State Department Needs a Tool to Scan Its Worldwide Network for Vulnerabilities

The State Department wants to make sure its security officials can keep up with vulnerabilities in its networks—an amalgam of sensitive and classified networks, hosted on-prem and in the cloud, in the U.S. and abroad—and is rethinking its Enterprise Vulnerability Scanning Solution in a new contract.

“The DOS Cyber Protection program requires the capability to rapidly scan, assess and report on the security posture of the department’s networks,” according to a draft performance work statement posted to beta.SAM.gov. “The department needs a solution that will provide analysis, monitoring, reporting, configuration, as well as policy and device management.”

In doing so, State is looking for a “lifecycle refresh” for its existing scanning program.

The new EVSS must be able to scan and report on a variety of infrastructure, platforms and software, segregated across varying clearance and sensitivity levels, in domestic offices and data centers and across the globe at all State Department embassies and posts. All told, the tool must be able to scan approximately 250,000 endpoints.

The department is looking for a full-service tool that can scan all of its disparate systems to identify cybersecurity weaknesses, map those to vulnerabilities recorded in the Common Vulnerabilities and Exposures library when appropriate, and produce a feed with real-time information, including “current, emerging and historical vulnerabilities and threats.”

That information must then be fed to security personnel for action, and the solution must be able to assign appropriate roles and restrictions to ensure sensitive vulnerability data goes to the right people.

Along with the data feed, security personnel must be able to run assessment reports on individual systems with customizable fields such as “hostnames, host pools/groups, internet protocol range, geographic location, time and date.”

The scans should be conducted at least twice per week, according to the solicitation, though officials want the flexibility to set different schedules for different networks and systems, “allowing for assessments of not only department domestic endpoints with Eastern to Pacific time zones, but also U.S embassies and posts overseas on local time and after business hours.”

State employees should be able to run customized ad hoc scans at any time, as well.

The department has several different types of infrastructure to work within, including on-prem—government-owned and operated—classified and unclassified networks and two cloud environments, one hosted by Amazon Web Services and the other by Microsoft Azure.

Department systems also contain multiple types of network environments, including, “air-gapped networks; dedicated internet networks; Demilitarized Zones hosted domestically and overseas, not connected to the enterprise network; and multiple, distinct cloud service providers such as Google Cloud, AWS Commercial, AWS GovCloud, Azure Commercial and Microsoft Azure Government.”

Contracting officers are interested in scanning solutions that can work across all of the infrastructure and platforms.

The new EVSS must also be able to integrate with existing risk management tools, including iPost, the department’s enterprise risk management system; CyberArk, the privileged access management tool; and Splunk, the tool used for data management and analytics.

In a Q&A document, contracting officials said the final request for proposals is forthcoming and the department hopes to make an award before the end of the fiscal year.