Notice ID: 24-031-OITA
The Internal Revenue Service (IRS) has a requirement for Security Advisory Alerting Service.
Note: The Request for Information will be available on April 11, 2024, and will be distributed through NASA SEWP and through the Government Wide Point of Entry (GPE) SAM.gov. All future information about this Request for Information, will also be distributed through NASA SEWP and through the Government Wide Point of Entry (GPE) SAM.gov.
Background. The Internal Revenue Service (IRS) has invested significant resources in securing operational Information Technology (IT) Infrastructure and protecting its critical data. However, even the best information security infrastructure cannot guarantee that intrusions or other malicious acts will not happen. When computer security incidents occur, it is critical for the IRS to have an effective means of managing and responding to them. The speed with which an organization can recognize, analyze, prevent, and respond to an incident will limit the damage done and lower the cost of recovery. The greatest action to preventing network intrusion is timely and meaningful security patching of IT relevant software, hardware, application, appliance, IT platform, operating system, network device and/or developmental toolkit. The key to patch management is notification of all security vulnerabilities.
The IRS Computer Security Incident Response Center (CSIRC), within Cyber Threat Fusion Center (CTFC) serves as a mechanism for receiving and/or disseminating security incident information and provides a consistent capability to respond to and report on incidents. The IRS Computer Security Incident Response Center (CSIRC) maintains a 24X7X365 incident response capability serving as the focal point for all coordinated cyber incident response and tracking within the IRS. The CSIRC monitors host based and network-based intrusion detection systems correlating alerts, events, malware analysis, and performs incident response accordingly. The CSIRC also provides network situational awareness. The tools used by the CSIRC for monitoring the network are traditional measures of defense against security breaches and cyber security incidents but have limitations that prevent complete root cause malware analysis of identified events/incidents. The tools are only as good as the content that is delivered to them. They do not capture all of the information required for determining the complete scope of the incident.
Additionally, the IRS IRM 10.8.50 requires the CTFC VAC receive all vendor related security advisories that may affect the IRS enterprise for severity, risks, relevance and dissemination to requisite business units within the enterprise. Publication of security notification is critical to ensure removal of known vulnerabilities from the enterprise. This first step to patch management starts with timely notification of IT vendors’ security vulnerability releases.
Scope of Work. To improve the ability to respond to critical, high, medium and low priority software/hardware vulnerabilities that potentially affect operations within the enterprise, the IRS seeks redundancy with notification of security vulnerabilities via a subscription-based vulnerability alerting services. In short, the IRS has need for subscription-based email services notifying CTFC VAC about vulnerabilities, Zero-Days, and Known Exploited Vulnerabilities (KEVs) potentially affecting all relevant software, hardware, applications, appliances, IT platforms, operating systems, network devices and/or developmental toolkits used in the IRS environment. These email notifications will provide vulnerability details to include vendor-recommended remediations, mitigations and/or security best practices.
- Improve and enhance the capabilities of the IRS CTFC VAC to publish Tiered level approach to distribution of relevant security Advisories, Bulletins, and Alerts to affected Business Units for quick response and patching activities.
- Advisories must include a short description/title, impact, whether the vulnerability can be exploited remotely or locally, all relevant CVE #s, the affected OS or software to include versions affected, a description to include some detail about the vulnerability, a solution to include upgrade versions, configuration requirements and any temporary mitigation steps if a full remediation is not yet available.
- Advisories should also provide all relevant Common Vulnerability Exposure (CVE) information related to the specified software (application, appliance, hardware, platform) flaw, base and any vendor-specific Common Vulnerability Scoring System (CVSS) scoring and Base Metric data, NVD Criticality, release date, last update date (if applicable), change log (if applicable), and links to vendor-related advisories, fixes, guidance, etc.
- The requirement is for an email only service. This service should not be part of a suite and no unique IRS network access is required. This should be one-way email traffic to the IRS. 3.0 Deliverables
- Timeliness of these cybersecurity notifications is essential. Email notifications should not be a daily or period roll-up. The advisory notifications should be received as the vendor releases them …
The PoP consists of 1 Base Year with 3 Option Years from the time of award.
Want to get involved with OS AI? - A small number of Sponsorship Opportunities are now available here. Starting at $500.