Request for Information: Automated Cryptographic Discovery and Inventory (ACDI) Tool

Other / Unclassified

This document outlines the Cybersecurity and Infrastructure Security Agency's (CISA) strategy for migrating to automated Post-Quantum Cryptography (PQC) discovery and inventory tools. It details the purpose, background, scope, and goals related to assessing Federal Civilian Executive Branch (FCEB) progress in adopting PQC.

This strategy document is relevant to vendors who may be developing or providing tools for cryptographic discovery and inventory. It outlines the government's approach to identifying and inventorying cryptographic systems vulnerable to quantum computing threats. Key aspects include:

• Approach to Data Collection: Details methods for collecting inventory data, including the use of Automated Cryptography Discovery and Inventory (ACDI) tools, Continuous Diagnostics and Mitigation (CDM) Program integration, and manual collection methods.
• Key Data Items: Specifies the nine data items required for reporting cryptographic systems, with a focus on those discoverable by automated tools (e.g., algorithm, service provided, key length, software package details, operating system).
• Tool Development and Integration: Outlines steps for developing and integrating ACDI tools with existing government systems like CDM and CyberScope.
• Required Actions and Timeline: Provides a high-level schedule and specific actions for CISA, NIST, and FCEB agencies regarding PQC transition, tool development, and reporting.

Vendors offering solutions in cryptography, cybersecurity tools, or asset inventory management may find this document useful for understanding current and future government requirements and opportunities in the PQC space.

Statement of Objectives (SOO)

This document outlines the objectives for procuring an Automated Cryptographic Discovery and Inventory (ACDI) capability for the U.S. Department of Health and Human Services (HHS). The ACDI tool is intended to address the growing threat posed by quantum computing to existing cryptographic systems and to support HHS's transition to Post-Quantum Cryptography (PQC) in compliance with federal mandates (NSM-10, OMB M-23-02).

• Automated Discovery: The solution must automatically discover cryptographic implementations across enterprise environments (on-premises, cloud, applications, networks, data-at-rest) using active scanning and passive monitoring.

• Cryptographic Identification: Identify algorithms (symmetric, asymmetric, hash), protocols, certificates, key lengths, and hybrid cryptography instances.

• Inventory Management: Maintain a centralized repository, associating implementations with system details, and supporting tagging, deduplication, and historical tracking.

• Risk Assessment: Identify deprecated, weak, non-compliant, or quantum-vulnerable cryptography, providing contextual risk analysis based on system exposure, data sensitivity, and mission criticality.

• Prioritization: Support prioritization of remediation activities based on risk level.

• Implementation Support: Track remediation and modernization activities, integrating with existing workflows.

• Continuous Monitoring: Provide continuous or periodic discovery, detect changes, and alert on new or changed assets.

• Reporting: Offer dashboards and reports on cryptographic inventory, vulnerable cryptography, certificate lifecycle, remediation progress, and compliance status. Export reports in standard formats (CSV, Excel).

• Technical Requirements: Support deployment in various environments, scalable architecture, distributed scanning, agent-based and agentless discovery, and integration with enterprise systems (CMDB, SIEM, etc.). Must enforce role-based access control and support SSO. Must achieve or have a path to ATO/FedRAMP High authorization.

• Tasks: Include project management, contract kick-off, PMP development, regular meetings, technical documentation, software deployment/implementation, testing/validation, operational readiness reporting, bi-weekly reporting, and training.

• Contract Type: Firm-Fixed-Price (FFP)

• Period of Performance: 12-month base period + four (4) 12-month option years.

• Specific submission instructions are not detailed in this SOO, but a detailed schedule of deliverables and due dates is provided.

• Not specified in this document.

• The document references National Security Memorandum 10 and OMB Memorandum M-23-02 as key drivers for this acquisition.

• A detailed Deliverables Table is included, outlining specific tasks and their due dates.