State Department Releases RFI for Cloud Mission Support

The State Department is turning to the private sector for more information on leveraging managed security services with each of its cloud architectures, including Software As A Service (SAAS), Platform As A Service (PAAS), and Infrastructure As A Service (IAAS).

In a Sept. 14 request for information (RFI) posted on Beta.Sam.Gov, the Department of State explained it has made substantial investments in migrating software, services, and IT operations to cloud service providers (CSPs). A handful of State Department’s component agencies – the Bureau of Diplomatic Security (DS), Directorate of Cyber and Technology Security (CTS), Office of Cyber Monitoring and Operations (CMO) – are seeking to identify managed security services technical capabilities and conduct market research.

Specifically, they are looking for more information on the following areas for a multi-cloud environment:

  • Providing managed security services to cloud platforms, to include:
    • centralized information technology (IT) security event monitoring and incident detection/response capabilities;
    • incident detection to facilitate timely responses to cyber threats preventing widespread propagation of malicious activity;
    • threat information collection and analysis with the cloud environment, potentially augmented with USG provided threat intelligence;
    • threat and vulnerability analysis to ensure systems protection from internal and external threats that would compromise the confidentiality, integrity, or availability of department information, infrastructure, and systems;
    • analysis of cybersecurity events to identify intrusions, malware, maintain metrics, and produce reports for management, IT security officials, federal defenders and cyber incident responders; and
    • penetration test services for new and expanding on and off-prem environments.
  • Comparative decision points as they relate to Bring Your Own Tech (BYOT) and Provider provided tools.
  • Industry insight as to managed security service provider tools and/or data architecture/s for SAAS, PAAS, and IAAS respectively with customer requirements for maximum services value to the Department.
  • Ensuring seamless coordination and partnership with the mature Department Cyber Incident Response Team (CIRT).
  • Providing additional consulting services to continuously improve the multi-cloud cybersecurity program.

The State Department said its objective with the RFI is to explore “whether a partner or partners that have a catalogue of security capabilities for cloud environments to satisfy required security controls is in the best interests of the government.” The department noted that it has seen “dramatic increases” in bureaus leveraging cloud services to meet their mission. According to the RFI, the CMO has identified a need to provide a method for procuring security services to meet Authority to Operate requirements and to inherit security controls from CMO.

Currently, the department explained, the CMO believes a Managed Security Services Provider (MSSP) model in which service providers are “vetted and have established operations procedures with CMO from which system owners and/or CMO can procure services potentially serves the department’s interests by rapidly scaling security services for cloud implementations.”

The RFI includes a lengthy list of questions for the private sector centered around a handful of topics. The department is looking for more information on:

  • Data Protection;
  • MSSP capabilities;
  • Issues related to the department’s Cyber Incident Response Team;
  • What managed security services or consulting services the contractor can provide;
  • Details regarding the Service Level Agreements;
  • What contract vehicle(s) may be available to the department to access the services of the potential offerors; and
  • Any concerns the contractor may have about the project.
Kate Polit