CISA seeks threat hunting tracker

On January 22, the Cybersecurity and Infrastructure Security Agency (CISA) posted a request for information (RFI) for a threat hunting task tracking system. Responses are due by 5:00 p.m. Mountain on February 2.

The purpose of this RFI is to solicit information directly from industry for capabilities and architectures that would provide a secure work management tracking system. Preferably, the work tracking system has been previously accredited by the Department of Homeland Security (DHS) or the Department of Defense (DOD). This would be a service contracted and directed by DHS Cybersecurity and Infrastructure Security Agency (CISA) and executed by a commercial service provider.

To better secure the Federal government’s information technology enterprise, CISA is interested in contracting commercial services to provide an incident management work tracking system. CISA Threat Hunting (TH) requires a solution that provides data resiliency for the incident management system. The desired solution should have redundancy, failover, load balancing, rate limiting, and the option to scale to the cloud. The desired system should meet the FIPS 140-2 minimum for encryption. The system should perform full account logging (successful and unsuccessful) for all assets in the system and integrate with the existing SIEM architecture. In addition, the system should allow full host-based logging from all assets in the system and integrate with an existing SIEM architecture.

  • The system must migrate historical data from a customer’s previously used incident management tracking system
  • The system must allow for domain mapping (i.e. priority matrix modeling)
  • The system should include a threat scoring module or allow development and customization of one
  • The system should support incident, problem, change, and release management
  • The system must include an email functionality for internal and external communications
  • The system must include an API or feed into customer SIEMs
  • The system should have capability to autogenerate a ticket via an email to the system
  • The system should be capable of updating tickets via email to the system
  • The system should have a resident metrics engine for asset, basic, advanced and enterprise reporting

Full information is available here.

Source: SAM