GSA, DHS begin to tip their hand about future of CDM program

The $6 billion blanket purchase agreement for the continuous diagnostics and mitigation (CDM) program is heading into the home stretch with less than 18 months left on the initial deal.

The General Services Administration and the Homeland Security Department continue to send signals of how they will move forward after that initial BPA expires in August 2018.

The latest indication came in the form of a request for information (RFI) to GSA Alliant Small Business contract holders on March 6.

GSA is asking small firms to provide details across seven broad CDM capabilities, including:

  • Maintaining and operating the existing CDM solution to ensure a common set of CDM capabilities across all installations;
  • Planning, provisioning, configuring, operating, testing and managing tools, sensors, data feeds and dashboard integration as part of the solution;
  • Integrating, operating and maintaining the agency-level CDM dashboard;
  • Developing and maintaining the capability for CDM tools and sensors to report information to the agency dashboard;
  • Refreshing and integrating enhanced CDM capabilities, while ensuring continued operation of the functioning CDM solution;
  • Designing, building, deploying and operating the CDM solution for new agencies that opt in to the CDM program;
  • Providing agency-specific training for the CDM solution, with an emphasis on introductory-level operation and maintenance of the implemented tools and technologies, the agency CDM dashboard, and support for Information Security Continuous Monitoring and CDM governance frameworks and processes consistent with the Office of Management and Budget (OMB) and other federal oversight entities.

DHS and GSA also want insights into how CDM can be better integrated with mobile and cloud computing services.

Aubrey Merchant-Dest, federal chief technology officer for Symantec, said in an emailed statement to Federal News Radio that adding cloud and mobile is important, especially as network boundary protection is dissolving.

“This provides a hybrid approach to cloud security, enabling the same level of granular policy control, data governance, visibility and threat intelligence to ensure security for cloud applications and workflows irrespective of the device accessing it,” he said.

Responses to the RFI are due March 16.

“It’s a bit of a departure, but not a direct change in their approach to CDM,” said Pete Morrison, CA Technologies’ senior director for cybersecurity solutions for public sector and Canada. “What they are doing is looking at Alliant small business to see if they can get someone outside of the current contractors to help them with tasks that seem outside the scope of the current CDM contract. This seems to be more of a program management RFI, which is similar to the type of work that GSA and DHS have done in the past with other small businesses.”

This is the first of what many expect to be two RFIs seeking insights from industry into how GSA and DHS can improve CDM.

In February, GSA and DHS said challenges around Phase 3 of the program, which includes boundary protection and security lifecycle management, are pushing them to rethink their strategy for ensuring cutting-edge cyber products and services are available to agencies in a timely manner.

The second RFI, according to one industry source, is likely to focus on products that could be added to GSA Schedule 70’s cyber special item number (SIN). GSA announced in August it was adding three new SINs around penetration testing, incident response, cyber hunt and risk and vulnerability assessment services.

“The reality is Schedule 70’s cyber SIN is the future for CDM so they want to strengthen the SIN,” said the source, who requested anonymity in order to talk about internal agency discussions. “I think GSA and DHS are setting a new direction for CDM. They started with 17 companies on the BPA and now are down to 10 or 12. Product companies are complaining they can’t get in, and whenever DHS has an open season, they would be flooded with products looking to be added and DHS can’t respond fast enough. CDM did not accomplish its goals on one level, which was to give agencies access to cutting or leading edge technologies.”

The source said vendors and agencies alike understand there is a learning curve to any major program, but nearly four years in, agencies and vendors alike are frustrated by CDM’s slow rollout.

Morrison said he hears from clients, too, that there is great pressure to secure the federal environment, and that because CDM is “free” to agencies, waiting for the tools and services leaves them in a tough predicament.

“I don’t think that a CIO or chief information security officer or agency secretary will be able to go in front of Congress after a breach and say it’s not our fault, but CDM hasn’t gotten to us yet,” Morrison said. “I think because of the program’s time frames, a lot of agencies are just on the first piece of CDM.”

The industry source said the Alliant Small Business RFI and the one that is expected in the next few months are part of how GSA and DHS are developing the new CDM strategy. The source emphasized that there is no clear path for CDM beyond 2018 yet, but GSA and DHS believe a contract longer than three years and one that can easily take advantage of changes in the cyber market will be necessary.

Morrison added that there needs to be a specific plan for the operations and maintenance of the Phase 1 CDM tools, which included endpoint asset management and software assurance tools.

“When we speak to agencies, they are concerned about what will happen after the contract runs out and DHS stops paying for CDM,” he said. “I suspect some of the reason for the RFI is a response to agency concerns about what do we do when the task orders end. I’m glad to see that they are thinking about it because it’s at that point where these projects tend to fail. An agency installs technology and there is a lot of teething pain when you install enterprise software, but that is short term. Over the long term, you have to understand how you live with the cyber tools under limited resources and people.”