Federated Search

Questions & Answers / Clarifications

This document provides answers to vendor questions regarding an RFI for a Federated Search capability for the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF).

• Due Date/Time: SAM.gov and GSA eBuy had conflicting dates. Responses are due according to GSA eBuy (March 25 at 5pm). SAM.gov has closed.
• Eligibility: The RFI is open to all business sizes for market research purposes, despite the RFI document mentioning small business market research.
• Submission Format: Vendors should submit responses in PDF format as an attachment, typically through the eBuy submission form, rather than via email. For specific eBuy submission issues, vendors should contact the eBuy help desk.
• Technical Requirements: ATF envisions a hybrid retrieval model combining lexical and semantic approaches. They anticipate Attribute Based Access Control (ABAC) for field-level granularity. Data volumes are estimated at 1-5TB with 500GB-1TB annual growth. User population is expected to not exceed 500 concurrent users.
• Data Sources & Integration: ATF will provide technical details for internal systems (Spartan, NForce, NESS, eTrace) and API licenses/agreements for external vendors (Accurint, CLEAR, TLO, etc.) if a solicitation is pursued. Interoperability with existing authentication mechanisms (SSO, MFA, ADFS, PIV) is required.
• Security: A SECRET eligibility clearance is required for all personnel. FISMA compliance is a requirement, and a High NIST 800-53 Rev 5 baseline is needed. A new Authority to Operate (ATO) package will need to be supported by the contractor.
• Environment: ATF will provide AWS GovCloud environments, VPCs, networking, and OpenShift clusters. All work is expected to be completed onsite at ATF Headquarters in Washington, DC.
• Page Limits: Diagrams and images, as well as tables, will not count against the 15-page limit for white paper submissions.
• Methodologies & Technologies: Documentation for ATF's Agile Scrum Methodology and Enterprise Standard Technologies (SQL Server, Oracle, PostGres, AWS) will be provided. Specific CI/CD tools (Cucumber, Digital.Ai, GitLab, Jenkins, etc.) are listed.
• Data Volumes & Growth: Current volume is estimated at 83 million records (including photos), with storage in TB, 20% annual growth, and an ingestion rate of 22,234/day. User accounts are 5000 with 500 concurrent users.

These clarifications address ambiguities regarding submission deadlines, eligibility, technical approach, security requirements, and submission content, which are critical for vendors preparing a response.

Form / Attachment / Pricing Sheet

This document outlines the standard technologies approved for use by the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) across its client environments, data centers, and continuous integration/continuous deployment (CI/CD) pipelines. It serves as a reference for vendors to understand the technology stack and standards expected for solutions supporting ATF.

Client Environment:

• Workstation: Dell Latitude 54xx, Core i5, 16 GB RAM, Windows 10 Enterprise.
• Authentication: PIV, with Cisco DUO for exceptions.
• Browsers: Microsoft Edge, Google Chrome, Firefox.
• Document Storage: Microsoft OneDrive, SharePoint.
• Collaboration: Microsoft Teams.
• Mobile: Apple iPhone XR, 12 (apps must be on an approved list).

Data Center:

• Primary: AWS GovCloud.
• Alternate: Microsoft Azure GovCloud (for specific integrations).
• Containerization: RedHat OpenShift.
• Server OS: RedHat Enterprise Linux, MS Server 2016/2019.
• Database: Microsoft SQL Server 2019.
• Programming: Java, AngularJS, .Net.
• Application Servers: Apache Tomcat, Microsoft IIS.
• Low-code: Pega Systems.
• Geospatial: ESRI ATF GeoPortal.
• Reporting: Microsoft Power BI.
• ITSM: Service Now.

CI/CD Pipeline:

• Agile Management: Digital.ai.
• Source Code: GitLab.
• Build/Pipeline: Jenkins, Mavin.
• Repository: Nexus.
• Development Tools: Visual Studio Enterprise/Code, Postman, SoapUI.
• Testing Tools: SonarQube, JUnit, Mockito, Selenium, Katalon, JMeter, Cucumber.

Vendors proposing solutions for ATF should ensure their offerings are compatible with or can be integrated into these standard technologies. Understanding these standards is crucial for developing compliant and deployable solutions within the ATF's IT ecosystem. This document helps bidders assess technical feasibility and potential integration challenges.

Request For Information (RFI)

This RFI is issued by the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) for planning purposes to conduct market research. The ATF is seeking information on qualified small business concerns capable of designing, developing, and implementing a scalable Federated Search solution. This solution aims to enable seamless, real-time information retrieval across the agency's disparate digital platforms.

• Internal Connectivity: Develop secure connectors for internal agency repositories (e.g., SharePoint, SQL, On-premises Files, AWS) for ATF programs like Spartan, Nforce, Ness, and Etrace.

• External Connectivity: Develop connectors for authorized external/third-party data sources (e.g., Accurint AVCC, Clear, i2 Analyst Notebook, Transunion TLO, Vigilant/License Plate Reader, Pennlink, Tangles, Whooster).

