goals:

1. Identify potential sources.

2. Obtain comments, suggestions, and other forms of constructive feedback.

3. Identify any small business concerns, i.e. 8(a) business, HUBZone small business, small
disadvantaged business, woman-owned small business, veteran-owned small business, or
service-disabled veteran-owned small business that can perform the required services
independently or through partnering with a large business.

4. Identify which, if any, Best in Class (BIC) contract vehicles (as designated by the Office of
Management and Budget (OMB)) your company has a contract with.

Response Format/Page Limitations:

All interested parties are invited to submit a capability statement. The capability statement must
specifically address the firm's ability to provide the services described in the SOO and below
questionnaire.

The overall total page limit for responses to this RFI is ten (10) single-sided pages. Font size shall
be no smaller than Times New Roman 12. Responses should be submitted electronically in
Microsoft Word or PDF format. Responses should be complete and sufficiently detailed. Please do
not submit marketing material. Responses should include the following information:

Company Name
Company Address
Company Point of Contact
Telephone Number
Email Address
DUNS Number
CAGE Code
NAICS Code
Business size/Socio-economic classification
BIC Vehicles you have a contract with
Contract holder’s technical capabilities that address organization and staff experience
as follows:

1. Describe your firm's level of experience and qualifications, or potential to acquire the
capability, to support the requested services.

2. Describe your firm's ability to meet the criteria. Specifically, if it is able to provide solutions
to the objectives.

3. Provide examples of your firm’s experience with projects similar in size, scope, and
complexity. Indicate the percentage of the work that was performed by your firm as the
prime contractor.

4. Provide any contributions to relevant National Institute of Standards and Technology (NIST)
publications or similar scientific peer reviewed work for review.

5. Possible solutions and approaches that may currently exist in the marketplace, and
information regarding innovative ideas or concepts regarding the product or service in
question.

6. Provide comments/suggestions and/or insights you may want the Government to consider.

7. Is your company located within the United States? Yes/No

8. Will all work on this request be completed at your company’s US Digital Forensic Lab?
Yes/No

9. Is your company experienced working for law enforcement agencies where the results can be
scrutinized either by an accreditation body or by a court? Yes/No

10. Has your company created, performed, and delivered solutions requiring reverse engineering
using software and firmware review for any law enforcement or intelligence agency? Yes/No

11. Does your company have significant experience performing microcontroller exploitations
using glitching, chip-read, and bootloader interference of multiple device types? Yes/No

12. Does your company have experience applying microcontroller exploits from one device type
to another device type, e.g. exploits for hard drives applied to drones? Yes/No

13. Has any of your data extraction by exploiting microcontrollers been published or referenced
in publications by scientific organizations such as NIST? Yes/No

14. Does your company have significant experience developing Digital Forensics training
around embedded device data recovery techniques such as chip-off using milling,
chip re-work, and JTAG? Yes/No

15. Does your company have experience delivering consistent and repeatable processes through
scientific testing, documentation, and process in a query-able digital format, e.g. sqlite, json?
Yes/No

THIS INFORMATION IS BEING REQUESTED FOR MARKET RESEARCH PURPOSES ONLY.
All contractors please submit your response to this RFI electronically to
Tameka Long at Tameka.E.Long@irs.gov on or before the submission deadline. Vendors shall
reference “RFI for Development of Exploitation Techniques Against Cryptowallets” in the
subject line of their response as well as in the subject line of any other e-mail correspondence
referencing this notice. NO PHONE CALLS PLEASE. The deadline for submission of
information is Tuesday, June 1, 2021, 12:00 NOON, EST.

DISCLAIMER
This RFI is for planning purposes only and shall not be construed as a Request for Proposals
(RFP), Request for Quote (RFQ), Invitation for Bid (IFB) or as an obligation on the part of the
Government to acquire any services. Responses to this RFI shall not serve as proposals, bids, or
offers. In accordance with FAR 15.201(e), responses to this RFI are not offers and cannot be
accepted by the Government to form a binding contract. The Government reserves the right to
determine how it should proceed as a result of this notice.

Response to this notice is not a request to be added to a bidders list or to receive a copy of a
solicitation.

THE GOVERNMENT DOES NOT INTEND TO AWARD A CONTRACT SOLELY ON THE BASIS OF THIS RFI.

No entitlement to payment of direct or indirect costs or charges by the Government will arise as a
result of the submission of the requested information.

No reimbursement will be made for any costs associated with providing information in response to
this announcement and any follow up information requests. Responses to this RFI may be
considered in the future determination of an appropriate acquisition strategy for the program.
The Government may not respond to any specific questions or comments submitted in response
to this RFI or information provided as a result of this request. Any information submitted by
respondents as a result of this notice is strictly voluntary.

Thank you for your interest.
