CFIC-2023-106
Cyber Fusion Innovation Center (CFIC)
Aug 17, 2023 ET
Sep 24, 2023 ET
Closed
1. Designing, implementing, and sustaining a comprehensive AI-driven Cyberspace Security Continuous Monitoring System that can execute two primary functions:
A. Function 1: Parse monitored system artifacts such as eMASS scans (typically from ACAS) and network maps as inputs to generate a risk-based, prioritized list of log events that can be analyzed to detect anomalies and threat activity related to the five core categories listed below (as outputs). The generated list should articulate the prioritization and categorization of the events to be analyzed, formatted for Function 2 ingest and prosecution. For example, if the monitored system consists of Windows hosts and servers, Function 1 would generate a list of events that should be monitored in order to detect activity that meets the criteria in the five categories listed below.
B. Function 2: Connect to the monitored system's SIEM, API, or file system and analyze the log events specified in the outputs above to detect and report anomalies, malicious behavior, and changes over a period within the five core threat activity categories listed below. On detection, disseminate confidence-bound, time-sensitive alerts and periodic reports that describe the detected activity, while periodically updating analytic thresholds and model weights. Near real-time adjustment for the monitored system's functional drift (which includes drift of the AI model(s) and shift of the underlying data distribution) should occur over a defined period.
2. Five threat detection activity categories: The continuous monitoring capability must be able to detect anomalous activity and categorize malicious activity. Detections must include confidence ratings that quantify the uncertainty of estimates for the following activities, produced by analyzing the monitored system's logged events as specified in Function 1 for Function 2 ingest and prosecution.
A. Initial Access: Initial Access consists of techniques that use various entry vectors to gain their initial foothold within a monitored system.
B. Lateral Movement: Lateral Movement consists of techniques that adversaries use to enter and control adjacently positioned, remote systems on a given networked architecture.
C. Malicious Command and Control (C2): Command and Control consists of techniques that adversaries may use to communicate with systems under their control within a victim network.
D. Illicit Data Exfiltration: Exfiltration consists of techniques that adversaries may use to steal data from the monitored system and egress the data across the network.
E. Credential Theft or Misuse: This consists of techniques for stealing credentials such as account names and passwords and using them to gain access to systems, which makes adversary activity harder to detect.
3. Integrating threat intelligence feeds to enhance threat detection capabilities.
Monitored System Scope:
1. The monitored systems will consist of enterprise information technology (IT). The continuous monitoring system must analyze event logs consistent with IT systems such as Linux and Windows client and server hosts, Antivirus, NetFlow and DNS.
2. The continuous monitoring system will connect to the monitored systems' event log repository/SIEM remotely via API (e.g., S3 bucket, Elasticsearch, Splunk query).
Performance Thresholds:
We expect the proposed system to achieve the following performance thresholds:
1. Detect known malicious activity within the five categories listed above with an overall effectiveness of 70%, using a documented statistical confidence bound. When using AI, machine learning models, or algorithms, affirm an F1-score of at least 50% with a documented statistical bound for detected anomalous activity within the five categories. All performance thresholds should convey a documented false-positive minimization approach.
2. Alert Generation: Generate risk-based, prioritized alerts within five minutes of identifying a potential threat or incident within the five-core threat detection categories specified above. Alerts must be transmitted securely via email or an approved communication technology.
3. Report Generation: Generate at least two periodic summary reports focused on activity related to the five threat categories listed above: a 24-hour and a 7-day coverage report, and optionally a 30-day one, describing monitored system activities and highlighting the anomalous or malicious activity that was alerted on during the previous reporting period. The report should also describe activity of note that did not meet the alerting threshold but was nonetheless significant. A single report should be able to summarize activities that span multiple monitored environments.
4. Scalability: The system should accommodate the ability to scale the continuous monitoring system to monitor multiple systems while periodically updating analytic thresholds, model weights and maintaining optimal performance.
5. System Uptime: Ensure a minimum system uptime of 90% while describing how you would address redundancy and failover mechanisms. Describe system uptime percentages during model re-training, system maintenance, and in various degraded state operations.
6. Integration Capabilities: Describe, at a high level, how your proposed system would integrate with our existing security infrastructure, tools, and platforms (e.g., reporting, and ticketing systems).
7. Threat Intelligence Utilization: Leverage threat intelligence sources to enhance threat detection accuracy by at least 20%. Define the baseline and the methodology used to determine the threat detection accuracy improvement of at least 20%, so that the measurement is consistent.
8. Describe how this system will be deployed globally and what impact on measures of effectiveness may be incurred.
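As an added worked example (not part of this call or of any CFIC or Army code), the following Python evaluates a detector's labelled output against the floors in threshold 1 above: a per-category F1-score of at least 50%, judged by a bootstrap lower confidence bound rather than the point estimate, and a 70% detection rate on known malicious activity. The category labels and evaluation records are constructed placeholders, not real data.

```python
import random
from collections import defaultdict

# Hypothetical labels for the five threat categories in the call
CATEGORIES = ["initial_access", "lateral_movement", "c2", "exfiltration", "credential_misuse"]

def counts(records):
    """Tally TP/FP/FN from (category, truly_malicious, detector_fired) records."""
    tp = sum(1 for _, truth, det in records if truth and det)
    fp = sum(1 for _, truth, det in records if not truth and det)
    fn = sum(1 for _, truth, det in records if truth and not det)
    return tp, fp, fn

def f1_score(records):
    tp, fp, fn = counts(records)
    return 0.0 if tp == 0 else 2 * tp / (2 * tp + fp + fn)

def bootstrap_lower_bound(records, n_boot=1000, alpha=0.05, seed=0):
    """Lower (1 - alpha) bootstrap bound on F1: resample with replacement, take the alpha quantile."""
    rng = random.Random(seed)
    n = len(records)
    scores = sorted(f1_score([records[rng.randrange(n)] for _ in range(n)]) for _ in range(n_boot))
    return scores[int(alpha * n_boot)]

def evaluate(records, min_f1=0.5, min_detection_rate=0.7):
    """Judge each category by the documented lower bound on F1 (not the point estimate) and by
    the detection rate on known-malicious events, mirroring the 50% / 70% floors in the call."""
    by_cat = defaultdict(list)
    for rec in records:
        by_cat[rec[0]].append(rec)
    report = {}
    for cat in CATEGORIES:
        recs = by_cat[cat]
        tp, fp, fn = counts(recs)
        rate = tp / (tp + fn) if tp + fn else 0.0
        lower = bootstrap_lower_bound(recs)
        report[cat] = {"f1": round(f1_score(recs), 3), "f1_lower_bound": round(lower, 3),
                       "detection_rate": round(rate, 3),
                       "passes": lower >= min_f1 and rate >= min_detection_rate}
    return report

def constructed_sample():
    """Constructed evaluation records, not real data: four strong categories and one weak one."""
    recs = []
    for cat in CATEGORIES[:-1]:  # 10 TP, 1 FP, 1 FN, 8 TN -> point F1 = 10/11
        recs += [(cat, True, True)] * 10 + [(cat, False, True)] + [(cat, True, False)] + [(cat, False, False)] * 8
    weak = CATEGORIES[-1]        # 2 TP, 3 FP, 3 FN, 12 TN -> point F1 = 0.4, detection rate 0.4
    recs += [(weak, True, True)] * 2 + [(weak, False, True)] * 3 + [(weak, True, False)] * 3 + [(weak, False, False)] * 12
    return recs
```

Calling evaluate(constructed_sample()) returns one dict per category; the weak credential_misuse category fails both floors, while a high point F1 alone would not have been enough without its lower bound also clearing 0.5.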
U.S. Army Cyber Command operates and defends Army networks and delivers cyberspace effects against adversaries to defend the nation, with over 16,500 Soldiers, civilians, and contractors working 24/7 across the globe. In today's rapidly evolving threat landscape, we recognize the importance of continuous monitoring as a foundational component of our cyberspace security ecosystem. The Army requires the ability to automatically and continuously monitor systems to maintain ongoing awareness of information security, vulnerabilities, and threats in order to facilitate risk-based operational decision making. Automation is required to analyze the high volume and variety of data elements associated with successful continuous monitoring. Because of functional drift, a monitored system's analytic thresholds and weights must be automatically updated to reduce the propensity for false-positive alert notifications while accurately indicating when anomalous or malicious cyber activity occurs.
1. Submit to the call in Vulcan here.
2. Download Vulcan submission instructions here.
3. Download white paper template for submission here.
**Submission Close 24 September 2023 11:59 PM ET
***U.S. Citizens Only
Questions?
For event-related questions, please contact Brandon Sizemore at bsizemore@cyberfic.org and Mary Burnette at mburnette@cyberfic.org
AIDCMS Q&A Telecon RSVP (7SEP23)
Do you have questions related to our Artificial Intelligence Driven Cyberspace Security Continuous Monitoring System (AIDCMS) Assessment Event and would like them answered by the assessors? The Cyber Fusion Innovation Center will be hosting a Virtual Q&A session on 7 September from 2-4 PM ET where AIDCMS Assessors will be answering your questions. The only way to get your question in is by following the link below and filling out the form. Don't have a question but would still like to attend? Be sure to RSVP below. The cut-off date for questions and RSVPs is 3 September. *Only RSVPs and questions submitted through the link below will receive the meeting link.
Contact: Brandon Sizemore, Deputy Director, bsizemore@cyberfic.org (phone not provided)