Notice ID:  832469087

The Defense Information Systems Agency (DISA), Cyber Program Executive Office (PEO Cyber), Endpoint Security Program Management Office (ID3) is seeking information from industry to assist with the development and planning of a potential new requirement.

The objective of CMRS is to assess and measure the state of the DoD Enterprise security controls such as software inventory, Security Technical Implementation Guide (STIG), patch compliance, anti-virus configurations, ESS Readiness, and EOL, and to provide metrics to support the Secretary of Defense Cyber Security Hardening scorecard metric and enterprise software counts to the Federal IT Acquisition Reform Action (FITARA) scorecard. CMRS also helps the end user monitor their enclave for potential security weak points, to include all aspects of assets within the DoD infrastructure. The CMRS PMO is seeking information from interested vendors of products capable of replacing the existing CMRS, with the following core capabilities being demonstrated and operationalized today:

  1. Device/Asset data – 3,000,000-10,000,000 Device records; 200-400 compliance rules reported per device per week; Software and patch inventory of 500-800 patches and applications per device, updated daily; 100 additional attributes tracked per device, updated weekly; Data maintained for 5 years or for the time period a device is present on the DOD Information Network (DODIN).
  2. Bulk analysis – The system must run a minimum of 1000 compliance checks against endpoint data in the system, including calculation of required patch compliance based on DOD Information Assurance Vulnerability Management (IAVM) directives, required endpoint product configurations, end of life operating system and software, device roles (e.g. domain controller, file server, etc.), suspected malicious software, or other properties present in collected data. Analytics may be calculated at runtime or in a batch processing job.
  3. Content Creation and Maintenance – The system must enable or provide content to include policies to be run during bulk analysis to include checks for configuration compliance and identification of vulnerable or high interest device functions or configurations. The system must also be updated as new software reaches end of life or approaches end of life so appropriate displays will remain accurate over time.
  4. Users/Accounts/RBAC/ABAC – The system will be accessible to all DoD users (2.5 million personnel). The system must be scalable with a minimum of 20,000 user accounts and 200 concurrent users. The system must use PIV-compliant access tokens to authenticate and authorize users and restrict read access to records users are authorized to see. User access must dynamically adjust based on re-organizations, establishment of new Authorizations to Operate, and locations as a function of assignment of permissions to a node in organization, location, or system hierarchies.
  5. Aggregated data – The system must aggregate and fuse data from a variety of DoD endpoint sensors (Trellix, ACAS, MDE+, Tychon, Tanium, and C2C, etc.) and threat and vulnerability management tools (FireEye, ThreatQ, etc.) to provide users with insight into IT assets and data in the DoD organizations.
  6. Data Correlations – Correlation between multiple endpoint sensors, devices, and networks; hierarchical relationships between networks and subnets, devices and VDI, organizations, locations, and other required relationships; mapping technical findings to Cybersecurity controls.
  7. Business Logic – Ability to provide aggregate pictures of risk, compliance, or inventory roll up or drill down to appropriate DODIN Area of Operations, Owning Organization or Owning Unit, Administration Unit, CSSP, Combatant Command Area of Responsibility, Geolocation, and system ATO levels, rollup selectable; Ability to determine required inventory and compliance reports based on asset configuration and compute missing components; Ability to institute dynamically created rules to correlate assets reported by disparate sensors into single asset records; Ability to associate severity values with discrete findings to calculate risk/severity analogs on a per asset, organization, or system basis and include modifiers based on network zone, confidentiality, role, function, or other constraints to modify risk based on asset environments.
  8. System Interfaces – Implement and operate web service interfaces to consume data published in multiple data formats such as DoD Asset Reporting Format (ARF), Assessment Summary Results (ASR) format and successor formats either developed by the DOD or NIST using equivalent XML, JSON, and CSV; Implement and operate web service interfaces to provide federated query capabilities across DoD components; Ingest, parse, and update libraries of policies (based on benchmark, rule ID, description, Rule ID, Check ID, arbitrary “facts”, and associated identifiers). Vendors may propose alternate data collection and aggregation methodologies.
  9. Data collection and aggregation must provide capabilities for offline generation of data that can be provided to the system using manual uploads or through one-way data connections.
  10. Information Visualization – Present dynamically tailorable views of inventory, compliance, and risk at any given N-tiered level based on organization, location, and system affiliation; Provide reporting status updates and highlight endpoints either missing reports or not fully reporting required data; Provide graphs of inventory, compliance, and risk changes over time at any given N-tiered level; Provide automated normal-curve grading of organizations, locations, and systems at any given N-tiered level for elements related to inventory, compliance, and risk. Provide Business Intelligence (BI) functionality to enable users or system administrators to deploy complex reports with multiple rows and columns capable of hyperlinking to drill down to lower-level organizations, locations, or to device listings…
