THIS IS A REQUEST FOR INFORMATION (RFI) ONLY. This RFI is issued solely for information and market research planning purposes; it does not constitute a solicitation or a promise to issue a solicitation. Furthermore, those who respond to this RFI should not anticipate feedback with regards to its submission; other than acknowledgment of receipt - ONLY IF a request for an acknowledgement is requested by the submitter. This RFI does not commit the Government to contract for any supply or service. The Department of Homeland Security (DHS) is not seeking proposals at this time. Responders are advised that the U.S. Government will not pay any costs incurred in response to this RFI. All costs associated with responding to this RFI will be solely at the interested party's expense. Not responding to this RFI does not preclude participation in any future solicitation.

The information provided in this RFI is subject to change and is not binding on the Government. All submissions become the property of the Federal Government, and will not be returned.

Proprietary information, if any, MUST BE CLEARLY MARKED. To aid DHS, please segregate and mark proprietary information. Please be advised that all submissions become the property of the Federal Government, and will not be returned.


1.0 DESCRIPTION

DHS is seeking information from industry on its capacity to provide broadly scalable cyber security solutions at an affordable cost to Small and Medium Businesses (SMB) in support of adoption of the NIST Framework for Improving Critical Infrastructure Cybersecurity (NIST Cybersecurity Framework). SMBs have a need for strong cyber security capabilities as they face cyber security threats and challenges with limited resources, capacity, and/or personnel. DHS seeks to understand the landscape of capabilities available to SMBs and ways to encourage economies of scale so SMBs can benefit from the rapid advances in cyber security and technology. At the same time, DHS hopes to drive the markets to innovate creatively toward solutions that enable provision of high levels of cyber security affordably to all entities with attractive business returns that keep the markets active. One key goal is for business interests to be served for providers and consumers through stronger cyber security.

2.0 Background

For the purposes of this RFI, DHS is referring to cyber security solutions outsourced to a service or technology provider. These solutions may include but are not limited to managed security services, network security monitoring, continuous diagnostics and mitigation, management of intrusion detection/prevention systems and firewalls, web application monitoring, email filtering, secure cloud, etc.

3.0 Requested Information

Answers are sought for the following questions

3.1 Is there a viable marketplace for providing cyber security services at a low, affordable price for SMBs in support of the NIST Cybersecurity Framework?

3.2 Would NIST Cybersecurity Framework adoption by an SMB make them a more attractive customer and potentially eligible for more advantageous pricing?

3.3 How can the government help reinforce the value of affordable cyber security solutions to SMBs?

3.4 What security products and/ or services would you envision being able to offer and how might those be communicated in terms of the NIST Cybersecurity Framework's core functions (Identify, Protect, Detect, Respond, Recover)?

3.5 How would you characterize SMBs for the purpose of identifying applicable services, eligible customers, etc.?

3.6 Does DHS/government have a role in helping establish the guidelines for capability providers to determine what adoption of the NIST Cybersecurity Framework is?

3.7 Are there technical or policy impediments that inhibit the marketplace from providing cyber security solutions at a low, affordable price for SMBs?

3.8 Are there ways in which economies of scale could be used to make a market for SMBs cyber security solutions more attractive and financially viable for both buyers and sellers? If so, how could these economies of scale best be fostered?

4.0 SUBMISSION INSTRUCTIONS

4.1 Submissions should be in a Microsoft Word (.doc or .docx) file in the following format:

4.1.1 Section 1: Cover page to include company name, individual POC name, business address, email address and contact number. (Limit: One page).

4.1.2 Section 2: Answers to all the questions in Section 3 above. Do not include classified information in this response (Limit: 3 pages).

4.2 Submissions should be in 12-point font and 1 inch margins on 8.5 by 11 inch paper. Submissions should be emailed as an attachment to Joseph.Hatzipanagiot@hq.dhs.gov. Please refer to "Cyber Security Solutions for SMBs" in the subject line, and in all correspondence. SUBMITTER'S ARE STRONGLY ENCOURAGED TO CAREFULLY MARK PROPRIETARY DATA IN RESPONSE TO THE RFI, SO THAT DHS REVIEWERS CAN ENSURE PROPER HANDLING.

5.0 Industry Discussions

Because DHS anticipates a large response to this request, we will not be engaging in individual telephonic discussions, presentations or meetings. DHS does intend to convene a conference and/or future discussions with the community based on responses.

6.0 Disclaimer and Important Notes:

DHS appreciates your assistance with this market research and emphasizes that this is for planning purposes only. This is not an invitation for bid, request for proposal or other solicitation and in no way obligates DHS to award a contract. The sole intent of this RFI is to obtain feedback and suggestions on the cyber security solution marketplace.