
Federal MDR Requirements

Federal buyers face procurement criteria that commercial MDR buyers do not. FedRAMP authorization, U.S.-citizen analyst staffing, DoD Impact Level coverage, GCC High and Azure Government support, inheritable controls, and contract vehicle access narrow the qualified-vendor list to a small percentage of the MDR market. This guide lays out the criteria, why each matters, and how to verify a vendor meets them.
The market filter

Why Federal MDR Is a Smaller Market

Commercial MDR has hundreds of providers. Federal MDR has a small fraction of that count. The reason is a stack of procurement criteria that filter the market: FedRAMP authorization, U.S. citizenship, DoD Impact Level coverage, GCC High and Azure Government support, inheritable controls, and contract vehicle access. Each criterion eliminates a meaningful portion of providers.
Federal buyers should treat these criteria as gates, not preferences. A vendor missing one or more of them may still bid, but cannot reasonably deliver against a federal contract scope. The cost of discovering a gap mid-engagement is significant. The cost of discovering it after award can be irrecoverable. This guide lays out the criteria so federal buyers can filter the vendor list before issuing the RFI.
Five gate requirements

What Defines Federal-Capable MDR

Federal MDR requirements concentrate around five gates. Each filters the qualified-vendor list.
1. FedRAMP authorization for the service
The service itself must hold FedRAMP authorization, not just the underlying cloud. FedRAMP Marketplace verification at fedramp.gov/marketplace is the test. Authorization level (Moderate, High) should match the customer's data classification. FedRAMP High is the standard for sensitive federal workloads. Without service-level authorization, inheritable controls cannot flow to the customer authorization boundary.
2. U.S.-citizen-only analyst staffing
All SOC analyst tiers must be staffed by U.S. citizens. Some federal agencies and DoD program offices additionally require clearance-eligible staffing. The provider should furnish citizenship verification documentation as part of the contract package. Mixed staffing (some U.S., some offshore) does not satisfy citizenship-required environments.
3. DoD Impact Level coverage
Customer environments classified at DoD IL-2, IL-4, or IL-5 require the service to carry the matching IL authorization. IL-4 is the typical federal civilian standard; IL-5 is required for controlled unclassified information in DoD environments. The IL authorization is separate from the underlying cloud's IL; both must match.
4. GCC High and Azure Government native support
Federal customer environments often run on Microsoft 365 GCC High or Azure Government. The MDR service must natively integrate with these environments. Native Microsoft Defender XDR support is the standard. Providers requiring middleware or commercial-cloud bridges to reach GCC High should be ruled out.
5. Inheritable control documentation
A FedRAMP-authorized MDR provider must furnish a Customer Responsibility Matrix mapping NIST SP 800-53 Rev 5 controls to provider versus customer responsibility. The document should be available at RFI stage. A provider that cannot produce it on request is signaling readiness gaps.

U.S. Citizenship, Clearance, and Impact Levels

Citizenship and clearance requirements vary by federal customer. Three categories cover most cases.

First, U.S.-citizen-only with no clearance. Federal civilian agencies and most DIB contractors handling CUI require U.S. citizenship verification for all analysts but do not require active security clearances. This is the most common requirement and the easiest to satisfy.

Second, U.S.-citizen with clearance eligibility. Some federal customers, particularly DoD program offices, require analysts to be clearance-eligible (able to obtain a Secret or Top Secret clearance through standard adjudication). The provider should be able to confirm clearance eligibility for all analyst tiers.

Third, U.S.-citizen with active clearance. This is the most restrictive category. Active Secret or Top Secret clearances are required for analysts handling classified telemetry. Few commercial MDR providers staff this tier; expect significant premium pricing.

DoD Impact Levels work in parallel. IL-2 covers public and non-controlled unclassified information. IL-4 covers controlled unclassified information for non-national security systems. IL-5 covers controlled unclassified information for national security systems and mission-critical workloads. The provider's service IL authorization must match the customer environment's IL classification.
Which contract vehicles federal MDR buyers should consider

Federal Contract Vehicles for MDR Procurement

Federal MDR can be procured through several contract vehicles. Each has different administrative implications and competitive dynamics.
1. GSA Multiple Award Schedule (MAS) IT Schedule 70
The primary federal IT services vehicle. Most federal MDR providers carry MAS contracts. GSA MAS supports direct task orders, BPAs, and multi-award competitions. Set-asides for 8(a), WOSB, and HUBZone are available. Lead time is short relative to other vehicles.
2. GSA Highly Adaptive Cybersecurity Services (HACS)
A specialized GSA SIN within MAS focused on cybersecurity. HACS includes the Incident Handling and Emergency Management (IHEM) SIN, which is the most relevant for MDR procurement. HACS pre-qualifies vendors for cybersecurity work, reducing source-selection overhead.
3. CIO-SP4 and CIO-SP3
NITAAC (NIH) vehicles for federal IT services. CIO-SP4 succeeds CIO-SP3 in 2024 and includes cybersecurity scope. Civilian agencies frequently use CIO-SP4. Task order competition can be lengthy; vehicle access matters.
4. SEWP V
NASA-managed government-wide acquisition contract focused on IT products and solutions. SEWP V includes cybersecurity scope through select primes. Lower task-order administrative burden than CIO-SP4 in many cases.
5. OASIS+
The successor to OASIS. Multi-domain federal vehicle covering professional services including cybersecurity. Useful for combining MDR with broader compliance advisory work in a single task order.
6. Agency-specific BPAs and IDIQs
Many federal agencies maintain their own BPAs and IDIQs for cybersecurity services. Examples include DHS CDM, Treasury BPAs, and DoD ESI agreements. For agencies with established vehicles, this is often the fastest procurement path.
Pre-RFI checks

