Homeland Security Department officials hailed the Continuous Diagnostics and Mitigation (CDM) program in August 2013, when DHS and the General Services Administration awarded the $6 billion contract, as a network security program that would provide a “standard measure of protection across government within three years.”
Here we are nearly four years later: CDM is a lot harder than initially thought, and most agencies remain in Phase 1 of the program. The challenges can be traced to a host of reasons, from poor agency planning because agencies didn’t know all the devices and endpoints on their networks, to a contract vehicle that wasn’t flexible enough, to bid protests that have delayed nearly every award.
But before anyone calls CDM a failure or even a lost opportunity, GSA and DHS deserve a ton of credit for doing something few agencies publicly do — recognizing the deficiencies of their program and developing a plan to fix them going forward.
Jim Piche, the homeland sector director at GSA’s FEDSIM, said March 23 GSA and DHS are developing a new contracting approach to CDM that will try to address many of the shortfalls of the original blanket purchase agreement (BPA).
Piche said the first thing GSA and DHS will do is create a CDM special item number (SIN) under the Schedule 70 contract for IT.
“The objective of the CDM SIN is to capture that product catalog. With the BPA sunsetting, there has been a lot of investment by both GSA in terms of analyzing the pricing and by DHS in terms of analyzing the technology and qualifying the tools,” Piche said at the 1105 Government Information Group CDM event in Washington. “When the BPA sunsets, we don’t want that catalog of tools to go away. We are going to migrate the entire BPA catalog to the SIN so the catalog is now available in perpetuity.”
GSA released a request for information on March 22 related to the CDM SIN. In the RFI, GSA is asking for feedback across eight broad categories, including the proposed SIN description, proposed evaluation and qualification process and whether products and services should be included in the five subcategories.
GSA says the goals of the CDM SIN are to:
Establish a governmentwide contracting solution to continue to provide a consistent set of continuous diagnostics and mitigation tools;
Enhance the ability of offerors to bring new and innovative solutions to the CDM program;
Improve government access to the best available technology and improve the flexibility of the CDM program;
Streamline CDM requirements from 15 Tool Functional Areas (TFAs) to five subcategories; and
Establish and maintain a list of approved CDM products and provide a mechanism to qualify new products against the CDM requirements and add products to an Approved Product List (APL).
Responses to the RFI are due April 5.
“All the resellers and suppliers that have a Schedule 70 that also have BPA products will be asked to do a modification to their Schedule 70 contract,” Piche said. “You will not have to go through a re-proposal process or have to ask to have these tools added and go through another technical evaluation process because DHS already has done that. You will have to modify your Schedule 70 contract in order to add the SIN number for the products approved under the BPA.”
The second piece to this puzzle is moving the implementation of phases 3 and 4 as well as the operations and maintenance of phases 1 and 2 under task orders awarded to systems integrators through a large governmentwide acquisition contract.
Piche said GSA still is developing the acquisition strategy, so he couldn’t comment on which GWAC they would ultimately use. But it’s easy to guess at Alliant 2 or OASIS as leading contenders.
“We want to break the cycle of continuous acquisitions. Since the beginning of the BPA, whether it was the BPA, all the task orders we’ve awarded, all the delivery orders we’ve ordered and all the modifications to the BPA, there’s over 140 contract actions that we’ve taken since the start of the BPA. We want to break that cycle a little bit and get into more of actually doing work,” he said. “The other thing we are trying to break the cycle of is entrance on duty. When integrators are coming to do work at the agencies or DHS, the process of getting them on board has been very arduous. So we are going to try to break that cycle through a new acquisition strategy.”
Piche said DHS and GSA plan to keep the agencies in their existing groups developed under Phase 1 of the program.
“We will have a long-term sustainable solution for all CDM needs for the foreseeable future,” he said. “We will not engage in 147 contract modifications or every time a license maintenance has to be done and we have to renegotiate the deal. We want to get to a long-term relationship between CDM integrators and agencies they are supporting.”
In many ways that long-term relationship was the missing piece to CDM. When DHS and GSA set up the BPA, many thought the one-off contracts would work, but the complexity of agency networks and the implementation of the CDM tools proved too much.
Kevin Cox, the CDM program manager at DHS, said he is setting up a CDM customer advisory board to continuously address current and emerging challenges.
“We need people who are managing the programs to help us identify challenges, not just from a technology standpoint, because many times the technology side is the easy part. It’s the process reengineering, the training and the governance that is difficult,” Cox said at the event. “We are breaking down silos and barriers that have been in place for decades. That is what we are working toward and that will help make the program even richer and achieve the results we want of creating a better cyber posture for agencies.”
From a timing standpoint, DHS and GSA plan to hold an industry day in the April/May timeframe for the CDM SIN. They would start transitioning the current CDM products to the new SIN in early summer.
The current BPA expires in August 2018, so GSA wants a full year to get the replacement contracts in place under the GWACs, knowing full well that bid protests are going to be part of the initiative.
CDM by the numbers so far:
75 departments and agencies, including 23 CFO Act and 52 smaller agencies, are taking part in the CDM program
6 agencies fully deployed Phase 1 of CDM
$722 million in contracts awarded
$523 million obligated under the BPA
$366 million of task orders awarded under Phase 1
$188 million awarded in task orders for privilege and credential management
7 delivery orders worth $90 million have been awarded
100 delegations of procurement authority to agencies and four states to buy from the BPA
14 direct orders led to $31 million in direct billing from agencies with delegation of procurement authorities
$47 million award for the CDM cyber dashboard
169,000 tools on the approved products list
30 percent average savings for products over IT Schedule 70
35 percent average savings for labor categories over IT Schedule 70