Cyber QSMO Services

Below is a list of initial service offerings, grouped by the National Institute of Standards and Technology (NIST) Cybersecurity Framework (CSF) category. Browse the list to find a service and get connected with federal shared service providers to acquire a service. Please visit the Cyber QSMO Marketplace again as we continue to onboard and validate additional services.

Anomalies and Events

Services that detect anomalous activity and help understand the potential impact of events.

Asset Management

Services and tools that allow the agency to track hardware and software assets throughout the enterprise, including the asset's physical location and configuration.

Awareness and Training

Services that provide cybersecurity awareness education to the organization’s personnel and partners, and train them to perform their cybersecurity-related duties and responsibilities consistent with related policies, procedures, and agreements.

Business Environment

Services that enable understanding and prioritization of an organization's mission, objectives, stakeholders, and activities to inform cybersecurity roles, responsibilities, and risk management decisions.

Data Security

Services that help manage information and records (i.e., data) consistent with the organization’s risk strategy to protect the confidentiality, integrity, and availability of information.

Detection Processes

Services that help monitor the information system and assets to identify cybersecurity events and verify the effectiveness of protective measures.


Services that support the creation, development, and standardization of policies, procedures, and processes to manage and monitor cybersecurity risks.

Identity Management and Access Control

Services that help limit and manage access to physical and logical assets and associated facilities to authorized users, processes, and devices, consistent with the assessed risk of unauthorized access to authorized activities and transactions.

Information Protection Processes and Procedures

Services that help maintain and use security policies (i.e., addressing purpose, scope, roles, responsibilities, management commitment, and coordination among organizational entities), processes, and procedures to manage the protection of information systems and assets.


Services that help prevent expansion of an event, mitigate its effects, and resolve the incident.

Protective Technology

Services that help manage technical security solutions to ensure the security and resilience of systems and assets, consistent with related policies, procedures, and agreements.

Recovery Planning

Services that help execute and maintain recovery processes and procedures to ensure restoration of systems or assets affected by cybersecurity incidents.

Risk Assessment

Services and tools that support the agency's assessment of cybersecurity risks. Risk assessments help the agency to understand the cybersecurity risks to the agency's operations (i.e., mission, functions, image, or reputation), organizational assets, and individuals.

Risk Management Strategy

Services that support the agency's development of a cybersecurity risk management strategy. Risk management strategy services help establish and use the organization's priorities, constraints, risk tolerances, and assumptions to prioritize and implement risk-based decisions.

Security Continuous Monitoring

Services that help monitor information systems and assets to identify cybersecurity events and verify the effectiveness of protective measures.

Supply Chain Risk Management

Services and tools that help establish an organization's priorities, constraints, risk tolerances and assumptions, and support risk decisions associated with managing supply chain risk.


Last Updated Date: February 2, 2021
