Like the tortoise racing the hare, the Homeland Security Department’s continuous diagnostics and mitigation (CDM) program continues to make slow but steady progress.
The CDM program now is in its fourth year and every agency is in the midst of implementing Phase 1 tools and has a contract in place for Phase 2. The agency and governmentwide dashboards are on tap to report data in 2017. Now DHS and its acquisition partner, the General Services Administration, are starting to think about what comes next in 2018 when the current $6 billion blanket purchase agreement contract expires.
“Phase 1 and Phase 2 were centrally funded by DHS and we saw huge savings. In most cases 30 percent and in some cases as high as 60 percent-to-70 percent,” said Jim Piche, a group manager at GSA’s FEDSIM office, which acts as the procurement arm for CDM, at the recent Institute for Critical Infrastructure Technology (ICIT) winter summit in Arlington, Virginia. “The model has to start changing in the future. OMB decided to redirect the funding back to agency CIOs so they are empowered to oversee and maintain their CDM infrastructure. So with Phase 3 on the horizon, it will be centrally funded, but maintenance and ongoing sustainment will not be centrally funded like it is now.”
Mark Kneidinger, director of Federal Network Resilience in the Office of Cybersecurity and Communications at DHS, said GSA and DHS are engaging with OMB, and particularly the Resource Management Officers (RMOs) for how to keep CDM well resourced.
“We want to make sure they are aware of the challenge the agencies are facing in regards to operations and maintenance,” he said. “Collectively, the RMOs work together. We are sending a white paper to all RMOs about the challenges of funding the CDM program. From the CIO and agency perspectives, they have to raise the sustainment question with the RMOs too.”
Piche said the idea under phases 1 and 2 was to get agencies to a minimum baseline of cyber capabilities, and then have agency CIOs take over the maintenance to keep the tools modern and useful.
Piche said GSA and DHS are discussing approaches for Phase 3, which includes boundary protection and security lifecycle management. The goal is to keep current agency groups together, and give them access to a central contracting vehicle to buy support and achieve savings.
Along with the contracting approach, DHS and GSA are asking agencies what they want next from CDM.
Jim Quinn, DHS’ lead system engineer for the CDM program, said at the Association of Government Accountants Summit in mid-January that DHS surveyed CDM customers to ask what should they focus on next.
“All of the respondents said we have to solve CDM and the cloud,” Quinn said. “It was pretty consistent that they said we need to solve the architecture challenges and work with the Federal Risk Authorization and Management Program (FedRAMP).”
Quinn didn’t offer any further details of the survey as DHS still was compiling the results.
What’s happening here is DHS and GSA are realizing the acquisition strategy that came together in 2011 and 2012 will not meet the agency’s needs in 2018 and beyond. CDM phases 1 and 2 were pretty straight forward — know what’s on your network and know who’s on your network.
CDM Phase 3 is more complex and may require new thinking.
Quinn said the goals under Phase 3 are very broad and include four volumes of requirements —whereas phases 1 and 2 required only one volume each.
“Most activities were network introspective, yet most of risks are exposure to outside so Phase 3 looks at how the network is being defended, how EINSTEIN, cloud, the Trusted Internet Connections all get incorporated into Phase 3,” Quinn said.
He added that the current acquisition model for Phase 3 isn’t going to be fast enough to ensure agencies are getting the tools to defend their networks and data in a timely manner.
“When deploying tools, we need to have a plan in place that will be more effective,” Quinn said at the AGA event. “The model we were using before isn’t going to work because we are essentially buying things for a cyber tempo that is so much quicker than the acquisition process. We want to be able to do technology refreshes more often, not every five years.”
Kneidinger said in some cases agencies underestimated their network devices by some 200 percent-to-300 percent.
Even a 10 percent or 20 percent miscalculation would give CDM vendors heartburn, but when the missed estimate gets as high as double or triple, no wonder Phase 1 isn’t finished three-plus years after the initial BPA award.
GSA and DHS aren’t released of responsibility either. The testing and configuration of the tools under Phase 1 took longer than expected, and of course, a handful of task orders faced bid protests so that also slowed down the process.
So far only the Office of Personnel Management has implemented all of Phase 1 of CDM and is working on Phase 2. The Homeland Security Department is the second agency to be well on its way to completing Phase 1. But most other agencies still are in the early stages.