CISA Cybersecurity Division (CSD) Vulnerability Management (VM) Blue Teaming Industry Day Event

Dear Industry Partners,

The Department of Homeland Security (DHS) Office of the Procurement Operations (OPO) and the Cybersecurity and Infrastructure Security Agency (CISA) is hosting a Vulnerability Management (VM) Assessments Branch Operational Resilience (OR) Section Industry Day event virtually via Microsoft Teams on Tuesday, July 20, 2021 from 10:00AM to 11:30AM EST. The goal of the Industry Day event is to provide information on the upcoming Blue Team Contract (BTC). The BTC seeks to partner with industry for the purpose of conducting cybersecurity assessments on Information Technology (IT) and Operational Technology (OT) Infrastructure.

The VM Assessments Branch OR Section provides cybersecurity assessment services to Federal Departments and Agencies (D/As), State Local, Tribal and Territorial (SLTT) and private sector entities for IT and OT systems and networks. This requirement is for Subject Matter experts and operational assessment support with demonstrable experience across all 16 critical infrastructure sectors. The specified work includes the conductance of 200 300 assessment engagements per year, which consist of interview sessions and customer data analyses via penetration testing or data capture and network flow analysis. The interviews and penetration testing are conducted at customer facilities, which can include US and selected International sites. OR is looking to partner with the private sector to enhance the quality and quantity of their OT and IT assessments.

The current assessments include:

• High Value Asset (HVA) Interview and Pen Test - Assesses the security architecture of IT networks and systems to identify technical and procedural concerns that could expose the organization to risk. Through on-site testing, discovers and validates the security posture of the HVA evaluating its exposure to vulnerable software, configurations and potential exploit paths used by adversaries. The final report provides an organization with actionable remediation recommendations prioritized by risk.
• Validated Architecture Design Review (VADR) and optional Operational Technology (OT) Pen Test - A Validated Architecture Design Review (VADR) evaluates systems, networks, and security services to determine if they are designed, built, and operated in a reliable and resilient manner. VADRs are based on standards, guidelines, and best practices. As a future service enhancement, the OT pen test will discover and validate the security posture of the customer selected system/network evaluating its exposure to vulnerable software, configurations and exploits that can be used by adversaries to gain access to and modify OT operations.

After the Industry Day Event, CISA intends to release a Request for Information (RFI) to gather additional market research and vendor input for this upcoming procurement.

Registration Instructions:

Registration is required for each attendee. Industry partners are limited to no more than two (2) individuals per company.

If you are interested in attending the virtual Industry Day event, please register at the below link no later than July 18, 2021. Reservations through any other means will not be accepted or allowed.

Registration Link:

https://cvent.me/xk9GdR

For those vendors unable to attend the event in real-time, the Federal Government will post a recording of the event along with other resources/documents shared during the virtual Industry Day after the event's conclusion.