The State Department is turning to the private sector for more information on leveraging managed security services with each of its cloud architectures, including Software As A Service (SAAS), Platform As A Service (PAAS), and Infrastructure As A Service (IAAS).

In a Sept. 14 request for information (RFI) posted on Beta.Sam.Gov, the Department of State explained it has made substantial investments in migrating software, services, and IT operations to cloud service providers (CSPs). A handful of State Department’s component agencies – the Bureau of Diplomatic Security (DS), Directorate of Cyber and Technology Security (CTS), Office of Cyber Monitoring and Operations (CMO) – are seeking to identify managed security services technical capabilities and conduct market research.

  • Specifically, they are looking for more information on the following areas for a multi-cloud environment:
    • Providing managed security services to cloud platforms, to include:
    • centralized information technology (IT) security event monitoring and incident detection/response capabilities;
    • incident detection to facilitate timely responses to cyber threats preventing widespread propagation of malicious activity;
    • threat information collection and analysis with the cloud environment, potentially augmented with USG provided threat intelligence;
    • threat and vulnerability analysis to ensure systems protection from internal and external threats that would compromise the confidentiality, integrity, or availability of department information, infrastructure, and systems;
    • analysis of cybersecurity events to identify intrusions, malware, maintain metrics, and produce reports for management, IT security officials, federal defenders and cyber incident responders; and
    • penetration test services for new and expanding on and off-prem environments.
  • Comparative decision points as they relate to Bring Your Own Tech (BYOT) and Provider provided tools.
  • Industry insight as to managed security service provider tools and/or data architecture/s for SAAS, PAAS, and IAAS respectively with customer requirements for maximum services value to the Department.
  • Ensuring seamless coordination and partnership with the mature Department Cyber Incident Response Team (CIRT).
  • Providing additional consulting services to continuously improve the multi cloud cybersecurity program.

The State Department its objective with the RFI is to explore “whether a partner or partners that have a catalogue of security capabilities for cloud environments to satisfy required security controls is in the best interests of the government.” The department noted that it as seen a “dramatic increases” in bureaus leveraging cloud services to meet their mission. According to the RFI, the CMO has identified a need to provide a method for procuring security services to meet Authority to Operate requirements and to inherit security controls from CMO.

Currently, the department explained, the CMO believes a Managed Security Services Provider (MSSP) model in which service providers are “vetted and have established operations procedures with CMO from which system owners and/or CMO can procure services potentially serves the department’s interests by rapidly scaling security services for cloud implementations.”

The RFI includes a lengthy list of questions for the private sector centered around a handful of topics. The department is looking for more information on:

  • Data Protection;
  • MSSP capabilities;
  • Issues related to the department’s Cyber Incident Response Team;
  • What managed security services or consulting services the contractor can provide;
  • Details regarding the Service Level Agreements;
  • What contract vehicle(s) may be available to the department to access the services of the potential offerors; and
  • Any concerns the contractor may have about the project.
Read More About
More Topics
Kate Polit
Kate Polit
Kate Polit is MeriTalk's Assistant Copy & Production Editor covering the intersection of government and technology.