RFI - Phishing-Resistant Multi-Factor Authentication (MFA) for Mainframe Platforms & Applications

The IRS is seeking a qualified vendor to enhance and enforce phishing-resistant multi-factor authentication (MFA) and personal identity verification (PIV) across its IBM and Unisys mainframe platforms under its IT Cybersecurity Continuous Diagnostics & Mitigation Program. The objectives include aligning with federal security mandates, securing high-value assets against cyber threats, and addressing recent audit findings. The IRS aims to transition to a zero-trust security model, improve software procurement processes, and ensure compliance with federal security standards, including those set by OMB and DHS. The IRS relies on InfoConnect brand products as its COTS MFA solution, necessitating custom implementations for true interoperability. The focus on advanced cybersecurity measures reflects a commitment to enhancing the Agency's overall security posture and protecting sensitive taxpayer information, with funding enabled by the Inflation Reduction Act. Achieving these goals is critical to modernizing IRS systems and improving service delivery while ensuring the integrity and confidentiality of its information assets.

The IRS has issued a Request for Information (RFI) regarding the implementation of phishing-resistant Multi-Factor Authentication (MFA) for its mainframe platforms and applications. The RFI, designated as RFI2526APMO, seeks to gather information from technically-competent vendors who can enhance and enforce MFA and personal identity verification (PIV) capabilities, specifically targeting IBM and Unisys mainframe platforms. Vendors are required to demonstrate their qualifications by providing detailed company profiles and technical capability responses in three parts. The complexity of the project involves questions about company registration, security compliance, prior experience with similar federal implementations, as well as product-specific inquiries. The IRS emphasizes the importance of adherence to federal security standards and protocols, particularly regarding supply chain security and software certifications. Responses to the RFI are due by March 13, 2025, with questions accepted until February 26, 2025. It is clear that the IRS is in the market research phase and not yet committed to a solicitation, thus seeking feedback and information to aid in future decision-making regarding cybersecurity enhancements. Vendors must ensure their submissions are complete and clearly marked, as no proprietary sensitive information should be included unless properly identified.