CIBS: Keeping Secrets From NGI

An interesting item popped up in SAM.gov. According to a Request for Information (RFI) due February 20, the FBI may have interest in a system for secret biometric searches.

“The FBI intends to identify available software solutions to store and search subjects at the classified level.  This solution is not intended to replace the Next Generation Identification System Functionality, which was developed and implemented in collaboration with the FBI’s federal, state, local, tribal, and territorial partners. The solution shall reside at the Secret and/or Top-Secret/SCI level with the ability to support data feeds from external systems.  The solution must allow the ability to enroll and search face, fingerprint, palmprint, iris, and latent fingerprints, and associated biographic information with a given set of biometrics.”

Now remember that the Next Generation Identification (NGI) system is protected from public access by requiring all users to adhere to the CJIS Security Requirements. But the CJIS Security Requirements aren’t Secret or Top Secret. These biometric searches, whatever they are, must REALLY be kept from prying eyes.

The RFI itself is 8 pages long, and is mysteriously numbered as RFI 01302025. I would have expected an RFI number 01152026. I believe this was an editing error, since FBI RFI 01302025 was issued in 2025 for a completely different purpose.

Whatever the real number is, the RFI is labeled “Classified Identity-Based Biometric System.” No acronym was specified, so I’m self-acronyming it as CIBS. Perhaps the system has a real acronym…but it’s secret.

If your company can support such a system from a business, technical, and security perspective, the due date is February 20 and questions are due by February 2. See SAM.gov for details.

Proposals and “Weasel Words”

Have you ever used the phrase “weasel word”? Here’s how Merriam-Webster defines it:

“a word used in order to evade or retreat from a direct or forthright statement or position”

I don’t know how weasels became the subject of a negative phrase like this, but here we are.

I learned the phrase “weasel word” when I started working in proposals. I’ve been writing proposals for nearly 15 years, and I’ve run into many cases where I don’t comply with the written word of a mandatory requirement, and I end up having to…evade or retreat.

I’ve adopted my share of favorite weasel words over the years. I’m not going to give away any of my secrets in this public forum, but you’ve probably heard me rant about the government weasel wording regarding REAL ID “enforcement”:

“This rule ensures that Federal agencies have appropriate flexibility to implement the card-based enforcement provisions of the REAL ID regulations after the May 7, 2025, enforcement deadline by explicitly permitting agencies to implement these provisions in phases….The rule also requires agencies to coordinate their plans with DHS, make the plans publicly available, and achieve full enforcement by May 5, 2027.”

As I have ranted repeatedly, the REAL ID enforcement DEADLINE is May 7, 2025, but FULL enforcement will be achieved by May 5, 2027. There are enough weasel words to distract from the fact that full enforcement is not taking place on May 7, 2025.

“Flexibility,” “implement in phases”…I’m taking notes. The next time I respond to a DHS RFI, I may use some of these.

Because Bredemarket does respond to Requests for Information, Requests for Proposal, and similar documents. One of Bredemarket’s clients recently received an award, with possible lucrative add-on work in the future.

Does your identity/biometric or technology company want the government to give you money? I can help. Talk to me: https://bredemarket.com/cpa/

Bredemarket’s “CPA.” The P stands for Proposal.

(Weasel picture Keven Law • CC BY-SA 2.0; https://commons.wikimedia.org/wiki/File:Mustela_nivalis_-British_Wildlife_Centre-4.jpg)

Are You Responding to the CBP RFI, “RFI Land Vehicle Primary Zone Traveler Photo Capture Device”?

Facial recognition firms, let’s talk about Requests for Information from the Department of Homeland Security. I wrote about one in 2021, so I figured I’d write about another one that was just published today.

But before I do, let me just say that…um…I’m experienced in responding to Requests for Information (RFIs) from the Department of Homeland Security…and that’s all I can say.

And this new RFI is intriguing.

The RFI with Notice ID RFI-LVPZTPCD was issued by U.S. Customs and Border Protection today (April 30) and is due in one month (May 30). The description includes the following:

“CBP is seeking a solution for capturing facial images of vehicle occupants in an officer-manned primary zone at an inbound vehicle point of entry (POE).”

Today’s CBP RFI-LVPZTPCD envisions the use case in which people are entering the U.S. in a car…and are NOT getting out of the car. But you still have to capture their faces at a sufficient quality level, which is easier said than done. Heck, in May 2022 it took me several tries to capture a passport facial image at CVS when I WASN’T in a car. Now add distance, odd camera angles, and possibly an intervening car windshield, and you’re in for big challenges.

I wonder how many facial recognition vendors are planning to respond to this RFI…and how many need the experienced proposal help that Bredemarket can provide.

  • I know one biometric firm that often responds to Department of Homeland Security RFIs, but this firm does not have a “Land Vehicle Primary Zone Traveler Photo Capture Device.” So while this firm has used Bredemarket’s proposal services in the past, it won’t respond to this particular RFI.
  • I know another biometric firm with a keen interest in land vehicle primary zone traveler photo capture devices, and perhaps this firm may respond to this RFI. But this is the firm that didn’t renew my consulting contract in the fall of 2024, and I haven’t heard from them since.

Of course, there are other facial recognition firms out there, some of which may have outstanding solutions to the CBP’s problem.

And in case you haven’t heard, Bredemarket has an opening for a facial recognition client, and can provide winning proposal development services.

So if I can help your facial recognition firm respond to this RFI, book a call: https://bredemarket.com/cpa/

Putting the P in CPA.

(San Ysidro Port of Entry picture by Philkon (Phil Konstantin) – Own work, CC BY-SA 3.0, https://commons.wikimedia.org/w/index.php?curid=15343509.)

Submission (of proposals)

(All images Imagen 3)

From the early 1990s to 2019, the majority of my identity/biometric proposal work was with U.S. state and local agencies, with some work with foreign agencies (such as Canada’s RCMP), private entities, and a few proposals to U.S. federal agencies.

I had no idea what was going to happen in 2020, and one of the surprises is that the majority of my identity/biometric proposal work since 2020 has been with U.S. federal agencies. Many requests for information (RFIs) as well as other responses.

The L&M does stop at Bredemarket, apparently. 

The L & N, not M, but close enough for government work.

I’ve worked on client proposals (and Bredemarket’s own responses) to the Departments of Defense, Homeland Security, Justice, and perhaps some others along the way.

And no, there’s no uniformity

Same department, different requirements.

Coincidentally, the two most recent identity/biometric proposals I managed for Bredemarket clients went to the same government department. But that’s where the similarities ended.

The first required an e-mail submission of a PDF (10 pages maximum) to two email addresses. A relative piece of cake.

Mmm…cake. Always reward your proposal people.

The last required an online submission. No, not a simple upload of a PDF to a government website. While my client did have to upload 2 PDFs, the majority of the submission required my client to complete a bunch of online screens.

And there were two separate sets of instructions regarding how to complete these online screens…which contradicted each other. So I had to ask a clarification question…and you know how THAT can go.

Oh, and as the consulting proposal expert, I could not complete the online screens on behalf of the client. The client’s company had a single login, which was assigned to a single person (a company executive) and could NOT be used by anybody else. 

So on the day of proposal submission the executive and I videoconferenced, and I watched as the executive answered the responses, in part using a document in which I had drafted responses.

And of course things were not perfect. The executive pasted one of my responses into the space provided, and only THEN did we discover that the response had an unadvertised character limit. So I rewrote it…at the same time that I resized a required image with unadvertised dimension restrictions.

But there’s some uniformity

Perhaps if I had written more federal proposals at Printrak, Motorola, MorphoTrak, IDEMIA, and Incode, I would have known these things. Perhaps not; as late as 2014 I was still printing proposals on paper and submitting 10 or more volumes of binders (yes, binders) along with CDs that had to be virus-checked.

Some Requests for Proposal (RFPs) provide helpful checklists.

But regardless of whether you submit proposals online, via CD, or in paper volumes, some things remain constant.

  • Follow the instructions.
  • Answer the questions.
  • Emphasize the benefits.
  • And don’t misspell the name of the Contracting Officer.

If you need Bredemarket’s proposal services, or my content or analysis services, visit my “CPA” page to get started.

Retabulating the work that Bredemarket has done for clients (as of February 16, 2022)

My biometric/identity collateral wasn’t the only thing that I updated yesterday.

As part of my preparation for yesterday evening’s Ontario IDEA Exchange meeting, I took the time to update my “local” brochure. (Because local is important: see the first of my three goals for 2022.) This brochure includes a section that discusses the types and numbers of pieces that I have prepared for clients, including the number of case studies, the number of RFx responses, and so forth.

Those numbers hadn’t been updated since last September.

Before going to the meeting, I wanted to make sure my “local” brochure had the latest numbers.

I’ll go ahead and share them with you. This covers the projects that Bredemarket has completed for clients over the last 18 months, as of February 16, 2022:

  • Fourteen (14) case studies
  • Eight (8) articles (blog posts)
  • Three (3) service offering descriptions
  • Three (3) white papers
  • Nine (9) RFx responses
  • Four (4) sole source responses
  • Six (6) proposal templates
  • One (1) technical leave behind
  • Two (2) biometric analyses

Inland Empire B2B Content Services from Bredemarket.

As it turns out, I didn’t hand out my local brochure to anyone at last night’s IDEA Exchange. (It was a small crowd, most of whom I already knew.)

But at least I’ve tabulated the numbers.

Now I just have to update all of my NON local collateral…

Bredemarket and September 2021 on the proposal side

I was looking over the Bredemarket blog posts for September, and I found some posts that addressed the proposal side of Bredemarket’s services. (There are also blog posts that address the content side; see here for a summary of those posts.)

As a starting point, what proposal services has Bredemarket provided for its clients? I quantified these around the middle of the month and came up with this list.

And I’ve been working on additional proposal projects for clients that I haven’t added to the list yet.

Now if you’ve already read my September 2021 content post, it seems like I’ve been repeating myself. Well the repetition ends here, because my other big proposal-related accomplishment for the month was my Association of Proposal Management Professionals Foundation certification.

This will not only allow me to provide better proposal services to biometric firms (yes, yes, I am a biometric proposal writing expert), but also to other firms.

What other firms?

I’ll let you know.

If I can provide proposal services for you:

Using Toggl Track to quantify proposal services for marketing purposes

Bredemarket’s slogan should be “better late than never.” It took me a year to print business cards, and it has taken me almost a year to quantify my proposal services work for clients. But Toggl helped me quantify my work.

Incidentally, this post is NOT sponsored by Toggl. If I were smart I would have pitched this post to Toggl and gotten something substantive in return. But I’m not that smart; I’m just a happy Toggl Track user. Sure the service has had a couple of hiccups in April and August, but Toggl responded to these hiccups quickly. In general, Toggl Track has been very useful in tracking time, gathering data to bill clients, and (as I just discovered this week) very useful in quantifying Bredemarket’s work and accomplishments.

Quantifying hours per proposal

The whole Toggl Track quantification exercise started over the last couple of weeks, when I had two separate discussions with firms regarding the number of hours that a contractor usually spends responding to a request for something (proposal, information, comment, etc.). Acronym lovers can use RFx, RFP, RFI, RFC, etc. as needed.

After the second client raised the issue, I realized that my Toggl Track data contained time data on all of my billable proposals work. (Helpful hint: even with the free version of Toggl Track, you can set up project names to keep track of billable hours, although you have to manually calculate the billing yourself.)

So I logged into Toggl Track, selected the billable projects that I knew had RFx hours, downloaded a comma-separated values (csv) version of all of the data from January 1, 2021 to present, opened the csv file in Excel, filtered out the columns that I didn’t need, filtered out the rows that didn’t pertain to RFx work, sorted the data by description (for example, “AFIS proposal for Noname County”), then subtotaled the hours at each change of description.

And then I realized that I did something wrong.

When the Toggl Track data was loaded into Excel, it used a standard hours-minutes-seconds format. What that meant was that the subtotals also displayed in a standard hours-minutes-seconds format. So if I had three time entries—one for 10:00:00, one for 9:00:00, and one for 8:00:00—the resulting subtotal would be 3:00:00, or only three hours.

Whoops.

I played around a bit with the number formats in the Duration column, and found a format (displayed in Excel as “37:30:55”) that correctly rendered my subtotals—in the example above, yielding the correct value of 27:00:00, or 27 hours.

So once I got the subtotals to work correctly, what did I find, based on my own RFx proposal work data?

  • One of my projects required approximately 20 billable hours of work.
  • Three of the projects required less than 20 billable hours per project.
  • The remaining three required more than 35 billable hours per project.

Obviously my results do not apply to other independent contractors, and certainly do not apply to employees who are involved much more intimately in a company’s proposal process. So don’t try to extrapolate my numbers and make the declaration “Studies show that nearly half of all RFx responses require over 35 hours of work per person.”

But this data gave me the information that I needed in my discussions with the second firm.

But this exercise raised another question that I should have answered long ago.

Quantifying total proposal work

As Bredemarket, I have not only worked on RFx responses, but have also worked on sole source responses, and on proposal templates.

But I’ve never compiled a definitive overview of all of my proposal work.

Now I’ve certainly discussed bits of my proposal work here and there. You’ve probably already seen the testimonial that I received from a client regarding my proposal template work:

“I just wanted to truly say thank you for putting these templates together. I worked on this…last week and it was extremely simple to use and I thought really provided a professional advantage and tool to give the customer….TRULY THANK YOU!”

But after the proposal hours exercise above, I decided that it was time to quantify this work.

  • How many competitive proposals have I worked on for clients?
  • How many sole source responses have I worked on for clients?
  • How many of these “extremely simple to use” (my client’s words, not mine) templates have I assembled?

Obviously I had all the data; I just had to pull it together.

So I went to Toggl Track (and to other sources) to quantify my total proposal work, searching for billable (and in the cases of Bredemarket’s own proposals, nonbillable) work and identifying all the projects.

Sharing the quantification

Once that was done, I was able to create a neat handy dandy summary.

Which I put into a brochure.

Which I then added to various pages on the Bredemarket website.

September 10, 2021 iterative revision to https://bredemarket.com/bredemarket-and-proposal-services/.

And, of course, I’ll share the information in this blog post when I publish it and distribute it via my social media outlets, not forgetting Instagram, of course. (Did you notice that my statistical graphic is square? Now you know why.)

And I need to share this information in one more place, but that’s a topic for another time.

Can my proposal services help you?

If my experience (now with better quantification!) can help you with your proposal work, then please contact me.

DHS TSA mDL Public Meeting general observations

As I previously noted, today (June 30, 2021) was the day for the Department of Homeland Security’s Transportation Security Administration to hold its public meeting on its Request for Comment on “Minimum Standards for Driver’s Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes; Mobile Driver’s Licenses.” (See PDF or text version. The second link contains the method for providing comments.)

I will not provide a recap of the comments made by participants during the meeting, but will instead provide some general observations.

Incidentally, the list of all meeting participants will be made public at some point, and it’s possible that the chat transcript from the meeting will also be made public at some point.

Agreement and disagreement among the participants

As can be expected, there were a variety of views expressed at the meeting, ranging from industry comments about the items that should be in the DHS standard, to privacy advocates who questioned why DHS was implementing a standard at all. One example:

  • Industry participants, such as myself, were enthusiastic about the ability of a mobile driver’s license (mDL) to automatically update itself when new information became available at the DMV. For example, if I move to a new address, the DMV can automatically update the mDL on my smartphone to reflect the new address.
  • Privacy participants were, to put it mildly, a bit less enthusiastic about this feature. Physical driver’s licenses are updated as infrequently as every ten years; why should digital driver’s licenses be any different?

But there was apparent agreement between the industry and privacy participants about one possible feature on mDLs – the ability to control the data that leaves the smartphone and is sent to the verifying official. Everyone seemed to agree that this information should be granular, and that the mDL should not automatically send ALL available information on the mDL.

Let me provide an example. When I go to a bar and use my physical driver’s license to prove my age, the verifier (Jane Bartender) is provided access to my name, my address, my date of birth, my height, my (claimed) weight, and all sorts of personal information that would freak out your average privacy advocate. NONE of this information is needed to prove my age, not even my date of birth. All that the verifier needs to know is whether I am over the age of 21. An mDL can be designed to specifically state ONLY that I am over the age of 21 without revealing my birthdate, my address, or my (claimed) weight.

(You’d think that the privacy advocates would be thrilled about this granularity and would urge people to use mDLs because of this privacy benefit, but privacy and security folks are naturally suspicious and have a hunch that all of the information is being provided in the background anyway through double-secret means.)
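The granular disclosure described above can be enforced cryptographically rather than taken on trust. The following is an added example, not code from this post or from any mDL product: a simplified salted-digest scheme in which the issuer signs a hash of each attribute, the holder reveals only the age flag, and the verifier checks it without receiving the birth date or address. The attribute names, the sample licence data, and the HMAC key standing in for the issuer's signature are all assumptions made for the illustration.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo key. HMAC stands in for the issuer's signature so the
# example runs on the standard library; a real issuer (the DMV) would use an
# asymmetric signature and the verifier would hold only the public key.
ISSUER_KEY = b"constructed-demo-issuer-key"


def _digest(name, value, salt):
    """Salted hash of one attribute; the salt blocks guessing of hidden values."""
    blob = json.dumps([salt, name, value], sort_keys=True).encode()
    return hashlib.sha256(blob).hexdigest()


def _sign(digests):
    """Stand-in issuer signature over the full list of attribute digests."""
    blob = json.dumps(digests, sort_keys=True).encode()
    return hmac.new(ISSUER_KEY, blob, hashlib.sha256).hexdigest()


def issue(attributes):
    """Issuer side: salt and hash every attribute, then sign the digest list."""
    salts = {name: secrets.token_hex(16) for name in attributes}
    digests = {n: _digest(n, v, salts[n]) for n, v in attributes.items()}
    return {"attributes": attributes, "salts": salts,
            "digests": digests, "signature": _sign(digests)}


def present(credential, requested, consented):
    """Holder side: release only attributes both requested and consented to."""
    release = [n for n in requested
               if n in consented and n in credential["attributes"]]
    return {
        "disclosed": {n: {"value": credential["attributes"][n],
                          "salt": credential["salts"][n]} for n in release},
        "digests": credential["digests"],      # hashes only, no values
        "signature": credential["signature"],
    }


def verify(presentation):
    """Verifier side: check the signature, then each disclosed attribute."""
    expected = _sign(presentation["digests"])
    if not hmac.compare_digest(expected, presentation["signature"]):
        raise ValueError("digest list was not signed by the issuer")
    verified = {}
    for name, item in presentation["disclosed"].items():
        actual = _digest(name, item["value"], item["salt"])
        if not hmac.compare_digest(actual, presentation["digests"].get(name, "")):
            raise ValueError(f"attribute {name!r} does not match signed digest")
        verified[name] = item["value"]
    return verified


def demo():
    # Constructed sample licence data.
    credential = issue({
        "family_name": "Sample", "birth_date": "1980-01-01",
        "address": "123 Example St", "weight_lb": 180, "age_over_21": True,
    })
    # The bartender's reader asks for more than it needs; the holder agrees
    # only to the age flag.
    shown = present(credential,
                    requested=["age_over_21", "birth_date", "address"],
                    consented={"age_over_21"})
    return shown, verify(shown)


if __name__ == "__main__":
    shown, verified = demo()
    print("verifier learned:", verified)
```

For the undisclosed attributes the verifier receives only salted hashes, so what leaves the phone can be inspected and audited rather than assumed.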

But are the participants ready to respond to the RFC?

I had one other observation from the meeting. Before sharing it, I should explain that the meeting allowed the participants to ORALLY share the views that they will subsequently express in WRITTEN comments on or before the July 30 deadline.

And based upon the oral comments that I heard, some of the participants are ready to share their written comments…and others are not.

There were participants who spoke to the DHS about their items of interest, not only briefly stating these items, but WHY these items should be important to the DHS and to the general public.

And then there were participants who concentrated on unimportant details that were NOT of interest to the DHS or the general public. I won’t provide specific examples, but let’s just say that some participants talked about themselves rather than about DHS’ needs.

If these participants’ written comments are of the same tone as their oral comments, I can assure you that their comments will not influence the DHS in any way. Although I guess they can go back to their organizations and proudly proclaim, “We told the DHS how important we are!”

The DHS doesn’t care how important you are. In the DHS’ mind, you are not important. Only the DHS is important. (Oh, and the Congresspeople who fund the DHS are important, I guess.)

Perhaps in the next 30 days these other participants will take a look back at their message drafts and ask themselves the “So what?” question. What will motivate the DHS to incorporate desired features into the standard? And why should they?

And, as always, I can help. If nothing else, I can confidentially review your draft comments before submission and provide some suggestions. (Yes, it’s shameless plug time.)

If I can help you with your RFC response:

Or perhaps you are ready to respond now. I guess we’ll all find out when the DHS publishes its final standards, which may or may not reflect your priorities.

The DHS RFI “Minimum Standards for Driver’s Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes; Mobile Driver’s Licenses” is NOT due on June 18 (it’s now due July 30)

Back in April I wrote about a Request for Information that was issued by the Department of Homeland Security. Its title: “Minimum Standards for Driver’s Licenses and Identification Cards Acceptable by Federal Agencies for Official Purposes; Mobile Driver’s Licenses.”

The information was due to DHS on June 18 (tomorrow), and my post included a “shameless plug” offering to help companies with their responses.

No company requested my assistance.

But all is not lost, because you can STILL request Bredemarket’s assistance in composing your responses, because, according to Jason Lim, the due date has been extended.

DHS will hold a virtual public meeting on June 30, 2021 on mDL REAL ID RFI to answer questions regarding the RFI and to provide an additional forum for comments by stakeholders and other interested persons regarding the issues identified in the RFI.

DHS is also extending the comment period for the RFI by 42 calendar days to provide an additional period for comments to be submitted after the public meeting. New deadline is July 30, 2021.

If you want to register for the public meeting, click on the link at the bottom of Jason Lim’s LinkedIn post. I’ve already registered myself (the meeting starts at 7:00 am PDT, but at least I don’t have to commute to go to the meeting).

And the shameless plug still applies: if you need assistance in managing, organizing, writing, or checking your response, contact me (email, phone message, online form, appointment for a content needs assessment, even snail mail). As some of you already know, I have extensive experience in responding to RFIs, RFPs, and similar documents, and have been helping multiple companies with such responses under my Bredemarket consultancy.

Requests for Comments (RFCs), formal and casual

I don’t know how it happened, but people in the proposals world have to use a lot of acronyms that begin with the letters “RF.” But one “RF” acronym isn’t strictly a proposal acronym, and that’s the acronym “RFC,” or “Request for Comments.”

In one sense, RFC has a very limited meaning. It is often used specifically to refer to documents provided by the Internet Engineering Task Force.

A Request for Comments (RFC) is a numbered document, which includes appraisals, descriptions and definitions of online protocols, concepts, methods and programmes. RFCs are administered by the IETF (Internet Engineering Task Force). A large part of the standards used online are published in RFCs. 

But the IETF doesn’t hold an exclusive trademark on the RFC acronym. As I noted in a post on my personal blog, the National Institute of Standards and Technology recently requested comments on a draft document, NISTIR 8334 (Draft), Mobile Device Biometrics for Authenticating First Responders | CSRC.

While a Request for Comments differs in some respects from a Request for Proposal or a Request for Information, all of the “RFs” require the respondents to follow some set of rules. Comments, proposals, and information need to be provided in the format specified by the appropriate “RF” document. In the case of NIST’s RFC, all comments needed to include some specific information:

  • The commenter’s name.
  • The commenter’s email address.
  • The line number(s) to which the comment applied.
  • The page number(s) to which the comment applied.
  • The comment.

Comments could be supplied in one of two ways (via email and via web form submission). I chose the former.

Cover letter of the PDF that I submitted to NIST via email.

On the other hand, NIST’s RFC didn’t impose some of the requirements found in other “RF” documents.

  • Unlike a recent RFI to which I responded, I could submit as many pages as I liked, and use any font size that I wished. (Both are important for those respondents who choose to meet a 20-page limit by submitting 8-point text.)
  • Unlike a recent RFP to which I responded, I was not required to state all prices in US dollars, exclusive of taxes. (In fact, I didn’t state any prices at all.)
  • I did not have to provide any hard copies of my response. (Believe it or not, some government agencies STILL require printed responses to RFPs. Thankfully, they’re not requiring 12 copies of said responses these days like they used to.)
  • I did not have to state whether or not I was a small business, provide three years of audited financials, or state whether any of the principal officers of my company had been convicted of financial crimes. (I am a small business; my company doesn’t have three years of financials, audited or not; and I am not a crook.)

So RFC responses aren’t quite as involved as RFP/RFI responses.

But they do have a due date and time.

By Arista Records – 45cat.com, Fair use, https://en.wikipedia.org/w/index.php?curid=44395072