Request for Information (RFI) -Services to Electronically Transmit Airline Data

Purpose: 

The Department of Homeland Security (DHS), U.S. Customs and Border Protection (CBP) is conducting market research to gain a greater understanding of the full range of available options for services for obtaining names and related information of passengers who are arriving and departing the U.S. on commercial airlines.  Equally important, CBP needs to obtain manifests of cargo being transported to the U.S.

THIS IS A REQUEST FOR INFORMATION (RFI) ONLY.  This RFI is issued solely for information and planning purposes – it does not constitute a Request for Proposal (RFP) or a promise to issue an RFP in the future.  This request for information does not commit the Government to contract for any supply or service whatsoever.  Furthermore, CBP is not, at this time, seeking proposals and will not accept unsolicited proposals.  Respondents are advised that the U.S. Government will not pay for any information or administrative costs incurred in response to this RFI.  All costs associated with responding to this RFI will be solely at the interested party’s expense.  Not responding to this RFI does not preclude participation in any future RFP, if any is issued.  If a solicitation is released, it will be forecasted on the DHS’ Acquisition Planning Forecast System (APFS) at https://apfs-cloud.dhs.gov, and then publicized on a Government-wide Point of Entry (GPE) which may include a synopsis on  https://SAM.gov .  It is the responsibility of an interested party to monitor these sites for additional information pertaining to this requirement.

Background:

U.S. Customs and Border Protection (CBP) is one of the Department of Homeland Security’s (DHS) largest and most complex components, with a priority mission of keeping terrorists and their weapons out of the United States (U.S.).  It also has a responsibility for securing and facilitating trade and travel while enforcing hundreds of U.S. regulations, including immigration and drug laws.

CBP clears millions of cargo shipments per year, collects more than $20 billion in revenue, processes more than 12 million formal entries, of which 55% involve merchandise subject to quota or other trade programs, and monitors an average of 10 million annual export shipments.  This broad mandate encompasses a wide range of law enforcement activities and responsibilities.

CBP has a critical need to obtain names and related information of passengers who are arriving and departing the U.S. on commercial airlines.  Equally important, CBP needs to obtain manifests of cargo being transported to the U.S.

Objective:

The U.S. Customs and Border Protection (CBP) Office of Information and Technology (OIT) Enterprise Infrastructure and Operations Directorate (EIOD) has a continuing requirement to electronically obtain Passenger Name Records (PNR), air cargo manifests, advance passenger information (API), passenger manifests, and other airline-related data and messaging to CBP in support of CBP’s mission, and statutory and regulatory requirements, to screen people and cargo entering, exiting, and overflying the United States of America and its territories.

CBP is evaluating transmission options for air carriers to use in compliance with these requirements.

• The vendor must have established connectivity with the airline community.
• The vendor must be able to test and certify with the air carriers, the vendor, CBP and Transportation Security Administration (TSA) as required.

Opportunity:

To gain a greater understanding of the full range of available options for Electronically Transmitting Airline Data services.  Additionally, gauge industry interest and see if those available sources would be interested in becoming approved providers. 

The following documents establish the requirements that must be met and processes that must be followed to adhere to applicable CBP and DHS regulations:

• CBP PNR Push Specification for Air Carriers affected by the 2011 U.S.-EU PNR Agreement (Sept. 5, 2013).
• Ongoing current Interconnection Security Agreement between the U.S. Department of Homeland Security (DHS) Customs and Border Protection (CBP) and the prospective vendor via the DHS Redundant Trusted Internet Connection (RTIC) CBP Advanced Passenger Airline System (APIS).
• Message Implementation Guideline for Airlines, UN/EDIFACT, PAXLST/CUSRES, Message Sets v3.5, January 3, 2011.

CBP currently has approved and provides four secure network options to support the establishment of network connectivity between the carrier industry partners and DHS: (1) CBP Multi-protocol Label Switching (MPLS) Network; (2) ARINC; (3) SITA; and (4) Internet Virtual Private Network (VPN).

The contractor shall provide the following to permit the electronic transmission of airline data to CBP’s computer network and host systems:

Managed Network and Messaging Services:

IP Network Access

Provide Ethernet Internet Protocol (IP) connections to the contractor’s private global network. CBP routers are located on vendor’s premises. Contractor provides physical space at their datacenter(s) to include ¼ communications rack to house DHS/CBP co-located equipment that connects to the contractor’s private global network. These network connections support the framework upon which MQ channels transfer/deliver messages bi-directionally between CBP and the contractor and their client airlines.

Socket to Socket Connections

Provide Socket to Socket TCP/IP Connections. Socket to Socket Connections for a two-way communication link between two users. Sockets provide the means through which ports are bound to the TCP layer to deliver data/messages to the endpoint application. This allows virtual end-to-end connectivity with CBP users across the contractor’s existing worldwide network.

