In the almost seven years since the Department of Homeland Security launched the signature initiative to raise all cyber boats, the focus mainly has been on the 24 CFO Act civilian agencies.
The 75 small and micro agencies weren’t ignored, but it was clear the continuous diagnostics and mitigation (CDM) program would address cybersecurity gaps among the largest agencies first.
Well, it’s the little guys’ turn, now.
The General Services Administration, acting as the procurement arm for CDM, awarded CGI-Federal a $276 million contract to provide those 75 small and micro agencies — think Consumer Product Safety Commission or the Merit Systems Protection Board or the U.S. Institute of Peace — a host of services including a cyber catalog and a shared services platform.
In the solicitation, released in November, GSA and DHS say the goal is for the vendor to modernize version 1 of the shared services platform and add more capabilities including network security management and data protection management to go with the current set of services that include asset management and identity and access management.
“The shared services catalog (SSC) will also require the contractor to develop innovative solutions to the CDM capabilities that prioritize cloud native and hosted service solutions,” the solicitation stated. “The SSC will be a continuously curated list that is intended to grow and change with the threat and technology landscape.”
Two years in the making
The Defend F task order — in CDM parlance — has been in the works for the better part of two years.
DHS has not left small and micro agencies out to dry with CDM capabilities.
Kevin Cox, the CDM program manager for DHS, said in early March that 36 small and micro agencies are using version 1 of the shared services platform.
“We’ve made good strides with our existing shared services platform,” he said. “The idea here is we deployed the asset management capabilities and the identity and access management capabilities to these agencies, and rather than each of them have their own individual dashboards, we created a shared service platform in the cloud where all the sensor data reports up. That shared service platform in the cloud is multi-tenant so each agency has their own dashboard. They can see their own data and the model works the same way where that data gets summarized up to the federal dashboard.”
Cox said the new task order will give these small and micro agencies new and different cybersecurity tools and services that meets their needs more specific to their environment and the risks they face.
“We will be able to provide more services in the cloud under that new platform so agencies will have more tools at their disposal in regards to the own dashboard to better visualize and analyze their data,” he said. “The new dashboard will give them better value for their data and manage their risk better.”
CGI-Federal has been one of the biggest winners under the CDM program. This is its third major task order win. The others included a 2016 award for identity management services through the credential management task order, which was worth $102 million.
In 2018, GSA and DHS awarded CGI-Federal a $530 million contract to under the Alliant governmentwide contract for five agencies — the departments of Commerce, Justice, Labor, State and the U.S. Agency for International Development.
CGI says in its release that the new shared services platform will provide non-CFO Act agencies access to the same cybersecurity tools as their larger, cabinet-level counterparts.
Industry sources say the award to CGI-Federal could be delayed if one of the unsuccessful bidders — likely ManTech — file a protest with the Government Accountability Office. As of May 3, GAO’s docket didn’t show any complaints on this solicitation.
New CDM dashboard on tap
The award for the shared services platform kicked off a busy spring and summer for CDM.
Judy Baltensperger, the Cybersecurity and Infrastructure Security Agency CDM dashboard project manager, said during a recent webinar sponsored by FCW, that the initial version of the new governmentwide dashboard should be ready in the spring.
That coincides with a new data management strategy for cyber data going through the dashboard.
“With data quality, we’ve found some stability and readiness challenges, and interoperability issues and governance with agencies,” Baltensperger said. “Additionally our master device record logic happens at the integration layer so that’s why we need clear data requirements to do business logic and ensure consistency across the dashboard.”
She said the goal of the data efforts is to make sure the right people have the right data to make the appropriate risk management decisions. That means, Baltensperger said, agencies have to start with common data schema and dictionary to enhance the data sets and feed the predictive analytics tools in the new dashboard.
“We want to present the layout of an agency’s environment so as we collect more data, we can understand the critical flows and help identify when there is a problem and what action should be taken,” she said. “Agencies have different risk appetites so it’s not a one-size-fits-all approach.”
DHS expects all agencies to have the new dashboard by the fall.
“The dashboard team provided a calculator so the Defend integrators can size the implementation of the new dashboard appropriately for two capabilities,” Baltensperger said. “They also need to identify the volume of data, how many nodes are in the Elastic cloud enterprise. These will include the management node at each agency and then additional data nodes. We’ve built and prototyped the dashboard in the cloud. The federal dashboard will be in cloud, and we are hearing several agencies would like to go to the cloud.”