CSD VM Blue Teaming Industry Day July 20 2021.pdf
Posted: July 27, 2021
CISA | CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY
CYBERSECURITY AND INFRASTRUCTURE SECURITY AGENCY (CISA), CYBER SECURITY DIVISION (CSD), VULNERABILITY MANAGEMENT (VM)
OR BLUE TEAM CONTRACT INDUSTRY DAY
July 23, 2021
Agenda
TLP:WHITE
1000 - 1015  Welcome / Opening Remarks
  Review agenda and goals for event
  Set expectations about the types of questions government personnel will be able to answer
  Introduce all the presenters and panelists and define their role
1015 - 1045  Program Overview
  How the Program supports the Agency's mission
  Program stakeholders
  Policy requirements
  Program's specific needs
  Other constraints
1045 - 1100  Procurement Information
  Acquisition Strategy
  Acquisition Timeline
  Acquisition Requirements
  Acquisition Procedures
  Allow time for audience Questions and Answers via the online submission function
1100 - 1125  Question and Answer Period
  Open to follow up questions from earlier topics or new issues
  Document all questions and answers
1125 - 1130  Formal Event Close
  At a minimum, provide an email address that participants can use to submit questions that will be answered publicly (e.g., via SAM.gov) after the event has wrapped up
Welcome / Opening Remarks
Hillary Carney, Section Chief Operational Resilience
Steven Pozza, Deputy Section Chief Operational Resilience
Kirk Lawrence, Senior Advisor to Vulnerability Management Subdivision
Ground Rules
Industry Day is part of Market Research for the Assessments
Branch, Operational Resilience (OR) section Blue Team Contract
(BTC) requirement. The purpose is to foster understanding and
dialogue between Assessments Branch OR and Industry. All
materials being presented are in draft form and may change in
whole or in part prior to the issuance of a Request for Proposal
(RFP). Questions received from Industry as a result of the Industry
Day will be considered in the formulation of the final acquisition
strategy. Potential offerors, while gaining insight into the BTC
requirement, must rely on any potential RFP or its amendment(s)
as the sole source of accurate information pertaining to the BTC.
All comments made by presenters are within the scope of Market
Research and should not be used as the basis of proposal
creation.
Ground Rules Cont'd
No Classified Information will be shared during this session
This session is being recorded
Questions can be submitted in the Team Q&A Function
Information provided by Industry, unless marked proprietary, will be considered releasable
The slides will be posted to SAM.gov no later than 72 hours after the conclusion of this event
A firm does not have to be present at the Industry Day to participate in the solicitation process for the BTC
Questions are welcomed and will be addressed in the last segment
Disclaimer
Information being presented on subsequent slides is CISA's current intent for the Blue Team Contract (BTC)
Draft requirement documents are subject to change
This is not a commitment by CISA to purchase any of the services described in this brief
CISA will use the information from Industry Day and Request for Information (RFI) and other market research sources to help determine its approach to meeting the goals and requirements of the BTC
CISA External Stakeholders
CUSTOMERS
Federal Civilian Executive Branch (FCEB) Agencies
State, Local, Tribal, and Territorial Governments
Critical Infrastructure and Private Sector Partners
STAKEHOLDERS
Department of Homeland Security
Office of Management and Budget
National Security Council
Program Overview
Source Policies and Guidance
DHS BODs
OMB memorandums
NIST Frameworks and Special Publications
DHS Guidance
White House Executive Orders
National Critical Infrastructure Sector Specific Plans
Vendor Best practices
Cyber Assessments Overview
Our Mission: Enhance situational awareness and enable efforts to reduce risk and increase national resilience
Expertise and a history of success providing services to Unclassified Information and Operational Technology (IT and OT) environments
Proactive services to government and critical infrastructure clients to assess and improve cybersecurity posture, understand risk, and identify operational strengths and weaknesses
Services are provided at no cost to our customers
Our payment is authorization to use anonymized, non-attributable data to enhance national situational awareness and enable our stakeholders to make data-driven decisions
July 20, 2021
Core Capabilities
Assessments Goals
Operational Resilience
The Vulnerability Management (VM) Assessments Branch Operational
Resilience (OR) Section provides cybersecurity assessment services to
Federal Departments and Agencies (D/As), State, Local, Tribal and
Territorial (SLTT) and private sector entities for information
technology (IT) and operational technology (OT) systems and
networks. This solicitation is for Subject Matter Experts and operational
assessment support with demonstrable experience across all 16 critical
infrastructure sectors. The specified work includes the conduct of
200-300 assessment engagements per year, which consist of
interview sessions and customer data analyses via penetration testing
or data capture and network flow analysis. The interviews and
penetration testing are conducted at customer facilities, which can
include US and selected International sites. Operational Resilience is
looking to partner with the private sector to enhance the quality
and quantity of their OT and IT assessments.
