CMS award for cybersecurity raises red flags

Just as the Department of Health and Human Services and the Centers for Medicare and Medicaid Services are ramping up for the 2017 open enrollment under the Affordable Care Act, a contract award for cybersecurity services is causing a bit of a stir in the federal community.

Multiple sources confirm that CMS awarded Iron Vine Security a $67.6 million contract to provide information security and privacy support services.

According to the award announcement obtained by Federal News Radio, CMS chose Iron Vine, a small firm in Washington, D.C., from 11 bids for the request for quote under GSA’s Schedule 70 as a small business set-aside.


One industry source, who requested anonymity in order to talk about the award that CMS has not yet announced, said they believe the agency is taking a huge risk. The source, whose company didn’t bid on the project, said it appears CMS took a lowest price, technically acceptable (LPTA) approach to a complex cyber environment.

The statement of work says the vendor will provide agencywide program management support for cybersecurity and privacy services as well as its Health Insurance Marketplace Security Operations Center under the ACA across eight task areas.

Among the services to the marketplace Iron Vine will provide are the ability to:

  • Monitor, defend and protect every perimeter interface for malicious network traffic;
  • Monitor, defend and protect every host within each FISMA boundary for malicious activity or activity that could indicate lateral movement within the environment;
  • Perform advanced network analysis of egress and ingress traffic;
  • Monitor security events, and correlate information from data center feeds and CCIC functional areas, to identify incidents, issues, threats and vulnerabilities;
  • Conduct initial triage, containment, categorization and escalation for suspicious events and incidents;
  • Provide compromise response activities as necessary.

The industry source said the transition to the new contractor ahead of the open enrollment that starts Nov. 1 is one big concern because after Oct. 1 CMS will not make any changes to its systems.

The RFQ states the transition must be completed two weeks after notification of award, which leaves only about two weeks to work out any kinks, assess the current state of CMS networks and systems, and make fixes before Oct. 1.

The source said a related transition concern is staffing: there is growing worry that the current staff is unlikely to move to the new contractor and make the commute to Baltimore. CMS previously awarded two contracts for these services to Spann & Associates Inc., which was bought by Raytheon, and Creative Computing Solutions Inc., which was bought by Information Innovators Inc. (Triple I), and that work was based in the D.C. metro area.

Additionally, there is concern about Iron Vine’s price, which is about 20 percent lower than what CMS is paying today for the two existing contracts; that gap is also why some say the agency went LPTA.

Of course, the obligatory bid protest is expected on this contract, which would delay the implementation even longer, likely until after the open enrollment period has ended, so many of these concerns may end up being moot.

But as CMS prepares for another high-profile ACA event, getting the cybersecurity and privacy right for the tens of millions of Americans who will use the marketplace should’ve been a higher priority.

CMS didn’t respond to an email seeking comments on the contract award.
