Integrated Security is Core Feature of EIS Solutions
Cybersecurity has been a concern for federal agencies for a long time, but many have struggled to impose sufficient security in a timely and cost-effective manner. The EIS contract is one of the principal vehicles through which the Trump Administration is planning to boost security governmentwide.
A report to the president on federal IT modernization, published in August 2017, laid out several ways EIS will help. In particular, it said, it can help smaller agencies, who often lack the expertise of bigger agencies to fully manage their information security programs, which in turn impedes a full understanding of the risk to all federal networks.
“EIS will allow agencies the flexibility to choose a la carte the managed security services tools they need to comply with MTIPS (Managed Trusted Internet Protocol Services) requirements, while still being protected by the intrusion and prevention capabilities DHS provides,” the report said.
Networx, the EIS predecessor that is still in force until spring 2020, offers MTIPS along with specific security services such as anti-virus management, intrusion detection and prevention, and others. However, those agencies that don’t have their own Trusted Internet Connection (TIC) capabilities, and therefore must get them through Networx, have to buy the full MTIPS suite of services. They can’t pick and choose.
EIS Cybersecurity Services takes security a step further by providing those services fully integrated with other EIS infrastructure services. The scope of the EIS contract allows IT-related products and services to be acquired through EIS “only if they are associated to an infrastructure or telecommunications solution acquired through EIS.”
All services provided under EIS comply with all Federal Information Security Management Act (FISMA), DOD, and Intelligence Community requirements where applicable, according to Amando Gavino, director of the Office of Telecommunications Services at the GSA Federal Acquisition Service. Also, multiple memoranda from the Office of Management and Budget (OMB) require government departments and agencies to enter into “legally sufficient” agreements with the Department of Homeland Security (DHS) relating to deployment of the EINSTEIN intrusion protection system.
Agencies have a choice to use services offered through EIS for this, Gavino said, or get them through other procurement vehicles. The EIS contract nevertheless allows for a wide range of infrastructure security. Examples GSA cites include such things as MTIPS and traffic aggregation services that are integrated with an agency’s specific IP transport services, or Managed Security Services (MSS) — which comprises managed prevention, vulnerability scanning and incident response — applied to an agency’s network architecture that can include such things as Voice-over-IP, Ethernet transport, or IP services.
However, although there is a relatively high level of security included in EIS and more expected in the future, agencies shouldn’t assume that the security they need now, such as data forensics, is automatically provided when they buy telecom and IT services.