CISA CSD Industry Day 15-17NOV22 Vendor Questions.pdf


Contract Opportunity
Jan. 26, 2023




Number Vendor Question(s)

Wanted to follow up on the fact sheet that Mike tried to send out
during the break-out session.
Thank you for the session today about the CCIPP program. We are
interested in becoming part of the program. Kindly send us information
on how to participate in the program.

Could you please send over the CCIPP Program fact sheet that was
listed in the chat?
I did not have access to download the document directly from Teams.

Has CISA expressed an interest in tailoring the approved cyber model
(products required in the process of securing/mitigating system
vulnerability) to system location, purpose, and user set? If so, would the
Cyber Strategy call for a build out of models for matching a model to a
particular system's needs? (Are we moving away from one size, security
tool set, fits all, and what is the Cyber Strategy to do that and retain a
secure posture?)

Are you considering identity management solutions already in place
like through GSA's transform office?

The mission of Capacity Building Cybersecurity Oversight and
Enablement includes driving the implementation of policies and
practices through directives, guidance, and targeted engagement. Is
our understanding correct that this includes:

Authoring and issuing Binding Operational Directives
Coordinating with OMB on the Annual Guidance on Federal Information Security and Privacy Management Requirements
Authoring and issuing standards for federal civilian executive branch (e.g., SCuBA, Zero Trust Maturity Model)

Can you please let me know who leads the TIES program? I am an
existing CISA CSD vendor and would appreciate your help.

Are there any efforts within CSD to address crypto security
vulnerabilities? Along those same lines, are there any efforts to address
cybersecurity needs as agencies implement HPC and Quantum
Computing Platforms?

CISA Proposed Response
Please see the CCIPP Factsheet.pdf posted to
Please see the CCIPP Factsheet.pdf and email at ocso- CCIPP is currently not available within CISA
and is in its development stage. It will be announced once
interim option is available.
Please see the CCIPP Factsheet.pdf posted to

Under FISMA there are multiple approaches to tailoring
cybersecurity controls based on risk. The NIST Risk
Management Framework outlined in NIST SP800-37r2 outlines
a comprehensive 7 step process for managing risk to IT systems.
An example of CISA's use of this approach to tailor controls is
the High Value Asset Control Overlay which is intended to
address the special security needs of the most critical federal
systems (

CISA is aware of government identity management solutions
offered by federal agencies, including, and considers
them when making program decisions regarding identity and
access management capabilities.

The Program Office has not made a determination yet.

Capacity Building (CB) leads the TIES program. Please keep an
eye on the Acquisition Planning Forecast System (APFS) to learn about CISA upcoming
requirements. Additionally, you may reach out to the CISA APFS
Team via email for updated

The Program Office has not made a determination yet. Please
keep an eye on the Acquisition Planning Forecast System (APFS) to learn about CISA upcoming
requirements. Additionally, you may reach out to the CISA APFS
Team via email for updated

Number Vendor Question(s)

We understand that CISA does not discuss specific procurement
actions or details during industry days. A search of the Acquisition
Planning Forecast System ( or does
not show any information about the upcoming CDM procurement
opportunities. Given recent media discussions on the next 10 years for
CDM, can CISA share more about their plans to continue to partner
with industry to accomplish the CDM mission?

Will a pre-solicitation conference be scheduled to review initial
requirements for CDM?

When does CISA plan to provide additional information on the
procurement schedule for CDM, to include release of a draft RFP, dates
for a pre-solicitation conference, or conducting a CDM specific industry

Will CISA describe the results of the market research RFIs (i.e., EDR,
Layer B) released in 2021?

Will CISA release any further RFIs related to CDM?

I have a question for the Threat Hunt team: Are there ways to
automate adversary threats currently in CISA's portfolio?

CISA Proposed Response
The Program Office has not made a determination yet. Please
keep an eye on the Acquisition Planning Forecast System (APFS) to learn about CISA upcoming
requirements. Additionally, you may reach out to the CISA APFS
Team via email for updated

Yes. Presently, Threat Hunting automates threat information
through the use of a Threat Intelligence Platform (TIP). The TIP
is a critical part of this effort that integrates knowledge,
information, and data from a variety of partners, to include the
U.S. Intelligence Community (IC), state, local, tribal, and
territorial (SLTT) governments, private sector, international
partners, U.S. critical infrastructure, and computer network
defense communities. In addition to the TIP, Threat Hunting is
continuously looking for ways to improve the automation and
use of Adversary information to drive cyber defensive

Question was asked live, yet the concept of Threat Assessment was
misunderstood as about CTT. Cyber table top is not the required
written report developed in four stages of Mission Threat, Threat
Assessment Mission, Threat Assessment Cyber and Threat Assessment
System. What about the research and reporting for the Threat
Assessment report?

A: The Program Office has not made a determination yet and
is still undergoing market research. Please keep an eye on the
Acquisition Planning Forecast System (APFS) https://apfs- to learn about CISA upcoming requirements.
Additionally, you may reach out to the CISA APFS Team via
email for updated information.

In support of the DHS instruction 102-01-012 I have seen Programs
have been hesitant to step forward to staff or fund Threat Assessment
stages past Mission Threat. Components have not had personnel to
allocate to Threat Assessment development. Would rules be broken if
Threat Assessment development and reporting were outsourced?

Does CISA have needs for automating across security domains,
Cross-domain solutions and possibly automating VM results, for example
take low-side/open source results then automatically send those
results up to a high side where automation can link / enrich with
intelligence and then take subsequent automated actions or is this
beyond how CISA wants to deploy intelligent automation?

Yes, in fact, we do desire more automation when it comes to
sharing VM data. We are also interested in enriching our low
side blue space visibility data with high side analytics, so that
we may be able to provide meaningful intel to the IC
community. Towards that end, we are looking to partner with
other agencies who may already have high side environments to
build pathways for better data collaboration. Any tools and
services which could help us to advance those objectives would
be of interest to CSD and VM. The timeframe for exploring
these technology horizons is over the next two years.

Number Vendor Question(s)

In day one, session one it was stated response teams which were
typically sent as boots on ground to attacks such as large impact
ransomware were being redirected to become hunting teams to
identify and locate adversaries to stop the root cause as opposed to

Does CISA have plans to change other reaction mechanisms in place to
similar where a lesser ROE also be exchanged for same energy higher
yield? Is there action or strategy that CISA can indicate to vendors to
assist in changing the reactive landscape to proactive?

CISA Proposed Response
CSD has developed plans, such as the Operational Visibility
Strategy (OVS) and the Joint Collaborative Environment (JCE)
Strategy, to significantly increase our access to and use of data
to improve visibility across the terrain we are accountable to
safeguard. Through implementation of these strategies, this will
enable strategic advances in visibility, scalability, and the
provision of capabilities to reduce cyber risk to the nation. Our
intent is to maximize available data across our entire portfolio
of capabilities to prioritize the threats we pursue and apply
rapidly evolving information to our defensive measures.
Prioritizing scalable services shall allow us to better understand
the attack surface and reduce risk, as well as identify and
respond to threats. Finally, we will work closely with our many
partners to stop threat actors from achieving their objectives by
building joint operational capabilities and transitioning towards
collaborative, proactive risk reduction.

RE: POAM resolution for POAM affected by Critical infrastructure
providers. Can CISA or does CISA have the right to establish a process
or method to require a vendor to validate the "not possible" because
affecting other customers? Is it really not possible or is that an excuse
to not deal with the vul findings hurting the agency using that

While CISA can establish best practices and a methodology to
support POAMs, verification of a vulnerability, etc., CISA is not a
regulatory entity and therefore cannot direct vendors