Incident Response

  • Washington, DC
  • Posted 12 days ago | Updated 21 hours ago

Overview

Hybrid
Depends on Experience
Full Time

Skills

vulnerability
Incident Response

Job Details

In coordination with the Government Task Monitor, there is a need for Contractor support for the Treasury's Security Operations Incident Response Team (SecOps IRT) in the performance of security program tasks and day-to-day operations, as required. The program manager requires strong technical resources capable of providing vulnerability analysis and hands-on security support for various public-facing systems. Additionally, the Contractor shall assist in the development and maintenance of security documentation in support of maintaining the authorization of OCIO systems.

  1. Incident Response Management

The Contractor shall manage all Incident Response tickets, including the development, updating, and closure of tickets. The Contractor will focus only on the security incidents reported through the Enterprise Application EBS Incident Response (IR) portal. The Contractor will respond to incidents within a pre-defined Service Level Agreement (SLA), conduct log investigations, escalate incidents as needed, and complete the after-action reports to ensure all incidents are resolved in a timely manner. The Contractor will create incident detection dashboards in the Department SIEM and help SecOps develop, update, and maintain SecOps IR processes. In CY 23, Incident Response received 220 incidents. Of the 220, 116 were security incidents that the incident response team actioned and resolved.

  1. Detection and Analysis
    The Contractor shall analyze incidents/events to validate their legitimacy and assess the impact on government systems using detection tools (such as Trellix) or SIEM tools (such as Splunk). In the event of a security incident, the Contractor shall provide guidance and support during the incident response process, assist in identifying and investigating the incident, analyze log data for forensic purposes, and conduct investigations to determine the root cause and extent of the incident. The Contractor shall perform risk assessments, track threat trends, and monitor the general performance of the IR Plan's execution.
  2. Communication and Stakeholder Engagement
    The Contractor shall communicate and collaborate with stakeholders (ISSOs and System Owners/ System Admin/ Program Managers) on open tickets to track progress and ensure necessary action items are achieved to meet incident closure requirements.
  3. Incident Response and Mitigation Coordination
    The Contractor shall liaise with relevant system owners and technical teams to inform, notify, and generally monitor and assist in the mitigation process. The Contractor shall verify through Independent Verification and Validation (IV&V) that vulnerabilities have been mitigated.
  4. Reporting
    The Contractor shall coordinate the completion of the IR after-action report (AAR) after every incident. The Contractor shall maintain detailed records of all incidents, actions taken, and outcomes. Records should include trend analysis, response effectiveness, and recommendations for program maturation.
  5. Technical Expertise
    The Contractor shall demonstrate extensive knowledge of current and emerging cybersecurity threats and of incident response. This involves staying up to date on emerging threats, security trends, and industry best practices in order to accurately validate and categorize submissions and to make recommendations to mature the program.