Messaging Queuing Services/ Message Queue Manager

Provide Messaging Queuing Services via IBM MQ to provide bi-directional messaging across MQ channels between Production and Test/Certification queue managers at CBP and the contractor’s MQ Queue Manager(s). CBP and the contractor shall host one or more MQ queues as deemed necessary by CBP applications. Such queues shall support messaging to and from the CBP Production and Test/Certification environments.

International Air Transport Association (IATA) Addresses:

Contractor shall support interactive messaging when 7-letter IATA Addressing is used by the Airlines.  Contractor shall mitigate the protocol mitigation in order to deliver messages sent to CBP systems, as well as messages originating at CBP and destined for delivery to the Airlines.

Test and Production Queues:

MQ Queues support the message exchange between CBP and the contractor. MQ Queues are defined within the MQ Queue Managers at the CBP and contractor’s endpoints. The number of queues defined at each endpoint will depend largely upon the needs of CBP applications. Queues shall be defined to support the requirements for both Production and Test/Certification platforms.

Unlimited Type B messaging:

Provide unlimited Type B messaging. Type B messaging is guaranteed, store-and- forward message delivery. Type B messages are an IATA standard. Type B messaging is widely used by airlines, and computer reservation systems and used by CBP to receive Advance Passenger Information, based on the International Air Transport Association (IATA)/Airlines for America (A4A) endorsed standard. It is a Messaging service that allows centrally controlled communication with every participant in the extensive Type B community and a Value added service that provides security, traceability, integrity, and sender and receiver identification on top of connectivity through one connection.

Connections between Dominican Republic (DR) and CBP and Barbados (BB) and CBP:

Provide MQ over Internet, contractor Connector, and Message Conversion. Connection across the contractor’s private global network between CBP and the Dominican Republic (DR) and CBP and Barbados (BB) to enable routing copies of Advance Passenger Information (API) to CBP.  The governments of the DR and BB have signed agreements to deliver API data to CBP. Targeting uses MQ connectivity over DHS’ Redundant Trusted Internet Connection (RTIC) infrastructure via contractor global private networks. The data feed is U.S. and United Nations Rules for Electronic Data Interchange for Administration, Commerce and Transportation (UN/EDIFACT) and originates from a version of ATSG installed at the Joint Rescue Coordination Centre (JRCC).  The JRCC is the competent authority which functions as an information and communications Centre for the capturing, processing and transmitting of Advance Passenger Information received seven days a week, twenty-four (24) hours a day to Law Enforcement, Border Control and Intelligence Agencies of the countries comprising the Single Domestic Space (14 Caribbean countries). Data is submitted by all aviation and maritime carriers notwithstanding size, via contractor to our telex address or through the JRCC Web Portal to the JRCC Servers where it is processed and security vetted. The relevant portion of the API is then disseminated to the respective destination Member State. Only the JRCC and the respective Destination State will have access to API. All APIs data is stored on JRCC Servers and Member States “dex” Client computers.  As required by CBP, a copy of the raw feed is delivered to PSPD and ATSP.

Optional Task - Service Order Changes:

Service order changes occur when CBP needs to adjust routing, add an IATA address, or add and implement a new queue.  This task is an optional task within the base period and all option periods. This task may be exercised multiple times for any amount up to the total ceiling value of the task for that contract period. The cumulative value of multiple optional exercises under this task will not exceed the total ceiling value within each contract period.

Responses Requested:

To assist CBP in gaining a greater understanding of the full range of options available for Electronic Transmittal of Airline Data, please provide responses to the following questions and requirements.

