Specifications include, but are not limited to:
• Provide or utilize COTS (commercial off-the-shelf) SIEM products in the solution. The technical
solutions included in the service should have a commercially or field-proven operational history.
• Be capable of providing an average mean-time-to-detect (MTTD) for critical events of less than 7
days after the service enters production status and after the initial tuning event completes. The
MTTD should be reduced through the life of the engagement, with the goal of an average
MTTD of less than 24 hours within 12 months.
• Be capable of providing an average mean-time-to-respond (MTTR) for detected critical events in
a reasonable timeframe. This may include service level agreements (SLAs).
Guidelines:
• Low = < two (2) weeks or better
• Medium = < one (1) week or better
• High = < 48 hours or better
• Critical = < 24 hours or better