The Homeland Security Department and the General Services Administration put two more key pieces in place under the Continuous Diagnostics and Mitigation (CDM) program.
GSA, acting as the procurement arm of the CDM program, awarded the continuous monitoring-as-a-service contract — also known as task order 2F — to ManTech. Under this sixth part of task order two, GSA and DHS are asking ManTech to provide services to at least 44 small-and-micro agencies, ranging from the Consumer Product Safety Commission to the Federal Trade Commission to the Postal Regulatory Commission.
GSA and DHS awarded the first contract under phase 2 of the CDM program for privileged access controls to Knowledge Consulting Group (KCG), which ManTech bought in June 2015.
This means ManTech essentially won both task orders: the first is worth $25.5 million and the second $85.4 million, for a total of $110.9 million.
This is the fourth win for KCG under the CDM program. The most recent one before the privileged access controls came in March 2015 when the company received a $29 million contract to implement McAfee’s vulnerability manager and ePolicy Orchestrator tools, ForeScout’s CounterACT tool for network access control and Splunk’s big data analytics software.
The privileged access control task order is the first of four under phase 2. DHS and GSA also plan to award contracts for access control management, security-related behavior management and credentials and authentication management.
Under the privileged management task order, KCG will provide “specialized information technology services and tools to ensure that all employees and contractors that function with elevated privileges and responsibilities for accessing and administering federal IT system, are using appropriately secure methods.”
GSA says the privileged management will help integrate the other three parts of phase 2 to create a Master User Record with all data, policy enforcement elements and strong authentication requirements.
DHS and GSA expect 65 agencies to take advantage of these tools and services.
Under the CMaaS program, ManTech will provide tools, sensors, integration support services and the use of a shared platform to support the CDM infrastructure to the small and micro agencies, which otherwise wouldn’t have the resources to undertake the CDM program on their own.
“The CMaaS integration support services include the planning, provisioning, configuration, operation, and management of tools, sensors, dashboards, and data feeds as well as support for CDM governance,” GSA said in the task order. “The tools will feed the CDM agency dashboard, hosted on the shared service solution. The task order includes implementation and maintenance of the CDM Dashboard at the agency level. The contractor shall provide agency-specific training for the CMaaS solution, the agency CDM dashboard, and CDM governance.”
This is the first time DHS is providing CDM tools and services in a shared services environment.
DHS and GSA released the request for proposals under the Alliant governmentwide acquisition contract in December.
Andy Ozment, the DHS assistant secretary for cybersecurity and communications, told the House Oversight and Government Reform Subcommittee on IT in April that DHS expects to award the other contracts under phase 2 by the end of the fiscal year.
“We are also still not satisfied with how long it takes to ensure that a vulnerability is fully patched across the government,” Ozment said. “CDM will allow a necessary transition to automation and timely data analysis, and thereby inform better oversight for the government writ large and better cybersecurity at each agency.”
There are growing concerns both in and outside of government that the CDM program is moving too slowly.
But Jeh Johnson, the secretary of DHS, told the Senate Judiciary Committee on June 30 that CDM is making progress.
“In 2015, we provided CDM sensors to 97 percent of the federal civilian government. Next year, DHS will provide the second phase of CDM to 100 percent of the federal civilian government,” he said.
DHS also requested $274.8 million for CDM in fiscal 2017, which is an increase of more than $170 million over the 2016 enacted level.
In the 2017 DHS appropriations bill, House lawmakers are providing DHS $164.9 million, while Senate members have allocated $246.6 million for CDM.
“Given budget constraints and likely delays in the planned acquisition schedule for CDM Phase 4, however, the committee reduces the request for CDM by $102 million,” House members wrote in the DHS appropriations bill report passed June 22. “Recognizing the ever-changing cybersecurity landscape and increased vulnerabilities at the data level, the committee agrees with National Protections and Programs Directorate’s program strategy to evolve CDM beyond network protections to also include data protections. The committee urges NPPD to incorporate and accelerate these new capabilities in Phase 3 and Phase 4 of CDM to the greatest extent practicable to further enhance protection of high value digital assets across all federal civilian agencies.”
Senate appropriators reduced DHS funding for CDM phase 4 by $19 million to $81 million for 2017.
“While the committee fully supports the CDM mission, the reduction in Phase 4 is due to scalability and fiscal constraints,” lawmakers wrote in the committee’s report issued May 26. “Due to the ever-changing cybersecurity landscape and increased vulnerabilities to sensitive data, the committee agrees with CDM’s programmatic strategy to evolve beyond network protections and include data protections. The committee expects these new CDM capabilities, to include digital rights management, micro-segmentation, data masking, encryption and decryption, and mobile device management, will be accelerated and incorporated into future phases of CDM development.”