FAQs for Security Analytics Platform RFP

When and how can we schedule a demo? 

CIS will schedule a demo with qualifying vendors after all proposals have been reviewed. Demos will take place between 11/10/21 – 11/22/21.

When is our written portion of the RFP due?

Proposals are due to CIS by 3:00 PM EDT on 10/29/2021.

Who is the technical contact on the CIS end requesting the RFP, and who will be maintaining and running the product once the solution is implemented? Are we able to reach out to them for questions as well?

Christina Hilts is coordinating with our technical experts to provide the vendors with the requested feedback during the RFP process.

In mandatory requirements it indicates current levels of 38 events every hour. Please confirm this includes all data ingested from all assets and various logs.

That is correct.

Are there projections available for year over year growth?

Not at this time.

Please advise the total number of current assets (servers, workstations, devices – virtual and physical).

The number of CIS assets is not relevant because this solution is not to protect our assets, but those of our members. The RFP clearly states the volume and frequency of data ingestion that we currently have.

RFP Section Reference: 1.2/1.3

What type of customer member portal is CIS looking to integrate a SIEM with to allow customer access?
What level of access?
Would limited domain/tenant access directly to the SIEM suffice?

CIS is currently developing a proof of concept member portal which will integrate with our existing public website (CIS). Members will undergo identity vetting and obtain credentials from CIS. Our requirement is that once members are authenticated and CIS determines what level of access and what tenant they belong to, the members will be able to run predetermined queries against their own data within the Platform. The level of access will be read-only, with the option of adding only specific fields to a predefined set of queries (i.e., source or destination IPs, protocols, domains, etc.). CIS should be able to map a user to a security group within the Platform to provide domain / tenant level access.
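The access model described in this answer, sketched as an added example (not CIS's or any vendor's code): the tenant is taken from the authenticated session, only predetermined queries run, members may add filters only on an allowlist of fields, and the connection is read-only. The query catalogue, table, session shape and sample rows are hypothetical, and an in-memory SQLite database stands in for the Platform.

```python
import sqlite3

# Hypothetical catalogue of predetermined queries. The tenant filter is part of
# the fixed SQL; members can only add equality filters on allowlisted fields.
PREDEFINED = {
    "recent_events": {
        "sql": "SELECT ts, src_ip, dst_ip, protocol FROM events WHERE tenant_id = ?",
        "optional_fields": {"src_ip", "dst_ip", "protocol", "domain"},
    },
}

def build_demo_db():
    """Constructed sample data for two tenants; the connection is then made read-only."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE events (tenant_id TEXT, ts INTEGER, src_ip TEXT,"
                 " dst_ip TEXT, protocol TEXT, domain TEXT)")
    conn.executemany("INSERT INTO events VALUES (?, ?, ?, ?, ?, ?)", [
        ("tenant-a", 1, "10.0.0.5", "203.0.113.9", "tcp", None),
        ("tenant-a", 2, "10.0.0.5", "10.0.0.53", "dns", "example.org"),
        ("tenant-b", 3, "10.1.0.7", "203.0.113.9", "tcp", None),
    ])
    conn.commit()
    conn.execute("PRAGMA query_only = ON")  # any later write raises OperationalError
    return conn

def run_member_query(conn, session, query_name, filters=None):
    """Run a predetermined query for an authenticated member.

    `session` is what the portal builds after authentication; the tenant comes
    from it and never from anything the member submits.
    """
    spec = PREDEFINED.get(query_name)
    if spec is None:
        raise PermissionError(f"unknown query: {query_name!r}")
    sql, params = spec["sql"], [session["tenant_id"]]
    for field, value in sorted((filters or {}).items()):
        if field not in spec["optional_fields"]:
            raise PermissionError(f"field not allowed: {field!r}")
        sql += f" AND {field} = ?"  # name is from the allowlist, value is bound
        params.append(value)
    return conn.execute(sql + " ORDER BY ts", params).fetchall()

if __name__ == "__main__":
    db = build_demo_db()
    member = {"user": "alice", "tenant_id": "tenant-a"}  # constructed session
    print(run_member_query(db, member, "recent_events", {"protocol": "dns"}))
```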

Does CIS plan to migrate historical data from the Oracle database to the awarded platform?


Does CIS have stated Resiliency Point Objectives (RPO) or Recovery Time Objectives (RTO) metrics for resiliency and DR and the SIEM platform?

CIS has indicated in the RFP that the vendor must provide data that demonstrates an availability of the Security Analytics Platform that exceeds 99.5% measured monthly with no outages lasting longer than 30 minutes in duration, refer to section 3.1. CIS also requires the vendor to have a disaster recovery plan available to CIS for review upon request.

RFP Section Reference: 3.1

Would CIS prefer both AWS & Snowflake for archival storage, or one or the other?

CIS’s Snowflake instance is within AWS and it is our intention that the archival data remain within Snowflake and not separately within another AWS bucket.

What communications protocols/methods does the Snowflake data warehouse support in order for the proposed solution to receive/retrieve logs and events?

There are a number of native integrations available. One of the popular connectors for streaming data is Kafka, which has a native connector. There are open APIs available as well that will flow through our Data Lake before going into Snowflake. If the SIEM does not have a native connection, we can utilize the APIs to the data lake, then flow through the ETL process, and the data is then copied into the Data Warehouse.

Are the logs/events stored in Snowflake in their raw/native format as received from the original log source or have they been modified in some way?

Currently, logs/events are stored in native format within Snowflake.

What is the overall expected data ingestion rate from all sources?
What percentage of this would CIS like correlated in real time?
Does CIS have an expected year-over-year growth rate? If so, what is it?

From all sources, CIS currently ingests approximately 40 GB of data each day. It is expected that the 40 GB can be consumed throughout the day in near real-time, with ingestion, analysis, and correlation to occur within a maximum of five minutes at any time.

What are the required live (online/hot) storage retention requirements?

CIS prefers 90 days of online/hot storage.

What are the required archived (offline/cold) storage retention requirements?

CIS must have the ability to query 180 days' worth of event data. This may be stored within our data lake (Snowflake) or within the SIEM itself, depending on the selected vendor and capabilities. The data should not be “offline”, but having it on cold / slower storage for longer retention periods is acceptable as long as the ability to thaw the data is present.

Is the Jira integration bi-directional?


Is the Salesforce CRM integration bi-directional?

The primary use case is to populate email alerts and other content from Salesforce CRM (e.g., contact information of customers) with the SIEM. However, bi-directional may be needed in future use cases.

In the following statement, what is the definition of “Index”?
“Ability to have at least two separate indexes for the Platform to segment data and report on indexes separately”

An index in this context is a repository of data. CIS would like to be able to segment incoming data into separate repositories to allow for metric collection / consumption based on the type of customers as well as rapid filtering of data based on how we want to segment the data.

In the following statement, what is the definition of “events” – incidents or true event logs from data sources?
“… MS-ISAC SOC receives 38 events every hour, or 912 events each day …”

This definition of event is something that has risen to the level of necessitating human interaction and analysis. Some may call this an “alert”. It is suspected anomalous or malicious activity that must be confirmed by an analyst before being labeled a false positive or escalated as an actual incident.

In reference to the following statements in section 3.1, please clarify which is preferred.
A: “Platform must have the ability to use single sign-on (SSO) and integrate with CIS’s Active Directory (AD) environment for internal employee authentication and for the creation of security groups”
B: “Platform shall integrate with Okta for single sign-on and multifactor authentication”

Preferred is Okta as this is how CIS integrates with AD.

With respect to supplying a Disaster Recovery plan and required testing, does this mean CIS is interested in having the SIEM platform managed by the vendor or someone other than CIS representatives?

CIS is not planning on outsourcing the management of the SIEM. The disaster recovery (DR) is for the underlying infrastructure (e.g., software, servers, storage, network, data center, physical buildings, employees, etc.) that will support the SIEM.

Please specify which requirements or specific regulations must be met to accommodate the Govcloud resident statement.

If a FedRAMP offering is not available, minimum requirements include that all data must reside within the Continental US, including backups and disaster recovery sites, that all employees with access to CIS data and infrastructure are U.S. Citizens, and that employees undergo background checks initially and periodically. Additionally, all access to CIS infrastructure and data is logged, audited, and notification is made to CIS for any access.

RFP Section Reference: 4.0

How many managed customers (tenants) does CIS expect to start with and grow into?

CIS expects to immediately begin with 1,000 tenants and we expect that number to grow by several hundred throughout 2022.

In regard to reporting, what specific report output types does CIS require?
In regard to report distribution, are there specific methods CIS requires?

Report output should include, at a minimum: .docx, .xlsx, .pdf, .txt, .csv, .html, .json

Report distribution should include, at a minimum: direct email of alert/event content in the body of an email, as an attachment to an email with Outlook integration, via API to other platforms and applications, direct upload ability to cloud-hosted providers (e.g., OneDrive, Amazon S3, etc.).

What IAM platform is currently in use?


Can you specify the log format structure for the proprietary Albert IDS platform? Is it a standard format?


What kind of API is supported by TIP (Analyst1)?

STIX/TAXII 2.1 direct APIs to Analyst

Will the SLT member organizations need their own instances of the solution? Also, will they need their own access into the Management portal?

The SLTT organizations will not need their own instance of the solution; however, they will need the ability to log in to a portal that will show only the data within our solution that they are given permissions to see.

How many employees does CIS have?


What is CIS’ current events per second (EPS)?

As stated in the RFP, our average is 38 events per hour. This equates to .011 events per second.

Do you need professional services for implementation? Will it be okay for us to introduce you to one of our trusted partners that will handle the services portion?

Yes. See RFP section 6.4(b)(IV) Professional Services.

Are you needing an additional level of support with this solution? More than just 24/7 break-fix?

Please see RFP page 17, “Provide details on the costs associated with vendor support for the Platform and the different tiers of support available to CIS. Provide details of the responsiveness and escalation options in the different support tiers.”

One section mentions that our employees must be US citizens if they are offering support to CIS for this solution. Does that include our support teams post sale?

Yes, as stated within the RFP, page 10, “Due to the sensitive nature of the MS/EI-ISAC and the relationship with DHS/CISA, any employee, contractor, or consultant that will be part of the implementation engagement or follow on support of this platform must be a United States citizen.” Follow on support would include post sale.