CISA Seeks Information for Potential Cyber Threat Intelligence Platform

The General Services Administration filed a request for information on behalf of the Cybersecurity and Infrastructure Security Agency on the availability of Threat Intelligence Enterprise Services—or TIES—to help the agency in its development of cyber threat intelligence—or CTI—capabilities.

According to CISA, there are existing barriers to the federal cyber ecosystem throughout the CTI lifecycle, such as fragmented threat information—which impacts analysts’ abilities to efficiently make informed decisions about these risks—as well as CTI currently existing across various feeds in different data formats. Participants in that intelligence-sharing environment also have various cyber maturity levels. 

CISA added that the federal cyber ecosystem needs to improve CTI tools and services and their procurement, while developing CTI maturity assessments and roadmaps. The ecosystem also needs to create awareness and centralization of CTI requirements. As a result, CISA is working to create TIES to provide customers with CTI services, standards and guidance related to CTI generation, use and sharing. 

Thursday’s RFI will help the government perform market research to identify potential offers and gain industry feedback. As noted in the RFI, industry would help develop or configure a cyber threat intelligence exchange platform and then integrate it with customized CISA applications and a feed for commercial threats. The cyber threat intelligence capabilities will be “offered as a compendium of enterprise services to federal, intelligence community, state and law enforcement customers.”

Specifically, the imagined exchange platform would give stakeholders streamlined CTI ingestion and sharing, as a “one stop integration point for analysts and infrastructure to receive, share and collaborate on relevant and timely CTI, enabling teams to protect their environments and others,” according to the RFI. In particular, the platform would ingest and aggregate CTI from CISA’s Automated Indicator Sharing, commercial threat intelligence feeds and other sources. The CTI platform would allow analysts to collaborate and customers to use a centralized, interoperable platform to examine CTI for cybersecurity risks. 

According to the RFI, the platform should: support the Structured Threat Information Expression—or STIX—data exchange format and the Trusted Automated Exchange of Intelligence Information—or TAXII—data transfer mechanism; provide a REST API—or representational state transfer—to allow external clients automated access to data and workflows in the platform; allow for the ingestion, tagging and correlation of multiple threat-related data sets; and support native data types for STIX Domain Objects in addition to being able to index and query the such objects.

Responses regarding industry capabilities and recommendations are due on Dec. 19.