DHS’ governmentwide cyber initiative makes over $1B in contract awards in the last month

The Nuclear Regulatory Commission’s implementation of phase one of the continuous diagnostics and mitigation (CDM) program fell behind schedule by as much as nine months.

In June, the agency issued a sole source justification authority to continue to pay Enterprise Services— formerly HP Enterprise Services — $389,000 for another year of work on phase one.

Now for NRC and the five other agencies in Group E, phase 3 of CDM may also fall behind schedule.

The General Services Administration’s award to ManTech for $668.6 million for services and capabilities under the DEFEND task orders is under protest before the Government Accountability Office. Enterprise Services filed a bid protest on July 2, arguing its proposal shouldn’t have been rejected as unreasonable.

Advertisement

The irony of this protest is the Enterprise Services is the current provider of CDM services to Group E so by protesting the award they are both paying for the legal fees and getting paid by their customers to continue to provide services. It’s a perfect example of an incumbent losing the recompete and extending their revenue through a protest. This issue has long been a red flag for many in the acquisition community about why certain parts of the bid protest process need to be fixed. But that discussion is for another time.

HPES has been providing services to these six agencies since 2015, when GSA and the Homeland Security Department, which the operational arm of CDM, awarded the company a $21.7 million contract. The six agencies include the NRC, the Environmental Protection Agency, the departments of Housing and Urban Development and Education, the Small Business Administration and the National Science Foundation.

And this brings us back around to NRC. It’s unclear if NRC’s implementation challenges were the fault of Enterprise Services, DHS, the agency or some combination of the three, but the fact is NRC, and likely other agencies, will have to figure out how to deal with the ever-increasing cyber attacks without these advanced tools.

In the justification document, NRC offered a little insight into why CDM has been delayed:

“In the original design, the CDM project intended to collect a large amount of system security information that would be analyzed and displayed in an agency CDM dashboard that also sent summary data to a federal CDM dashboard hosted at DHS. This effort required installation of ten new servers involved in data collection and analysis, and due to the complexity of this system the length of time required to troubleshoot configuration issues so that it functioned properly was much longer than anticipated. Due to limitations of the lab environment provided by the contractor, CDM system configurations could not be adequately tested prior to deployment on the NRC network which further increased time needed for troubleshooting.”

NRC also said: “CDM project lacked a complete architectural vision or concept of operations from U.S. Department of Homeland Security (DHS). For that reason, the CDM project is behind the schedule originally” detailed in the initial contract award to HPES.

Only since March has the NRC CDM dashboard met initial operating capability, which seems to be on schedule with other agencies. In May, Kevin Cox, the CDM program manager, said DHS had 20 of 23 agencies providing data and had a goal of closing the gap this month to have all 23 civilian CFO Act agencies submitting data to the governmentwide dashboard.

This is the second time Enterprise Services protested an award under the CDM program. In 2015, the former HPES lost its complaint to GAO over the $29 million award to the Knowledge Consulting Group to provide DHS’ headquarters with continuous monitoring tools.

While Group E must wait until October at most to get going, the agencies under Group C are ready to go.

GSA awarded CGI Federal a $530 million contract to under the Alliant governmentwide contract for five agencies — the departments of Commerce, Justice, Labor, State and the U.S. Agency for International Development.

GSA and DHS held the “kick-off” meeting with CGI Federal and the agencies last week.

GSA received four bids under the task order competition and, obviously, it wasn’t protested.

As for the other agency groups under DEFEND, which marked a major change to how GSA and DHS approached CDM:

  • Group A — CACI won a $407 million task order in May for DHS headquarters and components.
  • Group B — Booz Allen Hamilton won a $621 million task order also in May for seven agencies —the departments of Energy, Interior, Transportation, Agriculture and Veterans Affairs, and the Executive Office of the President and the Office of Personnel Management.
  • Group D — Expected award by the end of July. Agencies under Group D are: GSA, NASA, the Social Security Administration, the departments of Treasury and Health and Human Services, and the Postal Service.
  • Group F — Cox said DHS continues to work with the small and micro agencies to get them to submit data to the governmentwide dashboard, and is starting to pilot a continuous monitoring-in-the-cloud solution.

Sources say GSA and DHS are working on the next part of Phase 3, which currently is being called the CDM Dashboard II. GSA received feedback from a recent request for information and is expected to hold an industry day in August.

Read more of Reporter’s Notebook