A. The proposed ASM tool must be hosted, and its data must be contained and stored,solely in CONUS. B. The proposed ASM tool must: 1. Conduct comprehensive attack surface scans from the outside of an entity’s ecosystem: • Scans must run daily or on a schedule set by the Department. • Scans must be non-intrusive and otherwise not cause target entity security systems to raise alarm. • Scans must monitor the security posture of 1) the Department; 2) regulated entities; and 3) significant service providers; and help Department examiners prepare for cybersecurity and IT risk examinations of regulated entities. The Department will not have logins, passwords, or insider access to regulated entities or significant service provider information systems. • Scans must monitor 3,000 or more entities simultaneously. • Scans and related reports must include the relevant ASM data so the Department can analyze each entity’s attack surface within the portfolio in isolation and can assess entities’ attack surface relative to other entities.