Key Takeaways - OR Mission
Customer Base: Federal D/A, SLTT, Commercial entities
Assessment Types: IT and OT cybersecurity architecture reviews
Personnel Required: Mix of SME and mid-level personnel
Experience Required: Demonstrable cybersecurity in support of all 16 CI sectors
Expected Assessment volume: ~ 200-300* assessments per year
*Assessment metrics are calculated by VM/Assessments on an annual basis and may increase due to operational demand
Operational Resilience - Today
Assessment: High Value Asset (HVA) Assessment: Semi-structured interview and pen test
Assessment Purpose: Assesses the security architecture to identify technical and
procedural concerns that could expose the organization to
risk. Through on-site testing, discovers and validates the security
posture of the HVA, evaluating its exposure to vulnerable software,
configurations and potential exploit paths used by adversaries. The
final report provides an organization with actionable remediation
recommendations prioritized by risk.
Assessment: Validated Architecture Design Review (VADR): Semi-structured interview, OSI and traffic analysis with optional Operational Technology (OT) pen test
Assessment Purpose: A Validated Architecture Design Review (VADR) evaluates your
systems, networks, and security services to determine if they are
designed, built, and operated in a reliable and resilient manner.
VADRs are based on standards, guidelines, and best practices. As a
future service enhancement, the OT pen test will discover and
validate the security posture of the customer-selected
system/network, evaluating its exposure to vulnerable software,
config and exploits that can be used by adversaries to gain access
to and modify OT operations.
HVA Assessment - Current
Assessment Component: Detail
Target: Tier I Federal D/A High Value Assets (can include systems, networks, mainframe, mobile, client-server, web application, cloud, ICS and multi-system assessments)
Team Composition: 1 Federal Assessment Lead; 1 Contractor Cyber practitioner; 1 Contractor Pen Test operator
Assessment Length: 1-week onsite testing, 90 days overall (60 planning, 1-week execution and 3 weeks reporting)
Subject Areas: 10 Discussion topic interview sessions + pen test
Volume: 100+ (based on operational need and fluctuation in Federal HVA inventory)
HVA Assessment Process
[Process diagram; recoverable labels:]
SME Interviews: 10 cyber topics
Documentation Review
Cyber to business risk
Service discovery
SW vuln discovery
Targeted pen
Vulns
Exploits
Incident Response
Eval Cyber Ops people, process, tech
HVA Assessment Process
Phases: Induction, Planning, Execution, Post Execution
Verify Legal documentation has been signed and received
ROE
Meet & greet with identified POC
Establish needs for planning stage
Assign ctr team members
Establish tickets for assessment tracking
HVA Assessment Process
Phases: Induction, Planning, Execution, Post Execution
Review supplied Agency documentation
Confirm Assessment Scope & Negotiate Appendix A
Research HVA and provide outputs to Lead
Plan for On-Site Assessment Logistics
Conduct kick-off
HVA Assessment Process
Phases: Induction, Planning, Execution, Post Execution
HVA On-Site Assessment Overview
Interviews with Key Personnel
Pen Test of HVA system
Out Brief
HVA Assessment Process
KEY INTERVIEW AREAS
On-site interviews with key personnel will include the following domains:
Identity and Access Management
System Description
Network Protections
Application Security
Host Based Security
Service Continuity
Risk Management
Incident Management
Continuous Monitoring
Dependencies