DHS releases Hack DHS draft RFP

On April 26, the U.S. Department of Homeland Security (DHS) released the draft solicitation for Hack DHS: CrowdSourced Vulnerability Assessment Services (CVAS). Comments and questions are due by 10:00 a.m. Eastern on May 3.

The acquisition’s objective is to enhance DHS’s cybersecurity posture by leveraging existing commercial crowdsourcing expertise and best practices that are tailored to the Government’s requirements, sensitivities, and mission.

In accordance with Public Law 115-390, “SECURE Technology Act”, the Secretary of the Department of Homeland Security (DHS) approved a multi-year program to execute bug bounties using proven crowd-sourced cybersecurity assessment methodologies on December 14, 2021. A bug bounty is a crowd-sourced penetration test, where security researchers are incentivized to find vulnerabilities (bugs) in systems in return for financial payments (bounties). Bug bounties are tightly controlled and monitored engagements facilitated by a contractor and the DHS Chief Information Security Officer (CISO).

The SECURE Tech Act permits DHS to provide compensation to security researchers who evaluate DHS’s information systems by mimicking malicious behavior. The program draws from industry best practices and on lessons learned from the highly successful “Hack the Pentagon” program at the Department of Defense (DoD). DoD was the first Federal entity to launch this program, however, Bug bounties are commonly used as a best practice in the private sector, e.g., Facebook, Apple, Intel, and Goldman Sachs.

The Hack DHS program has been approved and authorized by the Secretary and DHS needs to procure services in support the program throughout future years. The procured services will assist in proactively protecting DHS’s computer networks and systems that support the mission essential and high valued assets that are critical both for daily business operations and activities. Maintaining the security and integrity of DHS networks and systems is a matter of national security and requires the continuous proactive activities to identify and remediate vulnerabilities that can be exploited by malicious cyber actors. As part of its responsibility to the public at large, DHS is constantly considering innovative and diverse approaches to meet this goal. To support DHS’s continual efforts to remain at the forefront of rapidly evolving technologies, and to maintain the highest levels of integrity and security required of its IT infrastructure, DHS has identified an emerging need to leverage a diverse pool of innovative information security researchers (herein referred to as “researcher”), via crowdsourcing, for vulnerability discovery, coordination, and disclosure activities.

The scope of work, under the resulting Indefinite Delivery Indefinite Quantity (IDIQ) contract vehicle, is to conduct crowdsourced vulnerability discovery and disclosure services across the full range of networks, systems, and information systems, including web applications, software, source code, hardware, software-embedded devices, and other technologies as solicited across the DHS Enterprise or other assets as deemed appropriate by the program office.

Review the full Hack DHS draft RFP.

Source: SAM

The right opportunity can be worth millions. Don’t miss out on the latest IC-focused RFI, BAA, industry day, and RFP information – subscribe to IC News today.