• Data Segregation: Implement a "Search-Time:" aggregation architecture ensuring data remains logically and physically separate.

• Selective Query Logic: Provide a user interface (UI) with "toggle" or "filter" capabilities for selecting internal, external, or hybrid search modes.

• Environment: Support Production, Training, and Testing environments with scalability for future needs.

• Training and Knowledge Transfer: Provide general user and program manager training.

• NIST Compliance: Solution must comply with NIST SP 800-53 security controls (moderate/high impact level).

• Identity Management: Integrate with the Agency’s identity, credential, and access management (ICAM) system (e.g., PIVCAC, OKTA, Active Directory).

• Section 508: UI must be fully compliant with Section 508 of the Rehabilitation Act.

• Place of Performance: Partially at contractor's U.S. location and partially at ATF headquarters.

• Methodology: Conformity to ATF’s Agile Scrum Methodology, IT Methodology, Data Management Requirements, and Enterprise Standard Technologies.

• Environment: Build within Government approved GovCloud environments.

• Best Practices: Utilize commercial best practices including Agile Scrum, CI/CD, Automated Testing, and Automated Deployments.

Respondents should provide information on company capabilities, past performance (including contract numbers and similar work), experience, differentiators, and staffing estimates. Specific experience with NIST compliance, Identity Management, and Section 508 is required. Responses are limited to 15 pages (excluding diagrams/images).

• Questions Due: Friday, March 13, 2026, 4:00 PM ET
• RFI Responses Due: Friday, March 20, 2026, 4:00 PM ET

This is for market research only and not a Request for Proposal (RFP). No reimbursement will be made for costs associated with providing information. Responses are voluntary and do not preclude future participation.

Performance Work Statement (PWS)

The Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF) Office of Intelligence Operations (OIO) seeks to design, develop, and implement a Federated Search solution. The objective is to enable seamless, real-time information retrieval across disparate digital platforms, consolidating results from internal and external data sources into a single interface to reduce search latency and increase operational efficiency.

The contractor will provide a multidisciplinary team to develop a Federated Search solution. This includes:

• Designing and developing secure connectors for internal agency repositories (e.g., SharePoint, SQL, On-premises Files, AWS) and authorized external/third-party data sources (e.g., Accurint AVCC, Clear, i2 Analyst Notebook, Transunion TLO).

• Implementing a "Search-Time:" aggregation architecture ensuring data remains logically and physically separate.

• Developing a user interface (UI) with "toggle" or "filter" capabilities for internal, external, or hybrid search modes.

• Ensuring compliance with NIST SP 800-53 (moderate/high impact), Section 508 of the Rehabilitation Act, and integration with the Agency’s identity, credential, and access management (ICAM) system.

• Providing comprehensive training for Government personnel (General Users, Project Managers, Designated Security Officers).

• Period of Performance: Base year (12 months) with four (4) one-year options.

• Place of Performance: Partially at the contractor’s location within the United States and partially at ATF headquarters.

• Adherence to ATF’s Agile Scrum Methodology and IT Governance Manual.

• Conformity to Data Management Requirements as prescribed by the ATF Data Management Division.

• Development within Government approved GovCloud environments.

• Use of Government-provided tools and adherence to ATF Enterprise Standard Technologies.

• Personnel must complete a suitability determination by the Government’s Personnel Security Division (PSD).

• Compliance with ATF Executive Order 14110 and OMB memorandum M-24-10 regarding Artificial Intelligence (AI) use.

Key deliverables include Project Management documentation (e.g., Sprint Progress Reports, Release Reports), Application Development artifacts (e.g., DB Schemas, Data Dictionary, Source Code, Deployment Plans), UX Development outputs (e.g., Wireframes, UI Mockups), Testing documentation (e.g., Test Scripts, UAT Plans), and Transition Out documentation. Specific deliverables and their schedules are detailed in Section 7.0 of the PWS.

Other / Unclassified

This document, ATF Order 7231.1, establishes the policy framework for technical and behavioral standards and guidelines for the creation and management of ATF data. It covers data quality, consistency, security, compliance, and access. The order outlines the purpose, references, modification/termination procedures, and directs questions to the Chief Data Officer.

This policy is relevant to potential bidders as it details the ATF's commitment to data governance, standardization, and management. Understanding these policies can inform vendors about the operational environment and data handling expectations within the ATF, which may be pertinent for contracts involving data management, IT systems, or data analysis. It highlights the importance of data integrity, security, and compliance, which are critical aspects of government contracting.

Other / Unclassified

This document, the "ATF Agile Playbook," provides guidance for teams engaging in ATF Agile projects. It outlines the practices and artifacts generally expected by project teams using the ATF Agile methodology, covering the project lifecycle from Discovery/Sprint 0 through Release Integration testing.

While this document is an internal playbook and not a solicitation, it provides insight into the operational methodologies and processes that the ATF may employ for its projects. Understanding these agile practices, including Scrum, Kanban, and the various phases like Sprint Planning, Execution, Review, and Retrospective, can help potential bidders align their proposals and project management approaches with the ATF's expected workflows. It details team roles (Core Scrum Team, Supporting Team), their responsibilities, and the inputs, processes, and outputs for each stage of the agile lifecycle. This information can be valuable for vendors seeking to understand the ATF's project development and delivery environment.

