I'm preparing to write an RFP for an OT Antivirus or EDR solution that needs to be compatible across all operating systems, including Windows and Linux. The solution must not disrupt critical business processes or negatively impact our OT/IoT environment. Additionally, it should meet minimum cybersecurity requirements. What key factors and considerations should I focus on when drafting this RFP to ensure we select the most suitable solution? Is there any tool that can help in writing the RFP?

Managed Services Manager in IT Services, 9 months ago

Clearly specify the need for compatibility across all operating systems used in your environment, including various versions of Windows (legacy included) and Linux distributions; also ask how the agents are installed.

Specify compliance requirements and ask for certs such as ISO 27001. Define requirements for integration with your SIEM and SOAR solutions to streamline alerts and incident handling. Do they have a centralised management console? Ask for information on automation capabilities for handling routine tasks like updates and patch management, particularly in remote or difficult-to-access environments. What implementation support is available (if required), ongoing maintenance, training & support?

NIST's framework, along with SP 800-82, provides guidelines for protecting OT environments and can serve as a reference for key cybersecurity requirements to include in your RFP. I can also, if you like, introduce you to a few colleagues who have issued tenders and would be willing to give advice / best practice tips.

Information Security Analyst in Insurance (except health), 9 months ago

I don’t have a lot of experience with IoT / Operational Technology systems, but they might look at virtual patching as one feature to provide some low impact, cross platform functionality.

Solutions that inspect traffic and modify traffic to interrupt an exploit in progress could be thought of as antivirus in that regard.

I don’t see EDR as having the same capabilities since the D & R in “Endpoint Detection and Response” almost implies an on-device agent that can take action to respond, provide additional detail during an investigation, etc. Those functions are going to be difficult to apply “across all operating systems” as the question states. Now if that is a bit of an exaggeration and the request is really to support many versions of Linux and Windows, then there are certainly offerings that can work.

I guess I would ask / suggest that the RFP be specific about the known operating systems that need to be supported, and include that in the RFP.

The reference to “minimum cybersecurity requirements” is also very vague.

I would suggest the poster refine the RFP requirements a bit and ask for respondents to list the operating systems that they support, the cybersecurity frameworks they use in designing their functionality, etc.

Maybe start with identifying specific regulations their organization *must* comply with, add in any frameworks they *choose* to use and list them as questions in the RFP (e.g. “Please describe how your service aligns with ”

Also identify specific technologies the solution must support – is all network communications IP based? V4 and or V6? What operating systems (including known embedded ones) must be supported?

When supporting an OS, do you require an agent on each device? How is it installed / configured?

Things like that will provide insight for the selection process.

One other thing I would recommend is to establish some decision metrics before the RFP goes out – are there “absolute must have” vs “nice to have” features?

Support is also an area that is easily overlooked in a technical RFP. Ask questions around how support works for things like patches, updates, etc. How is the product tested across the supported operating systems *before* a patch is released?

If the customer has an issue, what escalation paths are available?

Are there guaranteed response times / SLAs that can be put in the contract?

Are there financial / contractual penalties if the supplier fails to meet the terms?

Is there a convenience "out" (or is the supplier willing to agree to an exit clause without penalty)?

Some of these are more business / procurement focused, but I think they are important to capture even at the initial RFP stage.

When responses come back, get the group together that wrote (or at least reviewed and approved) the RFP to independently "grade" the responses, then meet and discuss / agree on the final recommendation.

Information Security Analyst in Government, 10 months ago

FYI, some tools say they are compatible with Linux, but their agent needs to be installed in a way that will violate your Linux baselines, so make sure you understand how the agent gets installed and how deep into the OS/kernel it needs to be embedded. We just went through a selection process for our entire SOC suite of tools. Here are some of the questions we sent over to vendors during our evaluation. At the end of the day, your RFP will need to be focused on your organization's requirements, so I'd expect you not to care about some of these, and to have your own to add to the list. I've left off some of the more detailed technical questions specific to my organization. You'll also need to develop review/scoring criteria around what you consider to be acceptable answers to any of the questions/requirements you put into your RFP.
EDR vendor questions:

Description of EDR tool(s) you provide or support
Platforms your EDR tool supports (e.g. Windows, macOS, Linux, iOS, etc.). Is it supported on virtual servers?
What is the detection framework used? Signatures? Behavior examination? Use of AI?
What is the scope of scans/detections?
What is the timing of detection/scanning activities? Real-time analytics?
Device policy management. Grouping into different policies.
Whitelisting/blacklisting capabilities. Granularity of exceptions. Script management.
Endpoint Visibility - Runs as admin process on system to view and manage endpoints.
Installation, configuration, update, and remote management mechanisms.
Agent vs agentless.
Frequency of updates.
Remote management. Cloud-based management or on-prem server?
Control of updates pushed?
Detection of devices not actively running the EDR tool or not updating properly?
Central collection of EDR data. Where is it stored?
Ability to search/report on information from the EDR (for example search for hashes found on hosts)
Alerting and notifications
Integrations with SIEM and other tools
Do you have a home use licensing program for antivirus?

Information Security Manager, a year ago

If it has to do with OT with Windows and/or Linux, it will be beneficial to understand which protection ring the solution is sitting at or interacts with.
