The vendor is required to provide a secrets management solution that can securely store, access and manage sensitive data such as API keys, database credentials, identity and access management (IAM) permissions, secure shell (SSH) keys, and certificates across development, build, deployment, and operational stages.
- The solution must address common secrets management challenges, including security asset ownership, automation, secure access, and integration with existing platforms, including Azure, Amazon Web Services (AWS), Google Cloud Platform (GCP), and on-premises data centers.
- The solution is intended only for shared accounts, applications, or automated accounts that require secure secrets management.
- Short-term: Implement an audit-compliant solution that provides a single pane of glass for centrally managing all secrets through their full lifecycle.
- Long-term: Establish automated secrets lifecycle management with audit capabilities to meet compliance requirements.
- Disaster Recovery Requirements: The solution should meet the following disaster recovery requirements:
• Backup and Recovery: The solution should provide mechanisms for regular backups of secrets and configurations, with clear processes for restoring data in case of a disaster.
• High availability: the solution should support high availability configurations across multiple regions or availability zones to ensure uninterrupted access to secrets.
• Recovery time objective (RTO) and recovery point objective (RPO): vendors should specify the RTO and RPO their solution achieves in a disaster scenario.
• Failover capabilities: the solution should include automatic failover capabilities to minimize disruptions during failures.
- Key management audit standards: the solution should adhere to the following key management audit standards:
• Audit logging: the solution should provide comprehensive audit logging for key creation, access, rotation, and deletion activities.
• Periodic key reviews: the solution should support periodic reviews of keys to ensure they are still valid and required.
• Report generation: the solution should be capable of generating audit reports for internal security reviews or external compliance audits.
- Expected integration methods: the solution should support the following integration methods:
• API integration: the solution should offer a comprehensive RESTful API for integration with existing applications, CI/CD (continuous integration/continuous deployment) pipelines, and infrastructure automation tools.
• Infrastructure-as-code (IaC) integration: the solution should support integration with infrastructure-as-code tools such as Terraform, Ansible, and AWS CloudFormation.
• SDKs (software development kits): availability of SDKs in multiple programming languages (e.g., Python, Java, JavaScript) to facilitate easier integration into existing workflows.
• Plugin support: the solution should support plugins or extensions for common CI/CD tools such as Azure DevOps, Jenkins, GitLab CI, and GitHub Actions.
• Secrets injection: ability to securely inject secrets into applications running in environments such as Kubernetes or other container orchestration platforms.
- Key management: the solution should meet the following key management requirements:
• Secure key generation, rotation, and storage should be provided to ensure the integrity and security of encryption keys.
• Automatic key rotation should be supported to minimize the risks associated with compromised keys.
• The solution should support integration with cloud-based key management services, including but not limited to Amazon Web Services (AWS) Key Management Service (KMS), Azure Key Vault, or Google Cloud Platform (GCP) Cloud KMS.
• Compliance with FIPS 140-3 (Federal Information Processing Standard) or validation under the CSE (Communications Security Establishment) Cryptographic Module Validation Program (CMVP) for key handling and storage.
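The key management requirements above (secure key generation, automatic rotation, and audit logging of key creation, access, rotation, and deletion) are easier to evaluate against a concrete model of what rotation has to do: mint a new key version, re-wrap every stored secret under it so that reads never break, and only then allow the old version to be destroyed. The following is an added illustration, not part of the tender or of any vendor's product. It is standard-library Python only, so the cipher is an HMAC-SHA256 counter-mode stream with an encrypt-then-MAC tag, a stand-in for the AES-256 the requirements call for; the class and event names (SecretStore, key.create, secret.rewrap, and so on) are assumptions chosen for the example.

```python
"""Versioned master keys with re-wrap on rotation and an append-only audit trail.

Illustrative example only. The HMAC-based stream cipher below stands in for
AES-256-GCM (stdlib has no AES); a production solution would use a validated
cryptographic module. Class, method and audit event names are assumptions.
"""
import hashlib
import hmac
import secrets
import time


def _derive(master, label):
    # Separate confidentiality and integrity keys from one master key version.
    return hmac.new(master, label, hashlib.sha256).digest()


def _keystream(enc_key, nonce, length):
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(enc_key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(master, plaintext):
    nonce = secrets.token_bytes(16)
    ks = _keystream(_derive(master, b"enc"), nonce, len(plaintext))
    ct = bytes(a ^ b for a, b in zip(plaintext, ks))
    tag = hmac.new(_derive(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce, ct, tag


def decrypt(master, nonce, ct, tag):
    expected = hmac.new(_derive(master, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(expected, tag):   # constant-time check before decrypting
        raise ValueError("authentication tag mismatch")
    ks = _keystream(_derive(master, b"enc"), nonce, len(ct))
    return bytes(a ^ b for a, b in zip(ct, ks))


class SecretStore:
    def __init__(self, clock=time.time):
        self._clock = clock
        self._keys = {1: secrets.token_bytes(32)}   # key version -> 256-bit master key
        self.current_version = 1
        self._secrets = {}                            # name -> (key_version, nonce, ct, tag)
        self.audit = []                               # append-only list of audit events

    def _log(self, actor, action, name=None, **extra):
        self.audit.append({"ts": self._clock(), "actor": actor, "action": action,
                           "secret": name, **extra})

    def put(self, actor, name, value):
        v = self.current_version
        self._secrets[name] = (v, *encrypt(self._keys[v], value))
        self._log(actor, "secret.write", name, key_version=v)

    def get(self, actor, name):
        v, nonce, ct, tag = self._secrets[name]
        self._log(actor, "secret.read", name, key_version=v)
        return decrypt(self._keys[v], nonce, ct, tag)

    def delete(self, actor, name):
        del self._secrets[name]
        self._log(actor, "secret.delete", name)

    def rotate(self, actor):
        """Mint a new master key version and re-wrap every secret under it."""
        new = self.current_version + 1
        self._keys[new] = secrets.token_bytes(32)
        self.current_version = new
        self._log(actor, "key.create", key_version=new)
        for name, (v, nonce, ct, tag) in list(self._secrets.items()):
            plaintext = decrypt(self._keys[v], nonce, ct, tag)      # old version still readable
            self._secrets[name] = (new, *encrypt(self._keys[new], plaintext))
            self._log(actor, "secret.rewrap", name, from_version=v, to_version=new)
        return new

    def retire(self, actor, version):
        """Destroy an old key version, refusing while any secret still depends on it."""
        in_use = [n for n, rec in self._secrets.items() if rec[0] == version]
        if version == self.current_version or in_use:
            raise RuntimeError(f"key version {version} still in use: {in_use or 'current version'}")
        del self._keys[version]
        self._log(actor, "key.delete", key_version=version)

    def versions_in_use(self):
        return sorted({rec[0] for rec in self._secrets.values()})
```

The point a reviewer should take from this is the ordering: a rotation that does not re-wrap (or that destroys the previous version before every dependent secret has been re-wrapped) breaks reads, and an audit trail that records only key.create and key.delete cannot show which secrets were touched in between. When assessing a vendor's rotation feature, ask for the equivalent of the secret.rewrap events and for the refusal behaviour shown in retire.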
- Compliance standards: the solution should meet relevant security and compliance standards, such as:
• Data encryption standards: the solution should adhere to the following encryption standards:
1. AES-256 (Advanced Encryption Standard with 256-bit keys) for data at rest.
2. TLS (Transport Layer Security) 1.2 or higher for securing data in transit.
3. FIPS 140-3 (Federal Information Processing Standard) compliance for cryptographic modules, if applicable.
• SOC 2 (System and Organization Controls 2): to ensure data security, availability, processing integrity, confidentiality, and privacy.
• ISO 27001: for information security management systems.
• NIST (National Institute of Standards and Technology): to provide guidelines on managing information security risks.
- Questions/Inquiries Deadline: March 31, 2025