How to Verify a Federal MDR Vendor Meets the Requirements

Most of the verification work can be done before issuing the RFI. Nine concrete checks separate qualified vendors from unqualified ones.
1. Check the FedRAMP Marketplace for the service-level authorization
Visit fedramp.gov/marketplace and search by vendor name. Confirm the authorization is for the service itself, not just the underlying cloud. Note the authorization level (Moderate, High) and the agency sponsor. A FedRAMP authorization in the Marketplace is the definitive verification.
2. Request the Customer Responsibility Matrix in advance
Ask for the NIST SP 800-53 Rev 5 Customer Responsibility Matrix during pre-RFI conversations. The matrix should be available on request. Vendors that take weeks to produce it are signaling readiness gaps; their authorization documentation is likely not well maintained.
3. Verify citizenship policy with HR documentation
Ask the vendor to confirm in writing that all analyst tiers are U.S. citizens. Some vendors will furnish HR policy language; others will reference SOC operating procedures. Either is acceptable as a contractual basis.
4. Confirm DoD Impact Level authorization match
Verify the IL authorization on the service, not the underlying cloud. The DoD Cloud Authorization Services site lists IL authorizations. Match the IL classification to the customer environment.
5. Verify GCC High and Azure Government compatibility
If the customer environment runs on GCC High or Azure Government, confirm the MDR tooling natively supports these environments. Microsoft Defender XDR is the standard; other tooling should be verified vendor-by-vendor.
6. Check the FedRAMP POAM status
FedRAMP-authorized providers publish their POAM status. A clean POAM (few open findings, all remediation plans on schedule) signals operational maturity. A POAM with many overdue findings is a risk indicator.
7. Verify contract vehicle holdings
Confirm the vendor holds the contract vehicles relevant to your procurement (GSA HACS, CIO-SP4, SEWP, agency BPAs). Vehicle holdings affect how quickly the contract can move and what flexibility exists for modifications.
8. Check small business set-aside eligibility
For 8(a), WOSB, EDWOSB, HUBZone, or other set-aside categories, verify the vendor's certification status on SAM.gov. The certification must be current; expired certifications cannot be relied upon.
9. Confirm continuous monitoring artifact delivery cadence
FedRAMP continuous monitoring requires monthly POAM updates, quarterly SAR submissions, and annual assessments. Confirm the vendor delivers these artifacts on the standard cadence. Delayed continuous monitoring is a common audit finding.

Need an MDR Vendor That Meets Every Federal Requirement?

Quzara Cybertorch is FedRAMP High Authorized, IL-4 on Azure Government, U.S.-citizen-only SOC, GSA HACS IHEM available. Request a capabilities briefing.

Common Questions: Federal MDR Requirements

Is FedRAMP Moderate sufficient or do I need High? FedRAMP High is the standard for federal workloads handling sensitive data. FedRAMP Moderate covers less sensitive workloads. The data classification of the customer environment determines the required authorization level. Federal civilian high-impact systems and DoD IL-4/IL-5 environments require High.
What if the vendor is FedRAMP In Process rather than Authorized? FedRAMP In Process is a status, not an authorization. The vendor has begun the authorization process but cannot yet inherit controls to a customer authorization boundary. For a federal contract that requires inherited controls, In Process is insufficient.
Can a vendor without FedRAMP authorization still bid? Yes, but they cannot deliver inheritable controls. Some federal contracts permit non-FedRAMP vendors in narrow circumstances (specific exemptions, pre-authorization work). The default expectation is FedRAMP authorization.
How do I verify U.S. citizenship enforcement at the vendor? Request the vendor's hiring policy in writing, ask for SOC operating procedures that specify citizenship requirements, and include a citizenship verification clause in the contract. Audit rights for citizenship verification can be negotiated.
What is the difference between IL-2, IL-4, and IL-5? IL-2 covers public and non-controlled unclassified information. IL-4 covers controlled unclassified information for non-national security systems. IL-5 covers controlled unclassified information for national security systems and mission-critical workloads. The DoD Cloud Computing Security Requirements Guide defines each level.
Does the vendor's cloud authorization count as the vendor's authorization? No. The cloud (Azure Government, AWS GovCloud) and the service running on the cloud are separately authorized. A vendor running on a FedRAMP-authorized cloud is not itself FedRAMP authorized unless the service has its own ATO.
What contract vehicle is fastest for federal MDR procurement? GSA HACS IHEM and direct task orders against GSA MAS are typically the fastest. CIO-SP4 and SEWP V have longer task-order administrative timelines. Agency-specific BPAs vary.
Does CMMC Level 2 require the same MDR criteria? CMMC Level 2 inherits much of the federal MDR requirements set, particularly U.S. citizenship and FedRAMP-aligned control implementation. DIB contractors handling CUI under CMMC Level 2 should apply the same vendor filter.
Can a foreign-owned company hold FedRAMP authorization? FedRAMP authorization is not directly conditioned on company ownership, but national security review (CFIUS, FOCI mitigation) can complicate the path. For federal customers, vendors with U.S. ownership and clean FOCI profiles are preferred.
What should I include in the RFI to filter on these requirements? Include explicit requirements for FedRAMP authorization level, U.S.-citizen-only analyst staffing, DoD Impact Level authorization, GCC High or Azure Government support, inheritable control documentation, contract vehicle access, and POAM status. Vendors that cannot answer cleanly should be deprioritized.