Elements of the Automated Intrusion Detection Capability

* Monitoring services — must continuously monitor messages or audit information

from a subscriber's network. This may include data indicating an active

breach or the vulnerability of a subscriber's network security. The system

may be able to filter security events for relevance.

* Device support — must be able to support multivendor intrusion-detection

systems, firewalls, routers and other security products.

* Communication services — must transport event data to a security

operations center through encrypted and authenticated methods, with no

other connections being permitted.

* Security operations center — will receive, process and analyze data.

* Event processing — performed by hardware, software and security analysts

supplied by the vendor. Analysts will monitor security data and quickly

identify instances of suspected attacks, violations, weaknesses or malicious

activity across an agency's information enterprise. The vendor must be able

to determine the severity of the attack, provide vulnerability analysis

and notify FedCIRC and the agency subscribing to the service, including

providing recommendations for action and resolution. If the analysts determine

that an incident can harm or penetrate the agency's systems, the contractor

must notify the agency and FedCIRC immediately.

Source: GSA draft request for proposals for AIDC