Forms / Attachments / Pricing Sheets

This document is the "Style Guide_ Final Version.pdf" for the SPARTAN application, developed by the Bureau of Alcohol, Tobacco, Firearms and Explosives (ATF). It serves as a comprehensive guide for UI/UX design elements, ensuring consistency and adherence to brand standards across the application.

• Seal Symbolism and Mission Statement: Details the meaning behind the ATF seal and the mission of the SPARTAN Program Management Division (SPMD).
• Color Palette: Defines primary, secondary, banner, form state, and background colors with their corresponding HEX codes.
• Typography: Specifies the use of the Open Sans font family, including various weights, link styles, body text, and heading styles.
• UI Elements: Outlines the design and behavior of buttons (style, size, state), sidebar content, global navigation menus, checkboxes, radio buttons, form elements, work product templates, rich text editors, text boxes, date formats, tooltips, and pagination.
• Screen Structure: Details the 12-column grid system and minimum resolution requirements.
• Imagery: Provides examples of homepage and alternate background images.
• Application Header: Defines the design and measurement for the header and search bar.
• Iconography: Illustrates custom icons used for records, processes, licenses, and general system functions.
• Screen Instructions and Transitions: Guides on how to present information and instructions to users within the application, including milestone transitions and stage coach elements.

This style guide is crucial for any vendor involved in the development, maintenance, or integration with the SPARTAN application. It dictates the visual and interactive design standards, ensuring that all user interfaces are consistent with ATF's branding and user experience guidelines. Understanding these specifications is essential for creating compliant and cohesive digital products.

Form / Attachment / Pricing Sheet

This document outlines the "Definition of Done" (DoD) checklists for user stories and sprints related to the Bomb Arson Tracking System (BATS) Modernization project. It serves as a standard for when development tasks are considered complete.

Definition of Done User Story Checklist:

• Ensures each task within a user story is complete.
• Requires code review for all commits.
• Verifies acceptance criteria are met as provided by the Product Owner.
• Mandates implementation and testing of non-functional requirements (performance, maintainability, scalability, availability, operability), including specific performance criteria (e.g., page load times of 1-2 seconds).
• Confirms verification of key technical functionalities like data collection, Section 508 compliance, and security audit capabilities.
• Requires complete test coverage (unit, end-to-end, functional).
• Documents non-critical issues as technical debt.
• Includes updates to regression test suites and deployment steps.
• Requires updated documentation (SOPs).
• Mandates compliance with the attached 508-compliance checklist and successful Section 508 testing.
• Requires communication/demonstration to the Product Owner.
• Ensures code has no security vulnerabilities, with monthly security scans.
• Requires acceptance by the Product Owner and/or GTM.

Definition of Done Sprint Checklist:

• Confirms DoD for each user story in the sprint is met.
• Ensures all unit tests pass and all bugs are fixed.
• Outlines process for incomplete user stories (move to Product Backlog).
• Requires compliance with the 508-compliance checklist.
• Mandates updates to the Product Backlog.
• Confirms readiness of all environments for release (Dev/Staging, CI, automated regression tests).
• Specifies testing will occur in QA/Test environment, not Staging.
• States Production push will be from the Staging environment.

This checklist is crucial for bidders to understand the quality and completion standards expected for software development deliverables within the BATS Modernization project. It details the rigorous testing, compliance (including Section 508), security, and documentation requirements that must be met for user stories and sprints to be considered "done." Bidders should use this to gauge the complexity of development efforts and ensure their proposed approach aligns with these standards.

Other / Unclassified

This document is the Bureau of Alcohol, Tobacco, Firearms, and Explosives (ATF) Data Governance Handbook, Version 4.2. It establishes data standards and guidelines for the development, enhancement, and maintenance of systems containing databases within the ATF. The handbook details policies, procedures, and responsibilities for data management throughout the Systems Life Cycle (SLC), including database development, data administration, security, and naming conventions.

This handbook is relevant to potential bidders involved in developing or maintaining systems for the ATF that contain databases. It outlines the mandatory standards and best practices that must be adhered to, including:

• Data Governance Standards: Requirements for data integrity, quality, and confidentiality.
• Systems Life Cycle (SLC) Management: Processes for database development and integration within the SLC.
• Data Administration: Guidelines for data modeling, data dictionaries, and data naming conventions (e.g., ER Studio Data Architect usage, naming rules for tables, columns, etc.).
• Database Security: Standards for access control and auditing.
• Data Auditing and Forensics: Requirements for audit fields and tracking changes (e.g., CDC, Temporal Tables).
• Data Access Services (DAS) / APIs: Mandates for accessing enterprise data via standardized APIs.
• Common Data Elements (CDE): Encouragement to use CDEs and the National Information Exchange Model (NIEM).

Bidders should familiarize themselves with these standards to ensure their proposed solutions and development practices align with ATF's data governance requirements.