Cyber QSMO Marketplace

Welcome to CISA’s Cybersecurity Quality Services Management Office (Cyber QSMO) Marketplace. This Marketplace is an online platform for acquiring high-quality, cost-efficient cybersecurity services. The Cyber QSMO centralizes, standardizes, and markets cybersecurity services on this platform, helping reduce the time and cost involved in sourcing and maintaining cybersecurity solutions across the federal civilian enterprise.

The Marketplace offers priority CISA services to help agencies manage cyber risk. In addition to CISA-offered solutions, the Cyber QSMO also partners with federal service providers to offer additional cybersecurity services that will meet or exceed government standards and requirements. This helps ensure that agencies receive best-in-class services for the best cost.

Looking Ahead: Plans are underway to expand services offered on the Cyber QSMO Marketplace. In fiscal year 2021, the Marketplace will feature the following CISA services, which the Office of Management and Budget (OMB) has specifically prioritized to enhance cyber resiliency across the federal civilian enterprise.

Vulnerability Disclosure Policy (VDP) Platform

CISACISA’s VDP Platform helps agencies streamline day-to-day operations when disclosing and managing cyber vulnerabilities. The VDP Platform serves as the primary point of entry for intaking, triaging, and routing vulnerabilities disclosed by the public (i.e., ethical hackers). The VDP Platform enhances information sharing across the federal enterprise by improving how agencies track, analyze, report, manage, and communicate potential vulnerabilities. Ultimately, the VDP Platform enables agencies to receive actionable vulnerability information and collaborate with the public to improve the security of their internet-accessible systems.


Security Operations Services

DOJCISA partners with the U.S. Department of Justice (DOJ) to offer a full spectrum of Security Operations Services, built on cybersecurity best practices, to provide agencies with intelligence-led, expert driven, 24x7 threat detection, hunting, and incident response services. This suite of services improves enterprise wide visibility into cyber vulnerabilities, incident discovery, and information sharing within the Federal Civilian Executive Branch (FCEB).

DOJ offers 23 cybersecurity services on the QSMO Marketplace, as listed below. Services are grouped by the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) category.

Asset Management

  • Security Posture Dashboard Report (SPDR) and Risk Scoring Validated Service

Awareness and Training

  • Anti-Phishing Training Program Support Validated Service

Detection Processes

  • Security Operations Center (SOC) Optimization Advisory Service Validated Service


  • Cybersecurity Policy Support Validated Service

Information Protection Processes and Procedures

  • Process Improvement Advisory Service Validated Service
  • Security Architecture and Engineering Service Validated Service
  • Enterprise Program Management Advisory Service Validated Service

Protective Technology

  • Custom Solutions / Security Software Development Service Validated Service
  • Justice Cloud-Optimized Trusted Internet Connection Service (JCOTS) Validated Service

Risk Assessment

  • Cyber Security Assessment and Management (CSAM) Validated Service
  • Cyber Security Assessment and Management (CSAM) Advisory Services Validated Service
  • Cyber Threat Intelligence Validated Service
  • High Value Asset (HVA) Assessment 
  • Independent Security Control Assessments Validated Service
  • Information System Security Officer (ISSO) Services - Assessment and Authorization (A&A) Support Validated Service
  • Information System Security Officer (ISSO) Services - Continuous Monitoring Validated Service
  • Penetration Testing Validated Service

Security Continuous Monitoring

  • Cyber Threat Hunt Assessment Validated Service
  • Security Operations Center as a Service (SOCaaS) Validated Service
  • Vulnerability Management - Vulnerability Scanning, Analysis, and Reporting Validated Service

Supply Chain Risk Management

  • Supply Chain Risk Assessments Validated Service
  • Supply Chain Risk Management (SCRM) Program Management and Advisory Support Validated Service
  • Supply Chain Threat Intelligence Validated Service


Protective Domain Name System (DNS) Resolver Service (New Updates!)

CISACISA’s Protective DNS Resolver (also known as DNS firewall) service neutralizes malicious DNS content used in cyberattacks using state-of-the-art DNS technologies and threat intelligence sources to secure query traffic, block government query traffic from reaching malicious domains, and alert security organizations within agencies when incidents occur. This service provides general name resolution services, supports modern DNS resolution protocols to protect data in transit, and overrides responses from public DNS records that threat intelligence sources identify as malicious.

May 12 Update:
On April 30, 2021, the Cybersecurity and Infrastructure Security Agency (CISA) and the General Services Administration (GSA) awarded the Protective Domain Name System (DNS) Resolver Service Task Order on the Alliant 2 Governmentwide Acquisition Contract (GWAC), in support of the Federal Civilian Executive Branch (FCEB) agencies. CISA is actively engaging with interested agencies willing to join the initial release of this CISA-funded, centrally managed service. Please reach out to for more information. Stay tuned for updates as we press forward to deliver this critical service!


Cybersecurity Services on the Marketplace: Select the “Services” and “Service Providers” links below for a list of initial cybersecurity services offered on CISA’s Cyber QSMO Marketplace and a list of our service provider partners, respectively. The Cyber QSMO formally validates services using an iterative validation process to ensure a service offering meets government recognized performance standards and requirements. Validated service offerings are indicated with a green checkmark Validated Service. For federal enterprise transparency we provide for agencies’ reference, a listing of additional current Federal Shared Service Providers that: 1) Do not currently align to a formal OMB designated area and 2) Have not yet been approved by the Cyber QSMO.


Service Providers


Have a Question? The Cyber QSMO is here to support your cybersecurity solutions needs and we want to hear from you. If you have a question about the Cyber QSMO and shared cyber services offered on the Marketplace, or are interested in becoming a federal shared service provider, please contact us at

Last Updated Date: November 8, 2021

Was this webpage helpful?  Yes  |  Somewhat  |  No