The Homeland Security Department is taking a different, and maybe somewhat surprising, path for its latest task order under the continuous diagnostics and mitigation (CDM) program.
The General Services Administration, which is acting as the procurement arm for the CDM program, and DHS released task order 2F under the Alliant governmentwide acquisition contract instead of through the program’s $6 billion blanket purchase agreement (BPA) awarded in August 2013 to 17 vendors. The previous five task orders have come under the BPA. GSA awarded contracts to Knowledge Consulting Group, Booz Allen Hamilton, HP Enterprise Services and Northrop Grumman.
The RFP is for continuous monitoring-as-a-service (CMaaS) for 41 small and micro agencies ranging from the Consumer Product Safety Commission to the Federal Trade Commission to the Postal Regulatory Commission.
“The contractor shall design, build, and operate a CMaaS solution for the agencies identified in this task order (TO). The CMaaS solution shall include tools, sensors, CMaaS integration support services, and the use of secure shared services as the platform for tools, sensors, and supporting CDM Infrastructure,” the RFP released Dec. 3 and obtained by Federal News Radio stated. “The CMaaS integration support services include the planning, provisioning, configuration, operation, and management of tools, sensors, dashboards, and data feeds as well as support for CDM governance. This TO’s scope also includes implementation and maintenance of the CDM dashboard at the agency level. The contractor shall provide agency-specific training for the CMaaS solution, the agency CDM dashboard, and CDM governance.”
GSA says the 41 agencies are at different states of maturity. Some need only basic capabilities and services to support their cyber needs, while others need the full CMaaS solution.
“The contractor shall purchase CDM tools and sensors using multi-tenant (cloud) perpetual licenses to the maximum extent possible. This applies to tools and sensors that reside on the shared services platform (SSP),” the RFP stated. “Tools and sensors resident on endpoints, agency servers, and other similar devices shall also be perpetual to the extent possible.”
The successful contractor still must purchase tools and sensors from the CDM BPA and may not mark up the tools from the existing prices, which are detailed in this RFP.
For the first time, GSA publicly detailed its vision of its approach to CDM shared services.
GSA and DHS said the shared services architecture must use the cloud to allow for scalable and elastic hosting and minimize infrastructure costs. It must be based on standards that let multiple users access the services through similar interfaces, and shall include service level agreements and cybersecurity risk mitigation and distribution plans.
“The contractor shall provide shared services that are private for each agency. Data from multiple agencies under this TO can be co-located on the same physical device or within the same data center, provided that agency privacy is preserved; the choice of devices or locations depends on the contractor’s technical approach,” the RFP stated. “However, all CMaaS solution elements (e.g., hardware, network links) shall be located within CONUS. No non-government tenants shall use the same physical devices as are used by the CMaaS Solution under this TO.”
Another interesting aspect of the RFP is how GSA is reviewing bids. It’s taking a two-step approach—first written bids are due by Jan. 5. Then, by Jan. 14, supplemental and video proposals are due. Questions on the RFP are due by Dec. 10.
GSA doesn’t say why it went in the direction of Alliant instead of the CDM BPA for this task order. One reason could be the size and scope of the shared services offering and the need to get more vendors involved. But if GSA and DHS pre-determined the 17 CDM BPA vendors are best qualified to provide these services and tools, then why the need to add more vendors to the mix? And if these 17 vendors already invested in and have been implementing CDM tools and services for the 24 largest civilian agencies, what vendors on Alliant could be better qualified?