EGBA, "External Attack Surface Management (EASM) Tool" RFI

Background
The State of Colorado's Office of Information Technology (OIT) is responsible for providing IT resources to Executive branch agencies and other State government entities. This includes technology infrastructure, software, hardware, storage, telecommunication, public safety radio, cyber security, and related professional services.

The purpose of this Request for Information (RFI) is to understand the market for External Attack Surface Management (EASM) tools and solutions.

Work Details
The State of Colorado is interested in the following requirement categories for EASM tools: Detection, Integration, Configuration, Reporting, Process Improvement, and Usability. Specific requirements include:

Detection:
- Identification of unknown assets both Internal and Internet Facing
- Detect typosquatting/Spoofed web portals
- Detect certificates
- Detect vulnerabilities
- Detect misconfigurations/risk & compliance issues
- Detect open ports
- Continuous monitoring
- Monitors a wide range of technology (e.g., IoT/Scada/webcams)
- Supply chain monitoring
- Internal/external attack surface monitoring (BSA) (combines internal and external)

Integration:
- Integration with asset management tools
- Integration with other tools for alert reporting and interoperability with other systems.

Configuration:
- Group based on agency including both consolidated and non-consolidated. Ability to add/configure domains and IP addresses to monitor without relying on the vendor.

Reporting:
- Clear & concise data, actionable data, low false positives, alerting capabilities, good dashboards and reporting features including scheduled reporting.

Process Improvement:
- Breach attack simulation, awareness of vendor risk where they manage services, flexibility to prioritize findings, ability to execute lateral movement attack BSA, outage monitoring during attack simulation BSA.

Usability:
- Multi-tenant capabilities, unlimited discovery licensing, easy cleanup of old or non-related assets, clearly shows discovery paths for assets and issues discovered.

Period of Performance
This RFI is intended for market research purposes only; no award will result from any response to this RFI. The timeline for activities includes solicitation publication on July 3rd, 2024; written inquiry deadline on July 19th, 2024; state response to inquiries by July 23rd, 2024; and vendor response submission deadline by August 1st, 2024.

Place of Performance
Responses should be submitted electronically via the Colorado Vendor Self Service page at www.colorado.gov/vss.