Continuous Monitoring and Risk Scoring (CMRS) Request for Information

Status: Expired
From: Federal Government

Basic Details

Start Date: 27 Feb, 2024
Due Date: 22 Mar, 2024
Type: Bid Notification
Identifier: 832469087
Customer / Agency: DEPT OF DEFENSE

The Defense Information Systems Agency (DISA), Cyber Program Executive Office (PEO Cyber), Endpoint Security Program Management Office (ID3) is seeking information from industry to assist with the development and planning of a potential new requirement. THIS IS A REQUEST FOR INFORMATION (RFI) NOTICE ONLY. THIS IS NOT A REQUEST FOR PROPOSALS (RFP). NO SOLICITATION IS AVAILABLE AT THIS TIME.

OVERVIEW/PURPOSE/DESCRIPTION OF PROCUREMENT

Continuous Monitoring and Risk Scoring (CMRS) is a suite of Government off-the-shelf (GOTS) based software solutions supporting rapid development and creating global and organizational views of inventory, compliance, vulnerability, and risk by enabling visualization of raw data, by running bulk analytics against data, and by applying mitigation, threat, and vulnerability-based scoring algorithms. CMRS integrates Department of Defense (DoD) Enterprise Cybersecurity applications and tools (see the list of current DoD/commercial applications and tools in Appendix A) using National Institute of Standards and Technology (NIST) and DoD data standards to provide near-real-time hardware and software inventories and patching and configuration compliance reporting from multiple DoD sensors (i.e. Assured Compliance Assessment Solution (ACAS), Trellix, Microsoft Defender Endpoint (MDE) + (MDE, Microsoft Configuration Manager (MCM), Intune, Active Directory (AD)), Tanium, Tychon, C2C, etc.). CMRS provides quantification and visualization of status across the DoD enterprise and at the individual program level. CMRS, by displaying an organization's security posture, provides a risk-management approach to cybersecurity oversight. It provides increased visibility into assets by DODIN Area of Operations, Owning Organization or Owning Unit, Administration Unit, Cybersecurity Service Provider (CSSP), Combatant Command Area of Responsibility, Geolocation, and Authorization To Operate (ATO). CMRS leverages automated data feeds to calculate patching and configuration compliance, ensure effectiveness of security controls, and enable prioritized mitigation decisions. Refer to Figure 1 in the Attachment for a systems view of CMRS.

SCOPE OF EFFORT

The objective of CMRS is to assess and measure the state of DoD Enterprise security controls such as software inventory, Security Technical Implementation Guide (STIG), patch compliance, anti-virus configurations, ESS Readiness, and EOL, and to provide metrics to support the Secretary of Defense Cyber Security Hardening scorecard metric and enterprise software counts to the Federal IT Acquisition Reform Action (FITARA) scorecard. CMRS also helps the end user monitor their enclave for potential security weak points, to include all aspects of assets within the DoD infrastructure. The CMRS PMO is seeking information from interested vendors of products capable of replacing the existing CMRS with the following core capabilities, which are being demonstrated and operationalized today:

a. Device/Asset data - 3,000,000-10,000,000 device records; 200-400 compliance rules reported per device per week; software and patch inventory of 500-800 patches and applications per device, updated daily; 100 additional attributes tracked per device, updated weekly; data maintained for 5 years or for the time period a device is present on the DoD Information Network (DODIN).

b. Bulk analysis - The system must run a minimum of 1000 compliance checks against endpoint data in the system, including calculation of required patch compliance based on DoD Information Assurance Vulnerability Management (IAVM) directives, required endpoint product configurations, end-of-life operating systems and software, device roles (e.g. domain controller, file server, etc.), suspected malicious software, or other properties present in collected data. Analytics may be calculated at runtime or in a batch processing job.

c. Content Creation and Maintenance - The system must enable or provide content, including policies to be run during bulk analysis, to include checks for configuration compliance and identification of vulnerable or high-interest device functions or configurations. The system must also be updated as new software reaches or approaches end of life so that the appropriate displays remain accurate over time.

d. Users/Accounts/RBAC/ABAC - The system will be accessible to all DoD users (2.5 million personnel). The system must be scalable to a minimum of 20,000 user accounts and 200 concurrent users. The system must use PIV-compliant access tokens to authenticate and authorize users and restrict read access to the records users are authorized to see. User access must adjust dynamically based on re-organizations, establishment of new Authorizations to Operate, and locations, as a function of the assignment of permissions to a node in the organization, location, or system hierarchies.

e. Aggregated data - The system must aggregate and fuse data from a variety of DoD endpoint sensors (Trellix, ACAS, MDE+, Tychon, Tanium, C2C, etc.) and threat and vulnerability management tools (FireEye, ThreatQ, etc.) to provide users with insight into IT assets and data in DoD organizations.

f. Data Correlations - Correlation between multiple endpoint sensors, devices, and networks; hierarchical relationships between networks and subnets, devices and VDI, organizations, locations, and other required relationships; mapping of technical findings to cybersecurity controls.

g. Business Logic - Ability to provide aggregate pictures of risk, compliance, or inventory, rolled up or drilled down to the appropriate DODIN Area of Operations, Owning Organization or Owning Unit, Administration Unit, CSSP, Combatant Command Area of Responsibility, Geolocation, and system ATO levels, with the rollup selectable; ability to determine required inventory and compliance reports based on asset configuration and compute missing components; ability to institute dynamically created rules to correlate assets reported by disparate sensors into single asset records; ability to associate severity values with discrete findings to calculate risk/severity analogs on a per-asset, organization, or system basis, and to include modifiers based on network zone, confidentiality, role, function, or other constraints to modify risk based on asset environments.

h. System Interfaces - Implement and operate web service interfaces to consume data published in multiple data formats such as DoD Asset Reporting Format (ARF), Assessment Summary Results (ASR) format, and successor formats developed by either the DoD or NIST, using equivalent XML, JSON, and CSV; implement and operate web service interfaces to provide federated query capabilities across DoD components; ingest, parse, and update libraries of policies (based on benchmark, rule ID, description, Check ID, arbitrary "facts", and associated identifiers). Vendors may propose alternate data collection and aggregation methodologies. Data collection and aggregation must provide capabilities for offline generation of data that can be provided to the system using manual uploads or through one-way data connections.

i. Information Visualization - Present dynamically tailorable views of inventory, compliance, and risk at any given N-tiered level based on organization, location, and system affiliation; provide reporting status updates and highlight endpoints that are either missing reports or not fully reporting required data; provide graphs of inventory, compliance, and risk changes over time at any given N-tiered level; provide automated normal-curve grading of organizations, locations, and systems at any given N-tiered level for elements related to inventory, compliance, and risk; provide Business Intelligence (BI) functionality to enable users or system administrators to deploy complex reports with multiple rows and columns, capable of hyperlinking to drill down to lower-level organizations, locations, or device listings.

j. System Performance - Support sustained data ingest throughput of 2.5 Gbps to the enterprise data store; ability to run large queries across the data described above and return results in under 30 seconds, or ability to dynamically pre-stage data to optimize query response; ability for the data layer to interface with multiple knowledge management platforms and application frameworks (e.g., JAVA, MS .Net, Ozone Widget Framework, MS SharePoint); ability to update 100 percent of device data daily.

TECHNICAL CHARACTERISTICS

Solution Characteristics: To meet the stated objectives, the DoD is requesting white papers describing existing commercial products that either fully meet DoD requirements, or that can be quickly and cost-effectively modified to provide the required functionality. The solution should have the following characteristics.
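The correlation and scoring behaviour asked for in items f. and g. above (merging reports from disparate sensors into a single asset record, weighting discrete findings by severity, applying environment modifiers, and rolling the result up an organization hierarchy) is easier to evaluate with a concrete model in hand. The following Python is an added illustration, not CMRS code or any vendor's product: the sensor names, record layouts, severity weights, role and zone modifiers, and the sample reports are all constructed assumptions, and the finding identifiers are placeholders rather than real CVE or STIG IDs.

```python
"""Added example (not DISA/CMRS code): correlate per-sensor endpoint reports
into single asset records, score each asset from finding severities with
environment modifiers, and roll risk up an owning-organization hierarchy.
Sensor names, field layouts, weights and sample records are assumptions."""
from collections import defaultdict

# Constructed sample reports. Sensors identify the same host differently
# (ACAS by IP/MAC, Trellix by MAC/hostname, MDE by hostname), so MAC and
# hostname are the overlapping keys used for correlation. Finding IDs are
# placeholders, not real CVE/STIG identifiers.
SENSOR_REPORTS = [
    {"sensor": "ACAS", "mac": "00:11:22:33:44:55", "ip": "10.0.1.7",
     "findings": [("CVE-0000-0001", "high"), ("CVE-0000-0002", "medium")]},
    {"sensor": "Trellix", "mac": "00:11:22:33:44:55", "hostname": "fs01",
     "findings": [("STIG-V-0001", "medium")]},
    {"sensor": "MDE", "hostname": "fs01",
     "findings": [("CVE-0000-0001", "high")]},       # duplicate of the ACAS finding
    {"sensor": "ACAS", "mac": "66:77:88:99:AA:BB", "ip": "10.0.2.9",
     "findings": [("CVE-0000-0003", "critical")]},
    {"sensor": "Tanium", "mac": "66:77:88:99:AA:BB", "hostname": "dc01",
     "findings": []},
]

# Constructed operational attributes (in CMRS these come from COAMS/OAM).
ASSET_ATTRIBUTES = {
    "fs01": {"org": "Base-A/Unit-1", "role": "file server", "zone": "internal"},
    "dc01": {"org": "Base-A/Unit-2", "role": "domain controller", "zone": "internal"},
}

SEVERITY_WEIGHT = {"critical": 10, "high": 7, "medium": 4, "low": 1}  # assumed
ROLE_MODIFIER = {"domain controller": 1.5, "file server": 1.2}         # assumed
ZONE_MODIFIER = {"dmz": 1.3, "internal": 1.0}                          # assumed


class _UnionFind:
    """Minimal disjoint-set structure used to merge reports that share a key."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]  # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def correlate(reports):
    """Group reports sharing a MAC or hostname into one asset record each.
    Findings are keyed by ID so the same finding from two sensors counts once;
    if sensors disagree on severity, the higher weight is kept."""
    uf = _UnionFind()
    for i, r in enumerate(reports):
        for key in ("mac", "hostname"):
            if key in r:
                uf.union(f"report:{i}", f"{key}:{r[key]}")
    assets = defaultdict(lambda: {"hostname": None, "macs": set(),
                                  "sensors": set(), "findings": {}})
    for i, r in enumerate(reports):
        a = assets[uf.find(f"report:{i}")]
        a["sensors"].add(r["sensor"])
        a["hostname"] = r.get("hostname", a["hostname"])
        if "mac" in r:
            a["macs"].add(r["mac"])
        for fid, sev in r["findings"]:
            if SEVERITY_WEIGHT[sev] > SEVERITY_WEIGHT.get(a["findings"].get(fid), 0):
                a["findings"][fid] = sev
    return list(assets.values())


def score_asset(asset, attributes=ASSET_ATTRIBUTES):
    """Sum of severity weights over unique findings, scaled by role and zone."""
    attrs = attributes.get(asset["hostname"], {})
    base = sum(SEVERITY_WEIGHT[sev] for sev in asset["findings"].values())
    modifier = (ROLE_MODIFIER.get(attrs.get("role"), 1.0)
                * ZONE_MODIFIER.get(attrs.get("zone"), 1.0))
    return round(base * modifier, 2)


def rollup(assets, attributes=ASSET_ATTRIBUTES):
    """Aggregate asset risk and counts at every level of the org path
    ('Base-A/Unit-1' contributes to both 'Base-A/Unit-1' and 'Base-A')."""
    totals = defaultdict(lambda: {"risk": 0.0, "assets": 0})
    for a in assets:
        parts = attributes.get(a["hostname"], {}).get("org", "UNASSIGNED").split("/")
        risk = score_asset(a, attributes)
        for depth in range(1, len(parts) + 1):
            node = "/".join(parts[:depth])
            totals[node]["risk"] += risk
            totals[node]["assets"] += 1
    return dict(totals)


if __name__ == "__main__":
    merged = correlate(SENSOR_REPORTS)
    for a in merged:
        print(a["hostname"], sorted(a["sensors"]), score_asset(a))
    print(rollup(merged))
```

Two design points carry over to any real implementation: deduplicating findings by identifier before scoring, so that three sensors reporting one vulnerability do not triple the risk, and keeping the environment modifiers as data rather than code, since the RFI expects the rules that weight zone, role and confidentiality to be created dynamically rather than hard-wired.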
F1 - Ability to assess employment of DoD mitigation and data collection and data integration capabilities
   ABAC/RBAC access control model where user permissions to view detailed data are aligned to the COAMS hierarchies, either through direct COAMS integration or by mapping COAMS hierarchies to existing access models
   Central aggregation of data, either in a single logical device, a cloud implementation, or federated query functionality
   Enterprise scalability
   Manual or automated data upload to support OOB or non-NIPR systems
   Web service interfaces to eMASS, IAVM, NVD, and other systems as required

F2 - Asset Management/Hardware Inventory
   Computing devices
   Network devices, IOT, etc.
   Online vs. offline/lab devices
   Computation of device totals per operating system or device type per organization, location, system, and sensor to derive denominator values for inventory, risk, and compliance measures
   Device correlation of data received from different sensors, to include identification of unique devices, software inventory, vulnerabilities, compliance measures, and configuration values

F3 - Software Inventory
   Installed software with version details and installed/removed timestamps
   Installed patches with version details and installed/removed timestamps
   Internet browser and application add-ons and extensions
   Software not included in add/remove programs
   Data deconfliction between multiple sensors

F4 - Ability to assess deployment of DoD mandated patches and updates
   Patching/IAVM compliance evaluation and presentation
   CVE open or patched status evaluation and presentation
   Compliance checking for common security product deployment and configuration; association of arbitrary identifiers with devices containing specific software combinations and/or configuration settings
   Combination of multiple compliance calculations using Boolean logic to arrive at measures such as compatibility with Windows 11 hardware requirements, compliance with supported operating systems or installation of extended security updates (ESU), and similar calculations based on measured or computed configuration or reported compliance measures
   Data deconfliction between multiple sensors reporting the same data sets, but at different times and with different confidence levels

F5 - Ability to assess employment of DoD mandated configurations
   Security Technical Implementation Guides (STIGs)
   Others, to include vendor and government or commercial standards body measures, e.g. Center for Internet Security (CIS) benchmarks
   Data deconfliction between multiple sensors reporting compliance data for the same measures
   Ability to mediate between reported compliance measures using alias lookup tables

F6 - Ability to assess employment of DoD mandated baseline security controls
   Endpoint Protection Platforms (EPP), ACAS, MDE, MCM, Intune, AD, and other DoD sensors baseline
   ESS Readiness Dashboard or Data-Centric/Vendor Agnostic Readiness Dashboard

F7 - Ability to assess employment of DoD mandated anti-malware capability

F8 - Ability to assess employment of DoD mandated anti-virus capability
   Date of the anti-virus signature

F9 - On-demand queries, utilizing a Business Intelligence tool (i.e., Power BI, Tableau, SSRS, etc.), for:
   Hardware
   Software
   Patching (posture of specific STIGs and IAVAs, CVEs)
   Configuration
   Security Baseline
   Anti-virus
   Others

F10 - Drilldown and show vulnerability status from different vantage points
   COAMS functionality enabling N-Tier/N-Dimension rollup, drilldown, filtering, and grouping at arbitrary echelons
   A&A, Enclave, ISSM
   By owning org, areas of operation, admin org, accreditation boundary, geographic location, Combatant Command (COCOM), Area of Operations (AO)
   By sensor (e.g., ESS/HBSS, ACAS, Tanium, MDE, MCM, Intune, Tychon, or other DoD sensors as appropriate)
   Device (all information applicable to a particular device in one view)

F11 - Measure of Risk (Global and Local) that factors:
   Network topography
   Mission criticality
   Active threats
   By accredited system
   By DODIN Area of Operations, Owning Organization or Owning Unit, Administration Unit, CSSP, Combatant Command Area of Responsibility, Geolocation, and system ATO levels
   By device

F12 - Historical Trending
   CVSS/CCSS (use the CCRI algorithm from DRSI), customizable as required
   IAVA
   STIG
   ESS/HBSS, ACAS, MDE, MCM, Intune, and other DoD sensors baseline implementation
   ESS Readiness Dashboard or Data-Centric/Vendor Agnostic Readiness Dashboard
   Identified significant publishing/reporting deviations
   DoD Component score/performance over time

F13 - Prioritize and display vulnerability data prioritized by Intelligence Community severity inputs

F14 - Sensors / additional data inputs into CMRS. Examples include:
   Digital Policy Management System (DPMS) - policy content in eXtensible Configuration Checklist Description Format (XCCDF)
   Enterprise Mission Assurance Support Service (eMASS) ATO package attributes
   Command Cyber Operational Readiness Inspection (CCORI/CCRI) - STIG Viewer, SCAP Compliance Checker (SCC)
   C2C (i.e., Forescout, Cisco ISE, Aruba, etc.)
   Tanium
   Tychon
   FireEye
   MDE
   MCM
   Intune
   AD

F15 - Implementable in stand-alone laboratories and on DoD networks (unclassified/classified/disconnected)
   Must be deployable on a traditional hardware or virtual server, in GovCloud (up to IL6), or in DISA-hosted VMWare virtualization environments
   Must be deployable to test/dev environments without requirements for additional licensing
   Must enable distribution and deployment of software and content updates using sneakernet methodologies

F16 - Ability to synchronize with the Cyber Operational Attribute Management System daily to adjust organization, location, data publisher, and system names to reflect new display names, acronyms, and parent-child relationships in reporting hierarchies
   Adjust rollup, drilldown, grouping, and filtering of device populations to match updated hierarchies
   Automatically adjust ABAC to add or remove user and subscribing-system access to device information based on the addition or removal of device organizations, locations, or system ATOs from the respective hierarchy, or on re-designation of device owning, administration, or defending organizations, locations, or ATO package

REQUESTED INFORMATION

Based on the information provided in the previous sections, interested vendors should provide the following in response to the RFI:

I. Describe the proposed CMRS solution, to include product functionality, compliance with the technical characteristics, and assessments of development timelines, scope, and cost to enhance the solution to fully meet DoD requirements. State whether the proposed solution is a complete or partial replacement for the existing CMRS capabilities.
II. Describe the interfaces supported by the tool that can be leveraged by other users and tools to perform data submission and extraction.
III. Describe the maturity and existing deployments of the proposed CMRS solution, along with existing vendor integrations supported in the off-the-shelf versions of the software.
IV. Describe whether the DoD will be able to use the proposed CMRS solution with the existing ARF data feeds until/unless the DoD is able to transition to the vendor's "native" data interface.
V. Describe any controls a proposed CMRS solution implements to provide confidentiality and access control, enabling users to view populations of endpoints that can reasonably be expected to contain endpoints which are either already attributed to their respective organizations, locations, or systems, or which contain endpoints they need to assign that attribution data to.
VI. Describe the pricing methods for the suggested solution, to include the costs of software, training, and operational support. If SME support will be included or proposed, describe this information (Enterprise/Subscription license solution or phased implementation).
VII. Describe content updates provided as part of the solution.
VIII. Describe helpdesk, application patching/maintenance, and engineering support services included with licensing or available for purchase separately, along with costs.
IX. Describe whether the solution/vendor can meet NIAP, STIGs, Assessment and Authorization, 508, FIPS 140-2, and other relevant DoD and Federal policy requirements.
X. Discuss your solution or company offering for training on the software.
XI. Describe how your product is licensed or purchased.
XII. Describe what existing vehicles, if any, the Government can use to procure the solution.
XIII. Provide POC information for organizations with similar scope and requirements to the DoD that have successfully deployed and used the proposed product and that can provide demonstrations or corroborate vendor claims.
XIV. Please also submit the following non-technical information:
   a. Company Name
   b. CAGE/DUNS Number under which the company is registered in beta.sam.gov
   c. Company Address
   d. Technical and Contracts Points of Contact information
   e. Are you a small business under the NAICS 541519 size standard of $27.5M?
   f. If a small business, what type of small business are you (e.g. SDVOSB, SDB, etc.)?
XV. Status as a reseller of maintenance and software for all the software titles proposed.

Response Guidelines: Interested parties are requested to respond to this RFI with a white paper. Submissions cannot exceed 15 pages, single spaced, 12-point type, with at least one-inch margins on 8 1/2" x 11" page size. The response should not exceed a 5 MB e-mail limit for all items associated with the RFI response. Responses must specifically describe the contractor's capability to meet the requirements outlined in this RFI. Oral communications are not permissible. SAM.gov will be the sole repository for all information related to this RFI. Companies who wish to respond to this RFI should send responses via email no later than Friday, March 22, 2024 at 12:00 PM CST to Kenric L. Phillips at kenric.l.phillips.civ@mail.mil and Tara S. Simmons-Gulck at tara.s.simmons-gulck.civ@mail.mil.

Industry Discussions: DISA representatives may choose to meet with potential offerors and hold one-on-one discussions. Such discussions would only be intended to obtain further clarification of potential capability to meet the requirements, including any development and certification risks.

Questions: Questions regarding this announcement shall be submitted in writing by e-mail to Kenric L. Phillips at Kenric.l.phillips.civ@mail.mil and Tara S. Simmons-Gulck at tara.s.simmons-gulck.civ@mail.mil NLT 12:00 PM CST Friday, March 8, 2024. Verbal questions will NOT be accepted. Answers to questions will be posted to SAM.gov. The Government does not guarantee that questions received after 12:00 PM CST Friday, March 8, 2024 will be answered. The Government will not reimburse companies for any costs associated with the submission of their responses.

Disclaimer: This RFI is not a Request for Proposal (RFP) and is not to be construed as a commitment by the Government to issue a solicitation or ultimately award a contract. Responses will not be considered as proposals, nor will any award be made as a result of this synopsis. All information contained in the RFI is preliminary as well as subject to modification and is in no way binding on the Government. FAR clause 52.215-3, "Request for Information or Solicitation for Planning Purposes", is incorporated by reference in this RFI. The Government does not intend to pay for information received in response to this RFI. Responders to this invitation are solely responsible for all expenses associated with responding to this RFI. This RFI will be the basis for collecting information on capabilities available. This RFI is issued solely for information and planning purposes. Proprietary information and trade secrets, if any, must be clearly marked on all materials. All information received in this RFI that is marked "Proprietary" will be handled accordingly. Please be advised that all submissions become Government property and will not be returned, nor will receipt be confirmed. In accordance with FAR 15.201(e), responses to this RFI are not offers and cannot be accepted by the Government to form a binding contract.

Appendix A - DoD / Commercial Systems/Applications

CMRS Data Sources and Consumers (List is not comprehensive for DoD)

Commercial-Off-The-Shelf (COTS)
   Antivirus/Antispyware - Antivirus and antispyware products for DoD
   Assured Compliance Assessment Solution (ACAS) - SCAP-validated network vulnerability assessment tool (Tenable Nessus, Nessus Agents, Security Center, Passive Vulnerability Scanner, and eIAVM)
   Endpoint Security Solution (ESS) Trellix - ePolicy Orchestrator (ePO), Rogue System Detect (RSD), Policy Auditor (PA), Policy Auditor Advanced Host Assessment (PA-AHA), ePolicy Orchestrator (ePO) Rollup
   MDE+ (MDE, MCM, Intune, AD) - An enterprise endpoint security platform that helps defend against advanced persistent threats

Government-Off-The-Shelf (GOTS)
   Digital Policy Management Service (DPMS) - Consolidated system to manage the creation, maintenance, and distribution of STIGs, IAVMs, SCAP content, patches, HIPs rules and signatures; combines and merges partial capabilities of the IAVM System and Patch Service
   Cyber Operational Attribute Management System (COAMS) - "Operational Attributes" are data about a person, device, network, or other entity
   Enterprise User Management (EUM) - A central repository of user accounts and attribute-based access control assertions
   Enterprise Mission Assurance Support Service (eMASS) - RMF support web application, supporting the NIST Risk Management Framework
   Asset Publishing Service (APS) - Trellix module to publish compliance and inventory data to enterprise consumers using WS-Notification and DoD data reporting standards
   Operational Attributes Module (OAM) - HBSS module to perform assignment of operational attributes to host records
   Trellix Policy Auditor - SCAP-validated, agent-based tool that assesses host security compliance
   IAVM System - Collaborative IAVM pre-coordination web site for CC/S/A to input information related to pending IAVM issuances
   Enterprise Patch Management Service (EPMS) - Enterprise patch distribution web server and Windows patch service, hosting Windows and 3rd-party patches for the DoD enterprise
   Ports, Protocols, and Services (PPSM DB) - Web application to track risk associated with well-known network ports, protocols, and services (PPS); supports the registration and tracking of approved application PPS
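Characteristics F4 and F5 above ask for three things that are easy to state and easy to get subtly wrong: reconciling sensor-specific rule names through an alias lookup table, deconflicting the same measure reported by several sensors at different times and confidence levels, and combining resolved measures with Boolean logic into composite checks such as "supported OS or ESU installed". The Python below is an added illustration of one way to do that; it is not CMRS or vendor code. The per-sensor confidence values, the seven-day staleness window with linear decay, the alias table, the measure names, and the sample observations are all constructed assumptions.

```python
"""Added example (not DISA/CMRS code): alias mediation, time/confidence
deconfliction, and three-valued Boolean composition of compliance measures.
Confidences, decay window, aliases and observations are assumptions."""
from datetime import datetime, timedelta

SENSOR_CONFIDENCE = {"MCM": 0.9, "ACAS": 0.8, "Trellix": 0.7}   # assumed
MAX_AGE = timedelta(days=7)        # observations older than this are ignored

# Assumed alias table: (sensor, sensor-native rule id) -> canonical measure.
ALIASES = {
    ("ACAS", "os-supported-check"): "os_supported",
    ("MCM", "OSSupported"): "os_supported",
    ("MCM", "ESUInstalled"): "esu_installed",
    ("MCM", "TPM2Present"): "tpm2_present",
    ("Trellix", "SecureBootEnabled"): "secure_boot",
}

# Constructed observations: (device, sensor, native rule id, value, observed_at)
OBSERVATIONS = [
    ("ws01", "ACAS", "os-supported-check", False, datetime(2024, 3, 1)),   # stale
    ("ws01", "MCM", "OSSupported", True, datetime(2024, 3, 10)),
    ("ws01", "MCM", "ESUInstalled", False, datetime(2024, 3, 10)),
    ("ws01", "MCM", "TPM2Present", True, datetime(2024, 3, 10)),
    ("ws01", "Trellix", "SecureBootEnabled", True, datetime(2024, 2, 1)),  # stale
    ("ws02", "MCM", "OSSupported", False, datetime(2024, 3, 11)),
    ("ws02", "ACAS", "os-supported-check", True, datetime(2024, 3, 9)),   # conflict
    ("ws02", "MCM", "ESUInstalled", True, datetime(2024, 3, 11)),
    ("ws02", "MCM", "TPM2Present", False, datetime(2024, 3, 11)),
    ("ws03", "MCM", "OSSupported", False, datetime(2024, 3, 11)),
    ("ws03", "MCM", "ESUInstalled", False, datetime(2024, 3, 11)),
]
AS_OF = datetime(2024, 3, 12)


def canonical_measure(sensor, rule_id):
    """Mediate sensor-specific rule names via the alias table (F5)."""
    return ALIASES.get((sensor, rule_id), rule_id)


def freshness_score(sensor, observed_at, as_of):
    """Sensor confidence decayed linearly to 0 at MAX_AGE; None if stale/future."""
    age = as_of - observed_at
    if age < timedelta(0) or age > MAX_AGE:
        return None
    return SENSOR_CONFIDENCE.get(sensor, 0.5) * (1 - age / MAX_AGE)


def resolve(observations, as_of):
    """Deconflict: for each (device, measure) keep the value from the
    observation with the best confidence-weighted freshness (F4/F5)."""
    best = {}   # (device, measure) -> (score, value, sensor)
    for device, sensor, rule_id, value, observed_at in observations:
        score = freshness_score(sensor, observed_at, as_of)
        if score is None:
            continue
        key = (device, canonical_measure(sensor, rule_id))
        if key not in best or score > best[key][0]:
            best[key] = (score, value, sensor)
    return {k: v[1] for k, v in best.items()}


# Kleene three-valued logic so that a missing measure yields "unknown" (None)
# rather than silently counting as compliant or non-compliant.
def _and(*vals):
    if any(v is False for v in vals):
        return False
    return None if any(v is None for v in vals) else True


def _or(*vals):
    if any(v is True for v in vals):
        return True
    return None if any(v is None for v in vals) else False


# Assumed composite checks in the style F4 describes.
COMPOSITE_CHECKS = {
    "os_compliant": lambda g: _or(g("os_supported"), g("esu_installed")),
    "win11_hw_ready": lambda g: _and(g("tpm2_present"), g("secure_boot")),
}


def evaluate_composites(resolved, device):
    """Apply every composite check to one device's resolved measures."""
    measures = {m: v for (d, m), v in resolved.items() if d == device}
    return {name: rule(measures.get) for name, rule in COMPOSITE_CHECKS.items()}


if __name__ == "__main__":
    resolved = resolve(OBSERVATIONS, AS_OF)
    for dev in ("ws01", "ws02", "ws03"):
        print(dev, evaluate_composites(resolved, dev))
```

For ws02 the newer, higher-confidence MCM report wins over the older ACAS report, so the OS is treated as unsupported and the device is compliant only because ESU is installed; for ws01 the Secure Boot observation has aged out, so the Windows 11 readiness check reports unknown rather than a false pass. Keeping "unknown" distinct from "fail" is what lets the reporting-status views in item i. highlight endpoints that are not fully reporting instead of miscounting them.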

Location

Place Of Performance: Fort George G Meade, MD, USA
Country: United States
State: Maryland


Classification

NAICS Code: 541519