“The scope of this contract is to provide CISA and participating FCEB agencies access to an existing, commercially available SaaS platform, which will facilitate the submission and tracking of vulnerabilities discovered in internet-accessible information systems, termed FCEB systems, of the FCEB agencies, including Independent Agencies and all Boards, Commissions, and Committees (Chief Financial Officers (CFO) Act and Non-CFO Act Agencies). In addition, as an optional functionality, the Platform shall provide agencies the ability to provide financial incentives (termed “bug bounties”) for valid submissions. Participation in the Platform will be voluntary for FCEB agencies, and therefore the platform needs to scale to support a potentially varying number of agencies at any time. FCEB agencies currently participating in the Platform are captured in the FCEB Agencies List (Attachment A). The FCEB Agencies List will be updated throughout the period of performance of this contract.
The Platform service provider, termed “Service Provider”, shall provide the Government with project management support services including robust platform reporting, effectively securing the platform, and managing the administration and operation of the platform, including its security. The service provider shall provide triage services that ensure submitted vulnerability reports are valid and provided to the impacted FCEB agency. The service provider shall assist agencies that desire a bug bounty program with the means to facilitate financial payment to vulnerability reporters who submit valid reports for FCEB agency systems.
Remediation of identified vulnerabilities on FCEB systems is the responsibility of the appropriate FCEB agency, and not the service provider or CISA.”
“The service provider shall perform the following tasks:
Task 1: Manage, Operate, and Administer the Platform
Task 2: Triage, Route, and Track Vulnerability Reports
Task 3: Facilitate Bug Bounty Program…”