GSA RFI: CISA Endpoint Detection and Response

Notice ID 47QFRA22K0001


CISA intends to galvanize agency security operations center (SOC) operations by getting as close to 100% coverage as possible on Agency selected and CISA validated, EDR platforms through a “gap-fill” strategy.

A key objective of this EDR RFI is to solicit expertise from industry to validate and/or inform the Government on best practices in process or functionality that should be considered within the context of EDR activities being currently executed (outlined above).

Another key objective of this RFI is to inform a longer-term strategy as to how EDR tools should be maintained across Federal networks over a longer-term horizon based on industry input regarding future capabilities under development, evolution of the market based on customer requirements, and novel strategies being employed by advanced threat actors.

Finally, the information provided by industry may be used by CISA to continuously modernize baseline requirements for CISA’s EDR capability to ensure that a Government baseline for EDR platforms is set at a level that is consummate to the evolving advanced threats that target Federal networks, and tailored against unique requirements of the Federal Civilian Enterprise (e.g. staffing and resource constraints, supply chain considerations, open-standards and interoperability, etc.).


CISA’s CDM program defines the EDR capability as providing cybersecurity monitoring and control of endpoint devices for Federal Agencies. EDR spans the full cybersecurity lifecycle, from the detection of events (observable occurrences in a network or system) and incidents (events that have been determined to have an impact on the organization, prompting the need for response and recovery) on endpoint devices (i.e., workstations, servers, laptops, thin clients, and virtual desktops) and users, to attack responses and incident follow-up and analysis. EDR will also enforce Federal Agency’s EDR administrator access policy based on user attributes and provide for delegation of administrative tasks.

The following are high level (key) functions expected of solutions validated against the requirements of the CDM EDR capability. The below descriptions are high-level functional descriptions of the CDM EDR capability, and additional detail (and decomposed requirements) can be referenced in the most recent CDM Technical Requirements Volume Two posted on GSA’s website.

  1. Configure EDR Security Policy enables authorized users to implement and update agency EDR policy, including, for example, enterprise-wide alert and detection rules, automatic endpoint response actions, and endpoint agent scanning details. Custom plug-ins and scripts may also be configured and deployed to specific endpoints or groups of endpoints. The policy includes the desired state information to support the PDP and PEP.
  2. Collect and Manage Cybersecurity-Relevant Endpoint Events collects, organizes, and records cybersecurity-relevant endpoint event information and data artifacts (see requirements for a list of information collected).
  3. Maintain Endpoint Visibility provides alerts…”

Read more here.


This topic contains 0 replies, has 1 voice, and was last updated by  Jackie Gilbert 1 month, 3 weeks ago.

  • Author
  • #140102

    Replies viewable by members only


You must be logged in to reply to this topic.


Questions?. Send us an email and we'll get back to you, asap.


©2021 MileMarker10, LLC all rights reserved | Community and Member Guidelines | Privacy Policy | About G2Xchange FedCiv

Opportunities. Starting Points.

About our Data

The Vault is a listing of expiring contracts, task orders, etc. within a certain set of parameters, to include:

  • Have an initial total estimated contract value of $10 million or above
  • Federal Civilian Only – DHS, Transportation, Justice, Labor, Interior, Commerce, Energy, State, and Treasury Actions
  • NAICS codes include: 511210, 518210, 519130, 519190, 541511,
    541513, 541519, 541611, 541618,
    541690, 541720, 541990
  • Were modified within the last 12 calendar months
  • The data represented is based on information provided by the government

Who has access? Please note that ALL G2Xchange FedCiv Members will receive access to all basic and much of the advanced data. G2Xchange FedCiv Corporate Members will receive access to ALL Vault content (basic and advanced).

Feedback/Suggestions? Contact us at and let us know what you think. 

G2Xchange FedCiv

Log in with your credentials for G2Xchange FedCiv

Forgot your details?