The Defense Innovation Unit wants to begin annual penetration testing, red teaming and cybersecurity training to ensure its own networks are compliant with federal standards.
The agency’s Washington Headquarters Services Acquisition Directorate seeks quotes from small businesses for 12 months of services. Businesses worth $27.5 million or less qualify, and the fixed-price order requires offers to stay firm for 120 days after the Sept. 16 deadline.
As the Pentagon’s innovation arm, DIU procures commercial solutions to rapidly improve national security. In this case, it’s looking to help itself. Services will be delivered in three phases, the first being penetration testing of key information technology complete with vulnerability scans, a systems audit using a series of attacks and a final report. The winning vendor is expected to have more than 10 years of penetration testing experience.
Phase two involves red teaming — simulated, real-world attacks that will expose weaknesses in DIU’s information security program and document evidence of compromises with screenshots and video of physical or electronic breaches.
The final phase, team training, will use the data gathered from the first two phases to enhance cyber defenses and mitigate vulnerabilities while training staff on current attack techniques. A multi-staged, skill-enhancement program will be developed including blind spot analysis and cyber hygiene training.
The performance work statement calls for “designing and assisting in the creation of supporting processes that allow for a series of systems that enable DIU to actively manipulate the operating environment of a potential attacker. This may include designing and implementing systems that provide additional operational awareness.”
Systems will deploy deception- and decoy-based cyberdefenses to slow attacks. The solutions are expected to work with other technologies like Google Drive, Amazon Cloud Services, Azure Active Directory and VMWare tools.
The end goal is “to help shift the organization to a highly mature defensive position by transitioning from being unaware of certain types of threats, to being aware, to being reactive, and finally to being proactive on the defensive front,” reads the statement. “This includes mapping actions required to achieve the highest level of defensive posture available within a given budgetary range.”