State, Local, Tribal and Territorial (SLTT) Indicators of Compromise – Automation Pilot | DHS 20 CISA 128 SLT001

Frequently Asked Questions (FAQs)

What is the SLTT Indicators of Compromise (IOC) - Automation Pilot?

The State, Local, Tribal and Territorial (SLTT) Indicators of Compromise (IOC) - Automation Pilot is a Department of Homeland Security (DHS) cooperative agreement managed under CISA. It is designed to continue an already-awarded project so it can be implemented and tested in real SLTT operating environments, with a focus on measurable improvements in how quickly and consistently SLTT organizations can act on cybersecurity threat indicators.

Is this a new open grant competition?

No. The opportunity is described as an extension of a previously selected grant recipient, not a brand-new open competition. It continues work already underway (referenced as DHS-19-CISA-128-SLT001) to support implementation and operational outcomes.

What is the main goal of this pilot?

The central goal is to speed up how SLTT governments evaluate, prioritize, and respond to Indicators of Compromise by automating key steps that are often manual. The pilot aims to shrink the timeline from receiving an IOC to taking action to minutes rather than hours or days.

What are Indicators of Compromise (IOCs) in this context?

IOCs are artifacts that may indicate malicious activity. Examples mentioned include suspicious IP addresses, domains, file hashes, email indicators, or behavioral patterns observed in logs.

What problems in SLTT cybersecurity operations is the pilot trying to address?

The pilot targets common manual workflows such as reviewing indicator emails or reports, copying indicators into tools, running lookups, correlating across systems, and deciding whether to block, contain, or investigate. The intent is to reduce repetitive, low-value manual effort and improve response timelines and consistency.

What does "automation" mean here?

Automation in this pilot refers to making IOC handling more immediately usable and less manual by standardizing and automating steps like validation, enrichment, and scoring. It also includes building repeatable workflows that can move from intake to response actions under approved policies and oversight.

What kinds of automated steps are emphasized?

The opportunity highlights automating validation, enrichment, and scoring. Examples provided include pulling context from threat intelligence sources, adding asset criticality context, and rating the confidence and severity of an indicator to help prioritize action.

Which parts of the IOC lifecycle does the pilot cover?

The work targets the full IOC lifecycle, including receipt of IOCs, enrichment and scoring, remediation and response actions, and the feedback loop that improves future handling.

What is SOAR, and why is it central to this pilot?

SOAR stands for Security Orchestration, Automation, and Response. The pilot explicitly highlights using SOAR capabilities with information sharing to build repeatable workflows (playbooks) that can ingest indicators, query data sources, correlate with local telemetry, and trigger approved response actions.

What are "playbooks" in this pilot?

Playbooks are repeatable workflows that automate steps such as ingesting indicators from partners or feeds, enriching and correlating them using internal and external data sources, and triggering response actions aligned with SLTT policies and procedures.

What types of response actions are mentioned as outcomes of automation?

Examples include blocking a domain, quarantining an endpoint, creating or updating a ticket, notifying relevant staff, or escalating an incident for deeper investigation.

How does the pilot balance automation with oversight and governance?

A major theme is identifying repetitive tasks suitable for orchestration and automation while maintaining appropriate oversight and governance. The pilot is intended to show how automation can reliably handle routine steps while still operating within sustainable government policies and procedures.

Is the work only technical integration, or does it include operational changes?

It includes both. The opportunity emphasizes operational alignment so SLTT organizations can apply consistent playbooks and decision logic across teams and, where feasible, across jurisdictions. It also calls out developing model processes, methods, and sustainable policies and procedures.

What does "orchestration" mean in the pilot description?

Orchestration refers to coordinating the broader set of cyber defense activities so they work together end-to-end: sensing (collecting data and indicators), understanding (analysis and correlation), decision-making (triage and prioritization), and acting (response and remediation).

How many SLTT participants can be involved?

Participation is limited. The grant recipient may select up to five states and/or localities to participate in the pilot.

Does the pilot include Tribal and territorial governments as participants?

The pilot is framed for SLTT organizations broadly (state, local, tribal, and territorial). However, the participation detail provided states the recipient may select up to five states and/or localities to take part in the pilot.

What is expected to come out of the pilot for broader SLTT use?

A key outcome is reusable guidance: model processes, methods, and policies and procedures that help make automation sustainable in government environments. The pilot aims to document what works in real environments and improve the consistency and actionability of shared cyber data so other SLTT organizations can adopt approaches later.

How does information sharing fit into the pilot?

The pilot combines SOAR with information sharing so indicators distributed among partners or feeds can be ingested and acted upon in a predictable, repeatable way rather than being handled ad hoc by each organization.

What is the funding mechanism for this opportunity?

This is a discretionary DHS funding opportunity offered as a cooperative agreement, managed under CISA.

What does it mean that this is a cooperative agreement?

The opportunity notes that a cooperative agreement typically implies substantial federal involvement or collaboration during execution compared to a standard grant.

What is the funding activity category?

The funding activity category is listed as science and technology and other research and development, reflecting that the pilot is intended to develop, test, and demonstrate operationally relevant automation methods rather than simply purchasing routine services.

What is the opportunity number and CFDA number?

The opportunity number is DHS 20 CISA 128 SLT001, and the CFDA number is 97.128.

How much funding is available, and how many awards are expected?

The award ceiling is $500,000, and DHS expected to make one award.

What are the posted dates for this opportunity?

The posting shows an original creation date of July 20, 2020, and an original closing date of August 10, 2020. The narrative indicates the purpose is to extend a previously awarded project rather than run a new multi-award competition.

What does success look like for participating jurisdictions?

Based on the description, success is reflected in practical, measurable operational improvements such as reduced manual workload, faster response timelines (moving toward minutes), and more consistent application of standardized playbooks for IOC handling and response.

How does this pilot help with prioritization of threats?

The pilot emphasizes enrichment and scoring so IOCs can be evaluated with added context (for example, threat intelligence context and asset criticality) and assigned confidence and severity ratings. That information is intended to help jurisdictions triage and prioritize actions more quickly and consistently.

Why does the opportunity emphasize "real-world SLTT environments"?

The stated intent is to apply automation in practical operating environments, not just in theory, and to demonstrate implementation approaches that align with how SLTT agencies actually operate under their policies and procedures.