The continuous diagnostics and mitigation (CDM) program isn’t working as planned. The decision to use a blanket purchase agreement approach for the assorted cybersecurity tools and services isn’t flexible enough, doesn’t take into account longer-term agency operations and maintenance needs, and pre-pricing tools and services up-front adds a level of complexity to the program that was unexpected.
That is why the Homeland Security Department and the General Services Administration already are plotting the program’s future with two more years left on the contract.
GSA awarded the original five-year contract in August 2013 to 17 companies with a $6 billion ceiling.
Jim Piché, a group manager at GSA’s FEDSIM office, which oversees the CDM program, said the BPA’s stumbling points are heavily influencing the future of the program.
“The big piece we’ve learned is to have the flexibility of buying the products. Even though we are asking the agencies to specify what their networks look like, and we are asking the offerors to specify a solution that is firm fixed price, we understand the analysis will not be there until they get through the first part of the delivery of the task order where they do that discovery and true-up of what’s really going to be required,” he said after speaking at a conference on CDM sponsored by 1105 Government Information Group. “So having that flexibility in the task order, [we are] able to purchase that additional product and buy those additional services to install that product has been really important to making the task orders useful and viable in the near term.”
DHS and GSA are working with the Office of Management and Budget and others to figure out how best to position the CDM program for the future without the challenges of the current BPA.
Piché said he expected a decision about the future look and feel of CDM to come later this summer, giving GSA roughly two years to go through the acquisition process.
“What’s working about the BPA for us is that it does provide the onboarding process, and technical and financial qualifications of the products being used for the CDM. It provides a single place where agencies can go shop for them,” he said. “We also are seeing direct order and direct bills from smaller agencies. We are getting a lot of interest from state [government] CIOs so the BPA’s construct to be able to buy qualified cybersecurity tools and use qualified cybersecurity integrators at smaller levels of government is working for us.”
The fact that GSA, DHS and OMB are recognizing and now publicly admitting there are challenges with the structure of CDM is a major step forward.
Agency chief information officers and chief information security officers have been saying for the better part of the last year or more that while they fully support the benefits and goals of CDM, it’s moving too slowly.
One common complaint is that agencies have to decide whether or not to extend current cyber tools at their own expense even though DHS is providing and paying for the same or similar tools under the CDM program.
Piché said there are several things agencies can do when faced with a “go or no go” decision.
“The advice we’ve given some of the agencies is not to get into long-term leases with the products they are buying. They should get a more targeted lease or term lease so when CDM comes around they can terminate that lease if CDM is bringing something different or renew to a perpetual license if it’s consistent with the CDM solution being provided to them,” he said. “It’s better to invest a small amount now and provide the protections. It’s worse to have a license expire or not have a CDM solution installed for a period of time waiting for DHS than to spend a little bit more of money for a term license that can be replaced with a better solution in the future.”
Several agencies are primed and ready for the CDM solutions. But so far only DHS is testing out the initial products and services under phase 2 and task order 2 — another major stumbling block for the program.
DHS headquarters is beginning to pilot CDM this summer in the Washington, D.C. region, and will give feedback for other agencies.
Meanwhile, agencies in Group B — the Executive Office of the President, the Office of Personnel Management, and the departments of Agriculture, Energy, Interior, Transportation and Veterans Affairs — are awaiting DHS’ plan to accelerate their move to CDM as called for under the Cybersecurity Strategy and Implementation Plan (CSIP).
The rest of the CFO Act agencies either have completed the network and systems discovery process or are in the middle of that effort. GSA and DHS have yet to award the contract for the final group, 41 non-CFO Act small agencies.
“CSIP mandated us to go faster and we are exploring how to do that,” Piché said. “We want incident response capabilities to be quickly leveraged, and CDM calls for incident response. Both of those are coming soon, either later this year or early next year.”
Piché said GSA and DHS also are bringing on new vendors to provide updated or advanced tools as part of the CDM open season process.
The current open season for boundary protection products is under review by DHS.
“Currently, the catalog consists of about 30,000 products and every open season we are adding between 5,000 and 8,000 products,” he said.
But if the program is six months or more from expanding and becoming more useful to agencies, adding more products and services is moot, and DHS is missing out on a golden opportunity to change the government’s cyber posture.