CybrIQ for government · Evaluation checklist
Procurement evaluation

What to ask any device-visibility vendor before a task order.

This is not a CybrIQ-tailored checklist. It's the list of questions a federal or SLED evaluator should ask any vendor in this category — and CybrIQ's posture on each, with the trade-offs surfaced where they exist. If you're evaluating multiple vendors, the answers should be comparable across all of them.

A vendor-agnostic five-category evaluation scorecard for device-visibility candidates. Use it against any candidate, including CybrIQ; the score that should worry you is the vendor who answers yes to everything.

Category 1: Authorization and posture
  • FedRAMP status: Authorized, In Process, or not held
  • Where the data lives: vendor cloud or customer-installed
  • Outbound connectivity required: air-gap capable, yes or no
  • Vendor access: inbound vendor connectivity, yes or no
  • Certifications held: SOC 2, ISO 27001, 27017, 27018, NIAP, FIPS

Category 2: Network and architecture
  • Network access required: SNMP read-only, SSH, and scope
  • SPAN, mirror, or tap required: yes or no
  • Packet inspection: DPI at any layer, yes or no
  • Agents on endpoints: for primary features or only optional ones
  • Inter-component communication: SSL, tunnel, internal or external
  • Switch impact: configuration changes required, yes or no

Category 3: Identification capability
  • Approach: Layer-1 fingerprint, reference library
  • False-positive rate: events per port per week
  • Detection cadence: polling interval, real-time vs batch
  • Section 889 capability: covered hardware, relabel-resistant
  • OT coverage: SCADA, PLC, HMI, RTU, IED, sensors
  • Reference corpus: device library size

Category 4: Integration and reporting
  • SIEM integration: Splunk, Sentinel, QRadar, Elastic
  • NAC integration: ISE, Forescout, ClearPass
  • CDM structure: HWAM field alignment
  • eMASS / SSP attach format
  • Audit-trail format: signed CSV / JSON with SHA-256
  • Reporting cadence: CIO summary, oversight pack, FISMA, IG

Category 5: Trade-offs every vendor has
  • What is NOT covered: software attacks, identity attacks, traffic anomalies, patch state
  • Where it stops: honest gaps named on the page, not hidden
  • If they will not name gaps, leave

Authorization and posture

  • What's your FedRAMP status? CybrIQ: no FedRAMP status today — not Authorized, not "In Process," no Marketplace listing. The customer-installed deployment shape does not require FedRAMP for FISMA-authorized, on-premise, SCIF, or air-gapped environments.
  • What other certifications do you hold? CybrIQ: SOC 2 Type II, ISO/IEC 27001, ISO 27017 (cloud security), and ISO 27018 (PII in cloud). Reports and certificates available on request under MNDA. Not NIAP-validated and not FIPS 140-3-validated (rationale: customer-installed software, no embedded cryptography in the data path beyond TLS). Product-side controls: TLS 1.2 in transit, AES-256 at rest, MFA, SAML 2.0 SSO, RBAC, regular third-party pen testing, DISA STIG vulnerability remediation. Azure Marketplace listing and ServiceNow Store certified application are live; Carahsoft is the federal channel partner for GSA MAS, SEWP, CIO-SP3, 2GIT, and NASPO routes.
  • Where does the customer data live? CybrIQ: on customer-controlled hardware. No vendor cloud is in the path by default.
  • Does the vendor require outbound connectivity? CybrIQ: no. The deployment can run fully disconnected; reference-library updates ship as signed offline packages.
  • Does the vendor have access to customer data? CybrIQ: no. Vendor staff cannot reach the deployment unless the customer explicitly grants it.

Network and architecture

  • What network access does it need? CybrIQ: read-only switch access via SNMP. No SNMP write. The customer's network team controls the credentials.
  • Does it require SPAN, mirror ports, or inline taps? CybrIQ: no.
  • Does it inspect packet contents? CybrIQ: no.
  • Does it place agents on endpoints? CybrIQ: no, for the primary device-discovery feature. The optional USB-protection feature ships a small Windows/Linux workstation agent — that's separate and opt-in.
  • How is data transmitted between components? CybrIQ: over SSL, inside the customer network. No vendor tunnel.

Identification capability

  • What's the identification approach? CybrIQ: Layer-1 fingerprint (Device DNA™) from 5 switch-side signal classes, matched against a 750-million-device reference library.
  • What's the false-positive rate? CybrIQ: roughly 1 event per 100 ports per week at default thresholds in stable production. Tunable per VLAN.
  • What's the detection cadence? CybrIQ: polls every 30 seconds by default; tunable. Device change on a port surfaces in the next poll, not on a nightly batch.
  • Can it identify covered telecom hardware (Section 889)? CybrIQ: yes, via the reference library — including relabeled and unmarked devices.

Integration and reporting

  • How does data reach the agency's SIEM? CybrIQ: syslog (RFC 5424) and REST. Supported SIEMs include Splunk (including Splunk Cloud for Government), Sentinel for Government, IBM QRadar, Elastic.
  • How does it integrate with the agency's NAC? CybrIQ: direct integrations with Cisco ISE, Forescout, Aruba ClearPass. Event payload includes the fields the NAC quarantine workflow needs.
  • How is data structured for the CDM dashboard? CybrIQ: field names aligned with HWAM expectations. The CDM dashboard simply sees more rows.
  • What's the audit-trail export format? CybrIQ: CSV, JSON, and PDF. Signed at the control plane with SHA-256.
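The SIEM and NAC questions above (events leave over RFC 5424 syslog, and the payload must carry what the quarantine workflow needs) can be checked in a lab before a task order by feeding the vendor's syslog output through a parser and looking for the handoff fields. The block below is an added example written for this checklist, not CybrIQ's code and not its real event schema: it parses RFC 5424 messages, including STRUCTURED-DATA with escaped characters, and lists which NAC handoff fields an event lacks. The SD-ID devchange@32473 (32473 is the enterprise number IANA reserves for documentation), the parameter names switch/port/mac/verdict, and the two sample lines are all constructed assumptions.

```python
"""Parse RFC 5424 device-change events and check them for NAC handoff fields.

Added example for this checklist. The message layout is RFC 5424; the SD-ID,
parameter names, and sample lines below are constructed assumptions, not a
vendor's real schema.
"""
import re
from dataclasses import dataclass

# HEADER = PRI VERSION SP TIMESTAMP SP HOSTNAME SP APP-NAME SP PROCID SP MSGID SP
HEADER_RE = re.compile(
    r"^<(?P<pri>\d{1,3})>(?P<version>\d{1,2}) (?P<timestamp>\S+) (?P<hostname>\S+) "
    r"(?P<appname>\S+) (?P<procid>\S+) (?P<msgid>\S+) "
)
# One SD-ELEMENT: "[" SD-ID *(SP SD-PARAM) "]"; a PARAM-VALUE may contain \" \\ \]
SD_ELEMENT_RE = re.compile(
    r'\[(?P<id>[^\s\]=]+)(?P<params>(?: [^=\s\]]+="(?:[^"\\]|\\.)*")*)\]'
)
SD_PARAM_RE = re.compile(r'(?P<name>[^=\s\]]+)="(?P<value>(?:[^"\\]|\\.)*)"')

# Assumed SD-ID (32473 is the enterprise number IANA reserves for examples) and the
# parameters a NAC quarantine workflow would need from a device-change event.
DEVCHANGE_SD_ID = "devchange@32473"
NAC_REQUIRED = ("switch", "port", "mac", "verdict")

# Constructed sample feed: one complete event, one event missing NAC fields.
SAMPLE_EVENTS = [
    r'<134>1 2024-05-01T12:00:00Z cybriq-cp devdna - DEVCHG '
    r'[devchange@32473 switch="sw-core-01" port="Gi1/0/7" mac="00:11:22:33:44:55" '
    r'class="printer" verdict="unknown" label="lobby \"MFP\""] new device on port',
    r'<132>1 2024-05-01T12:00:30Z cybriq-cp devdna - DEVCHG '
    r'[devchange@32473 switch="sw-core-01" port="Gi1/0/8" class="camera"] fingerprint changed',
]


@dataclass
class SyslogEvent:
    facility: int
    severity: int
    timestamp: str
    hostname: str
    appname: str
    msgid: str
    structured_data: dict
    msg: str


def _unescape(value: str) -> str:
    """Undo RFC 5424 PARAM-VALUE escaping of '"', '\\' and ']'."""
    return re.sub(r'\\(["\\\]])', r"\1", value)


def parse_rfc5424(line: str) -> SyslogEvent:
    """Split one syslog line into header fields, structured data, and free-text MSG."""
    m = HEADER_RE.match(line)
    if not m:
        raise ValueError("not an RFC 5424 header: %r" % line[:40])
    pri = int(m.group("pri"))
    rest = line[m.end():]
    sd = {}
    if rest.startswith("-"):            # NILVALUE: no structured data
        rest = rest[1:]
    else:
        pos = 0
        while pos < len(rest) and rest[pos] == "[":
            e = SD_ELEMENT_RE.match(rest, pos)
            if not e:
                raise ValueError("malformed STRUCTURED-DATA at offset %d" % pos)
            sd[e.group("id")] = {
                p.group("name"): _unescape(p.group("value"))
                for p in SD_PARAM_RE.finditer(e.group("params"))
            }
            pos = e.end()
        rest = rest[pos:]
    msg = rest[1:] if rest.startswith(" ") else rest
    return SyslogEvent(pri // 8, pri % 8, m.group("timestamp"), m.group("hostname"),
                       m.group("appname"), m.group("msgid"), sd, msg)


def missing_nac_fields(event: SyslogEvent) -> list:
    """Fields a NAC quarantine handoff would need but the event does not carry."""
    params = event.structured_data.get(DEVCHANGE_SD_ID, {})
    return [f for f in NAC_REQUIRED if f not in params]


if __name__ == "__main__":
    for line in SAMPLE_EVENTS:
        ev = parse_rfc5424(line)
        gaps = missing_nac_fields(ev)
        print(ev.timestamp, ev.msgid, "severity=%d" % ev.severity,
              "NAC-ready" if not gaps else "missing %s" % ",".join(gaps))
```

Run it against a capture of the candidate's real syslog output instead of the constructed lines: an event that parses but comes back with missing fields is the concrete evidence to bring to the NAC integration question, and a line the header regex rejects is a vendor that is not actually emitting RFC 5424.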
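The audit-trail question above deserves one follow-up: SHA-256 on its own is a digest, and whether the export is also signed (with a key the agency can verify against) decides whether an edited export is detectable by the agency rather than only by whoever produced it. The block below is an added example written for this checklist, not CybrIQ's code and not its real export format. It assumes a JSON export accompanied by a manifest that carries both a bare SHA-256 digest and an HMAC-SHA256 under a key held by the control plane; the records, field names, and demo key are constructed.

```python
"""Verify a signed audit-trail export before accepting it as evidence.

Added example for this checklist, not a vendor's code. It assumes the export is
a JSON array of records plus a manifest holding a SHA-256 digest and an
HMAC-SHA256 over the canonical bytes; the records and key are constructed.
"""
import copy
import hashlib
import hmac
import json

# Constructed audit-trail records of the kind a device-visibility tool would export.
AUDIT_RECORDS = [
    {"ts": "2024-05-01T12:00:00Z", "switch": "sw-core-01", "port": "Gi1/0/7",
     "mac": "00:11:22:33:44:55", "action": "new_device", "class": "printer"},
    {"ts": "2024-05-01T12:00:30Z", "switch": "sw-core-01", "port": "Gi1/0/8",
     "mac": "00:11:22:33:44:66", "action": "fingerprint_changed", "class": "camera"},
]
DEMO_KEY = b"constructed-demo-key-not-for-production"


def canonical_bytes(records) -> bytes:
    """Deterministic serialisation so the same data always hashes the same."""
    return json.dumps(records, sort_keys=True, separators=(",", ":")).encode("utf-8")


def sign_export(records, key: bytes) -> dict:
    """Manifest the control plane would emit alongside the export (assumed shape)."""
    payload = canonical_bytes(records)
    return {
        "sha256": hashlib.sha256(payload).hexdigest(),
        "hmac_sha256": hmac.new(key, payload, hashlib.sha256).hexdigest(),
    }


def check_export(records, manifest: dict, key: bytes) -> dict:
    """Report the bare digest and the keyed MAC separately, so it is visible
    which of the two actually detects an edited export."""
    payload = canonical_bytes(records)
    digest_ok = hmac.compare_digest(hashlib.sha256(payload).hexdigest(), manifest["sha256"])
    mac_ok = hmac.compare_digest(
        hmac.new(key, payload, hashlib.sha256).hexdigest(), manifest["hmac_sha256"]
    )
    return {"digest_ok": digest_ok, "mac_ok": mac_ok, "accept": digest_ok and mac_ok}


def tampered_copy(records):
    """Constructed edit: the unknown camera is rewritten as an approved device."""
    edited = copy.deepcopy(records)
    edited[1]["action"] = "approved_device"
    return edited


def rehashed_manifest(records, manifest: dict) -> dict:
    """An edited export with the bare SHA-256 recomputed; the MAC cannot be,
    because the key is not in the file."""
    return {"sha256": hashlib.sha256(canonical_bytes(records)).hexdigest(),
            "hmac_sha256": manifest["hmac_sha256"]}


if __name__ == "__main__":
    manifest = sign_export(AUDIT_RECORDS, DEMO_KEY)
    print("original:", check_export(AUDIT_RECORDS, manifest, DEMO_KEY))
    edited = tampered_copy(AUDIT_RECORDS)
    print("edited, original manifest:", check_export(edited, manifest, DEMO_KEY))
    print("edited, rehashed manifest:",
          check_export(edited, rehashed_manifest(edited, manifest), DEMO_KEY))
```

The bare digest only confirms a download arrived intact; the keyed MAC (or a public-key signature the agency verifies against a key it received out of band) is what lets the agency reject an export that was edited and re-hashed. That turns the checklist line into a precise question for any vendor: what key signs the export, where is it held, and how does the agency verify it.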

Trade-offs to ask about explicitly

Every vendor in this category has trade-offs. The honest CybrIQ ones:

  • Not FedRAMP Authorized today. No FedRAMP status of any kind — no Marketplace listing, no "In Process" designation. For agencies whose procurement gates on Authorized status, that is the gating concern; for FISMA-authorized environments, on-premise, SCIF, and air-gapped enclaves, the customer-installed path proceeds without FedRAMP.
  • Not NIAP Common Criteria / FIPS 140-3 validated. Rationale: customer-installed software, no embedded cryptography in the data path beyond TLS. For environments that mandate NIAP or FIPS for embedded crypto, the briefing call covers whether the customer's TLS implementation satisfies the requirement.
  • Read-only by default means no enforcement. CybrIQ identifies; the customer's NAC enforces. If the agency does not have a NAC, CybrIQ does not substitute for one.
  • USB protection requires the workstation agent. Switch-side detection cannot see what's plugged into a host's USB port. The optional Windows/Linux agent is the trade-off for that visibility.
  • Continuous monitoring lives in the live log. Long retention is the customer's decision; we don't store agency data centrally.

Walk this checklist with us

30 minutes: we walk every question above against your environment and trade-off priorities, and we hand you a comparison shape you can use with other vendors.
