Two acquisition events mark the turning point for the CDM program

Two important acquisition events happened this month that mark the transition of the Continuous Diagnostics and Mitigation (CDM) program.

First, the General Services Administration opened its Schedule 70 Special Item Number (SIN) on Aug. 3 to start accepting new tools under SIN 132-44 and grandfathered in some 70,000 existing cyber software, hardware and services under the CDM program.

The second significant item came Aug. 23, when GSA and DHS released the first task order, called DEFEND, under the Alliant governmentwide acquisition contract (GWAC).

GSA and DHS detailed the major changes to their acquisition approach to CDM earlier this year.

“As we move forward with the acquisition process of CDM at DHS, we needed to look at two things. The approved products list will be available to agencies, states, localities, tribes and territories for activities related to continuous monitoring and CDM related activities. The SIN through the GSA Schedule was the first step,” said Kevin Cox, DHS’ CDM program manager, in an interview with Federal News Radio.

Cox said the second step was moving the task order process off of the blanket purchase agreements and on to the Alliant GWAC.

“The nice thing about these task orders is they will be multi-year, beyond just the two or three years we offered with prior task orders. We are looking at offering task orders that are five or six years in length,” he said. “The other nice thing about it is the agencies will be able to utilize the task orders directly in order to do different activities. So it’s not the [CDM] program that will be placing requests for service on the task orders and additional funding on to the task orders. But it gives the agencies an additional vehicle to be able to utilize in order to mature their continuous monitoring programs in their agencies.”

The fact that GSA and DHS met their goals this summer and didn’t run into any legal or contract regulatory issues is a small but important win for CDM.

It’s also a recognition by GSA and DHS that the approach to CDM over the last four years wasn’t working well enough, as the time-to-market needed to happen more quickly.

“The biggest benefit of CDM Phase 3 is the ability to transform agencies from a slow, paper-based, manual risk assessment process to a near real-time automated risk assessment dashboard,” said Eric Trexler, McAfee’s executive director of national security and civilian programs, in an email to Federal News Radio. “It also provides civilian agencies standardized purchase and deployment capabilities that would be costly and inefficient to provide on their own.”

Under the CDM Phase 2 task order, called DEFEND, which stands for Dynamic and Evolving Federal Enterprise Network Defense, GSA is asking for vendors to address six broad categories of support services for Group B agencies: The Office of Management and Budget, and the departments of Agriculture, Energy, Interior, Transportation and Veterans Affairs, and the Office of Personnel Management.

The task order services include ongoing support of current CDM tools and services, filling gaps in existing capabilities, integrating, operating and maintaining the agency’s CDM dashboard and providing training for use of the tools and dashboard.

Niels Jensen, the senior vice president of U.S. government sales at ForeScout Technologies, said CDM is giving agencies more visibility into their network.

“Kevin Cox, the program manager for the CDM program at DHS, recently noted that, on average, 44 percent more unmanaged and un-catalogued devices have been found on civilian federal networks than were expected during Phase 1 of CDM,” Jensen said. “Without complete visibility and control of every device on these civilian networks, it is impossible to address the unmanaged and unsanctioned population of devices where the vast majority of cybersecurity risks exist.”

GSA is using a two-step approach to accepting bids. Written proposals are due by Sept. 14, and then cost and technical proposals are due Sept. 21.

“The orchestration component of CDM DEFEND (Phase 3) is exciting because it has the potential to shift government agencies from a reactive to proactive cyber threat defense posture, leveraging an integrated and open security architecture,” Trexler said. “CDM DEFEND (Phase 3) provides a near real-time risk assessment of government infrastructure allowing the federal government to mitigate threat vulnerabilities more efficiently while reducing duplicate efforts and costs.”

Cox said after this first task order, DHS and GSA will issue other solicitations through Alliant for the other agency groups under CDM.

“They will be able to utilize over the next few years the task orders to buy products and services related to CDM and be able to mature some of the CDM capabilities they already have in place,” he said. “They will be able to do new CDM related to our upcoming Phase 3, which ties into ongoing assessment and authorization in place, improving the incident response capabilities across the federal government and working to better our boundary protections as well.”

As for the CDM SIN, GSA split it into five subcategories and 15 tool functional areas of products and services:

  • Manage “What is on the network?”: Identifies the existence of hardware, software, configuration characteristics and known security vulnerabilities.
  • Manage “Who is on the network?”: Identifies and determines the users or systems with access authorization, authenticated permissions and granted resource rights.
  • Manage “How is the network protected?”: Determines the user/system actions and behavior at the network boundaries and within the computing infrastructure.
  • Manage “What is happening on the network?”: Prepares for events/incidents, gathers data from appropriate sources, and identifies incidents through analysis of data.
  • Emerging tools and technology: Includes CDM cybersecurity tools and technology not in any other subcategory.

GSA says current BPA CDM products will be listed under the SIN, and new or updated products require vendors to submit an evaluation package to DHS for review.

DHS will examine the product for conformance and technical capabilities before it’s added to the SIN.
