The State Department is turning to the private sector for more information on leveraging managed security services with each of its cloud architectures, including Software As A Service (SAAS), Platform As A Service (PAAS), and Infrastructure As A Service (IAAS).
In a Sept. 14 request for information (RFI) posted on Beta.Sam.Gov, the Department of State explained it has made substantial investments in migrating software, services, and IT operations to cloud service providers (CSPs). A handful of the State Department’s component agencies – the Bureau of Diplomatic Security (DS), Directorate of Cyber and Technology Security (CTS), Office of Cyber Monitoring and Operations (CMO) – are seeking to identify managed security services technical capabilities and conduct market research.
Specifically, they are looking for more information on the following areas for a multi-cloud environment:
- Providing managed security services to cloud platforms, to include:
  - centralized information technology (IT) security event monitoring and incident detection/response capabilities;
  - incident detection to facilitate timely responses to cyber threats preventing widespread propagation of malicious activity;
  - threat information collection and analysis with the cloud environment, potentially augmented with USG provided threat intelligence;
  - threat and vulnerability analysis to ensure systems protection from internal and external threats that would compromise the confidentiality, integrity, or availability of department information, infrastructure, and systems;
  - analysis of cybersecurity events to identify intrusions, malware, maintain metrics, and produce reports for management, IT security officials, federal defenders and cyber incident responders; and
  - penetration test services for new and expanding on and off-prem environments.
- Comparative decision points as they relate to Bring Your Own Tech (BYOT) and Provider provided tools.
- Industry insight as to managed security service provider tools and/or data architecture/s for SAAS, PAAS, and IAAS respectively with customer requirements for maximum services value to the Department.
- Ensuring seamless coordination and partnership with the mature Department Cyber Incident Response Team (CIRT).
- Providing additional consulting services to continuously improve the multi cloud cybersecurity program.
The State Department said its objective with the RFI is to explore “whether a partner or partners that have a catalogue of security capabilities for cloud environments to satisfy required security controls is in the best interests of the government.” The department noted that it has seen “dramatic increases” in bureaus leveraging cloud services to meet their mission. According to the RFI, the CMO has identified a need to provide a method for procuring security services to meet Authority to Operate requirements and to inherit security controls from CMO.
Currently, the department explained, the CMO believes a Managed Security Services Provider (MSSP) model in which service providers are “vetted and have established operations procedures with CMO from which system owners and/or CMO can procure services potentially serves the department’s interests by rapidly scaling security services for cloud implementations.”
The RFI includes a lengthy list of questions for the private sector centered around a handful of topics. The department is looking for more information on:
- Data Protection;
- MSSP capabilities;
- Issues related to the department’s Cyber Incident Response Team;
- What managed security services or consulting services the contractor can provide;
- Details regarding the Service Level Agreements;
- What contract vehicle(s) may be available to the department to access the services of the potential offerors; and
- Any concerns the contractor may have about the project.