DHS expects the BPA to be worth $6 billion over the life of the contract, which has a one-year base and four one-year options.
“This acquisition will provide DHS, federal government departments/agencies, and state, local, tribal and territorial governments with specialized information technology services and tools to implement DHS’ continuous diagnostic and mitigation program,” the RFQ stated. “The CDM program seeks to defend federal and other government IT networks from cybersecurity threats by providing continuous monitoring sensors (tools), diagnosis, mitigation tools and continuous monitoring-as-a-service to strengthen the security posture of government networks.”
GSA is charging a 2 percent fee to agencies using the BPA.
Among the CDM tools DHS wants vendors to provide are:
Hardware-asset management, which includes discovering unauthorized or unmanaged hardware on the agency’s network.
Software-asset management, which is looking unauthorized or unmanaged applications on the network.
Vulnerability management, which will discover and fix holes in the network.
Managing trust in people granted access to the network, which focuses on the insider threat by looking for potential network abuses, such as deleting information or removing data that doesn’t belong to them.
Managing operation security, which would prevent hackers from exploiting weaknesses by using functional and operational control limits, especially around systems that are most vulnerable to attacks.
Along with the functional areas, DHS is asking for 11 task areas under continuous monitoring-as-a-service.
Among the services DHS wants are:
The support of CDM dashboards to show the status of network security.
To provide specified tools and services, such as hardware or software inventory management or account access management.
To operate CDM tools and sensors
To provide training and consulting in CDM governance, which includes designing a scoring system to compare performance of agencies, assessing risks and priorities among systems and other services.
To support independent verification and validation, and system certification of the security tools and sensors.
DHS and GSA also included a sample task order so vendors can have an idea what to expect from agencies issuing requests against the BPA.