Quality Services Management Office (QSMO)

The Cybersecurity and Infrastructure Security Agency (CISA) Quality Services Management Office (QSMO) is a government storefront of cybersecurity services that ensures quality, alignment with cross-government strategy requirements, and cost savings, with a long-term vision for modernizing the Federal Government and improving mission support functions. The mission of QSMO is to reduce duplication, improve accountability, increase aggregate expertise, and improve Federal Shared Services offerings. The Cyber QSMO helps government agencies prevent, identify, and manage cybersecurity risks affecting their mission, while creating greater government and workforce efficiencies.

Security Training

Security and Awareness Training

Security and Awareness Training (SAT) Federal Shared Service Providers (FSSPs) provide common suites of information systems security training products and services for the federal government. SAT FSSPs provide standardized skills and competencies in order to align with nationally recognized credentials, such as the National Institute of Standards and Technology (NIST) guidance and the National Initiative for Cybersecurity Education (NICE), for government Information System Security (ISS) roles. The FSSPs provide a repository of government-sponsored or approved training products and sources that will reach all levels of government executives.

The current offerings are organized into two training tiers:

Tier I: General Security Awareness Training Services and Content

Security Awareness Training consists of basic security training that is mandated for all personnel in government. There are currently three designated Federal Shared Services Providers that provide this service to the federal government:


For learning management system (LMS) integration information, please visit the FAQ Repository (log-in required).

Tier II: Role-Based Security Training

The goal of the Tier II training is to provide specific Information Systems Security professionals with education targeted to their roles. Additionally, SAT Tier II will help agencies fulfill training requirements and ensure a skilled and capable workforce is able to perform its tasks and meet the role-based training requirements originally mandated by FISMA (2002) and OPM CFR 930.301 (2004) while following the guidance published by the Committee on National Security Systems (CNSS), NICE, and NIST. There are currently four designated Federal Shared Service Providers for role-based training:


For more information, please contact

Situational Awareness and Incident Response

The Situational Awareness and Incident Response (SAIR) program provides federal enterprise awareness and incident response capabilities through Blanket Purchase Agreements set up for quick access to products and services that address gaps in the long-term security posture of the federal government. SAIR tools and practices complement existing programs by providing viable solutions that ensure consistent implementation of security standards across the government.

Specifically, the SAIR program provides:

  • Affordable alternatives for smaller agencies to be served by a larger agency to assist with information security without the large cost to maintain the capability locally;
  • A uniform service approach, as the work will be mapped to a standard method for conducting the activity, thus improving consistency across government;
  • Aggregate requirements for tools and services, offering a choice of solutions to meet specific needs or proven practices; and
  • Shared experience among agencies with a product or service prior to making purchasing decisions.


This suite of SAIR security solutions is designed to provide better cybersecurity protection to local, tribal, state, and federal governments.

These products were developed as a direct result of cross-government collaboration efforts to help identify and define requirements for baseline configuration management, network mapping/path discovery, and vulnerability management.

SAIR Tier I security solutions have been awarded under the General Services Administration's (GSA) SmartBuy program and are currently available on GSA Advantage or on GSA's updated e-Buy system.

Network Mapping and Discovery Provides:

  • Asset Management
  • Rogue Asset Detection
  • Physical Inventory Maintenance
  • Software License Inventory

Vulnerability Scanning Provides:

  • Software Flaw Scanning
  • Patch Scanning
  • Software Flaw Database
  • Patch Remediation
  • Patch Enforcement

Baseline Configuration Management Provides:

  • Configuration Scanning
  • Mis-configuration Database
  • Policy Framework
  • Mis-configuration Remediation

For more information, please contact:


Risk Management Framework (A&A) Service Offerings

The Risk Management Framework (RMF) Federal Shared Services Providers (FSSPs) were established to facilitate the implementation of common RMF solutions for areas that many agencies are missing when striving to achieve greater efficiencies in executing the RMF Assessment and Authorization (A&A) process.

FSSPs are intended to improve quality of service and reduce the costs of completing assessment and authorization on systems across the Federal Government. RMF A&A FSSPs are complemented by the RMF A&A Private Industry Service Blanket Purchase Agreements (BPAs) by way of the General Services Administration’s Industry Service Acquisition Program.

QSMO RMF Assessment and Authorization Federal Shared Services Providers

SSC Contacts

Please contact QSMO@hq.dhs.gov for additional information.