1. Does your Company have established connectivity with the airline community?
2. Is your Company able to test and certify with the air carriers, CBP and TSA as required?
3. Does your company provide a Wide Area Network solution using IBM's MQ series and IP Network products to transport airline passenger and trade information?  Airline data includes passenger name records (PNR), air cargo manifests, advance passenger information (API), passenger manifests, and other airline-related data and messaging in support of CBP’s mission to screen people and cargo entering and exiting the U.S.
4. Does your company provide internetworking, telecommunications circuits, logical connections, and data services permitting CBP to interconnect to your network, to obtain access to airline data?
5. Does your company provide an available global private network primarily used by the aviation industry to enable the aviation industry to send/receive API, PNR, and other information to CBP and other entities?
6. Does your company provide the managed network and messaging services listed in the previous section above to permit the electronic transmission of airline data to CBP’s computer network and host systems?
7. Will your company provide Ethernet Internet Protocol (IP) connections by hosting CBP routers located on your premises?  This would require physical space at your datacenters to include ¼ communications rack to house DHS/CBP co-located equipment that connects to your global private network. These network connections support the framework upon which MQ channels transfer/deliver messages bi-directionally between CBP, your company and your client airlines.
8. Does your company provide Socket to Socket TCP/IP Connections for a two-way communication link between two users?  Sockets provide the means through which ports are bound to the TCP layer to deliver data/messages to the endpoint application. This allows virtual end-to-end connectivity with CBP users across your worldwide network.
9. Does your company provide Messaging Queuing Services via IBM MQ in order to provide bi-directional messaging across MQ channels between Production and Test/Certification queue managers at CBP and the contractor's MQ Queue Manager(s)?   Both CBP and your company shall host one or more MQ queues as deemed necessary by CBP applications. Such queues shall support messaging to and from the CBP Production and Test/Certification environments.
10. Does your company support interactive messaging when 7-letter IATA Addressing is used by the Airlines and mitigate the protocol mitigation in order to deliver messages sent to CBP systems, as well as messages originating at CBP and destined for delivery to the Airlines?
11. Does your company provide MQ Queueing to support the message exchange between CBP and your endpoints?  The number of queues defined at each endpoint will depend largely upon the needs of CBP applications. Queues shall be defined to support the requirements for both Production and Test/Certification platforms.
12. Does your company provide unlimited Type B messaging, thus guaranteeing, store-and- forward message delivery?  Type B messages are an IATA standard and Type B messaging is widely used by airlines, computer reservation systems and used by CBP to receive Advance Passenger Information, based on the International Air Transport Association (IATA)/Airlines for America (A4A) endorsed standard. It is a Messaging service that allows centrally controlled communication with every participant in the extensive Type B community and a Value-added service that provides security, traceability, integrity, and sender and receiver identification on top of connectivity through one connection.
13. Does your company provide MQ over Internet via your connector with Message Conversion to reach the Dominican Republic (DR) to allow DR to route copies of Advance Passenger Information (API) to CBP?  The Government of the DR has signed an agreement to deliver API data to CBP. Targeting requires MQ connectivity over DHS’ RTIC infrastructure via the contractor's global private network. The data feed is US and UN/EDIFACT and originates from a version of ATSG installed at the Dominican Republic Department of Immigration. As required by CBP, a copy of the raw feed is delivered to a PSPD and ATSP.
14. Does your company support service order changes which will occur when CBP needs to adjust routing, add an IATA address, or add and implement a new queue?
15. Does your company provide and support a notification system that will notify the CO and the COR of any service order changes that would have on impact on the message traffic traversing your company's/CBP’s connection?
16. Will your company, at no additional cost to the Government, accommodate Government Property in the following manner?

• Housing CBP-provided network routers at your company’s data centers?
• The Government will provide the contractor with the specific router make and model number to be used by the contractor.
• The contractor shall furnish a ¼ rack at the contractor's location(s) to house CBP equipment.
• The facilities housing the CBP equipment must include air conditioning, uninterrupted power supply (UPS), raised floors, main power, telecom distribution panels, and controlled and secured access; and
• CBP and its agents shall be provided access to the contractor’s facilities upon request with at least 48 hours advance notice.

17.Does your company provide global aviation industry expertise and customer service that offers 24/7 integrated local and global support of your provided services?

18. Does your company comply with administrative, physical and technical security controls to ensure that the Government’s security requirements are met (i.e. not use, disclose, or reproduce data, which bears a restrictive legend, other than as required in the performance of the contract)?

19. Does your company comply with following DHS encryption standards?

1. FIPS 197 (Advanced Encryption Standard (AES)) 256 algorithm and cryptographic modules that have been validated under FIPS 140-2;
2. National Security Agency (NSA) Type 2 or Type 1 encryption; and
3. Public Key Infrastructure (PKI) (see paragraph 5.5.2 of the DHS 4300A SENSITIVE SYSTEMS HANDBOOK.

20.Does your company provide a continuous monitoring strategy and methods or capability that include the following?

1. Asset Management.
2. Vulnerability Management.
3. Configuration Management.
4. Malware Management.
5. Log Integration.
6. Security Information Event Management (SIEM) Integration.
7. Patch Management; and
8. Providing near-real-time security status information to the DHS SOC.

21. Does your company provide specific protections that are to include, but are not limited to the following?

• Security Operations
• Computer Incident Response Services
• Physical and Information Security and Monitoring
• Vulnerability Assessments
• Patch Management
• Log Retention

Instructions and Response Guidelines:

RFI responses are due by 11:59pm on March 13, 2026 and shall be limited to a total of 4 pages, not including foldouts and full-size page charts.  Page size is limited to 8.5x11 inches, 12-point font, with 1-inch margins in Microsoft Word format.  Both sides of the paper may be used but each side shall be included in the page count unless intentionally left blank.  Responses shall be submitted via email to Ronetta Sweeney at ronetta.m.sweeney@cbp.dhs.gov .  The subject line of email responses shall read: CBP Services to Electronically Transmit Airline Data. 

Please provide the information you deem relevant to respond to the specific inquiries of the RFI.  To support budget and planning purposes, you may also include rough cost estimates based upon the objectives outlined in the RFI.  Information provided will be used solely by CBP as market research and will not be released outside of CBP.  This RFI does not constitute a Request for Proposal (RFP), Invitation for Bid, or Request for Quotation, and it is not to be construed as a commitment by the Government to enter into a contract, nor will the Government pay for the information submitted in response to this request.  All information contained in this RFI is preliminary as well as subject to modification and is in no way binding on the Government.  NO SOLICITATION EXISTS AT THIS TIME.