(This story has been updated from its original version to include additional details about the contract and quotes from DHS Director of Network Resilience John Streufert.)
The Homeland Security Department awarded 17 companies, providing tools from more than 20 subcontractors, a spot on the continuous monitoring and diagnostics contract.
DHS announced the deal, which could be worth potentially $6 billion, late in the day Monday. The vendors will provide tools, hardware and software to implement continuous-monitoring-as-a-service (CMaaS).
Under the contract, DHS will work with agencies to implement continuous diagnostics and mitigation (CDM) tools at the network level using more than $183 million, which Congress provided as part of the fiscal 2013 budget.
Agencies will use their own funding to implement the software and services for specific applications or systems, said John Streufert, director of Federal Network Resilience at DHS.
“The way the government has structured its information systems is we share networks with multiple custom applications,” he said during a press briefing after speaking at the SANS Institute’s Critical Security Controls Summit in Washington Tuesday. “We track more than 6,000 applications which are categorized at a moderate level of risk, and more than 1,200 applications that are categorized at a high level for risk. Because they all share common networks across both military and civilian government, it was the judgment of DHS that protecting the networks first would be an important foundation and then we would overlay additional software security protections, database protections and website protections on top, and feed to the same dashboards that will be funded in the initial increment under the continuous diagnostics and mitigation program.”
Civilian agencies only
DHS will focus only on the civilian agencies through the CDM program.
Streufert said DHS has signed memorandums of agreements with 22 of 23 CFO Act civilian agencies to implement the program. Only the General Services Administration hasn’t finalized its MOA to implement CDM.
“There were some internal circumstances related to the kind of technology they have at the GSA. I’m not sure of all of their reasons, but I know a good portion of their activity is in the cloud. I know GSA is waiting til 2014, but the good news is that’s less than six weeks away,” he said. “I think we’ll fold them in quite easily as the various task orders play out. A number of the departments and agencies have similar circumstances as GSA and what we are doing as a customer responsive organization is to work with their internal circumstances and cue up those who are ready to move out now, and we’ll create options on the contract and other mechanisms to add in the organizations that need a little bit of additional time.”
Streufert also said an additional 30 small or micro agencies have expressed interest in DHS putting CDM tools on their network.
He added DHS will work with the Chief Information Officer’s Council, the Office of Management and Budget and others to determine the implementation order for customer agencies.
Before continuous monitoring can achieve full operating capability, DHS, working with GSA, will award a separate contract for one or more vendors to provide dashboards to collect and present the data pulled from the CDM tools.
Streufert said the dashboard solicitation hasn’t been issued yet and still is under development.
“Our goal is to get a standard measure of protection across government within three years,” Streufert said. “We believe that notwithstanding the three-phased program, there may be a little bit of clean up in the following fiscal year from the previous phase in dealing with special situations like GSA and a number of small and micro agencies that have asked to wait until 2014.”
DHS issued the request for quotes in December. Industry has closely followed the contract, as it’s the main path agencies are heading with cybersecurity.
“If we can get industry, policy and operations people using a common set of technical tools which have national and industry standards embedded into them, we can not only go into the prioritization of dealing with the worst problems, but also measure results we are getting from substantial investments,” said Streufert.
GSA’s Federal Acquisition Service will run the contract, charging a 2 percent fee for usage. GSA has set up a website portal with an ordering guide and other facts about the continuous monitoring contract.
The contract also is open to federal, state, local and tribal governments.
“The CDM Program will provide specialized information technology tools and CMaaS to combat cyber threats in the civilian dot gov networks,” GSA stated on its website. “The CDM approach moves away from historical compliance reporting and toward combating threats to the nation’s networks on a real time basis. The tools and services delivered through the CDM Program will provide DHS, other federal departments and agencies, and state, local, regional and tribal governments with the ability to enhance and automate their existing continuous network monitoring capabilities; correlate and analyze critical security-related information; and enhance risk-based decision making at the agency and federal enterprise level. Information obtained from the automated monitoring tools will allow for the correlation and analysis of security-related information across the federal enterprise.”
Successful vendors praised DHS and the contract for changing the federal focus on cybersecurity.
“As the attack scenarios against government networks increase-both in quantity and quality-point in time system compliance reviews can no longer be a best practice,” said Matt Brown, vice president for homeland security and cyber solutions at KCG in an email statement. “The DHS CDM contract provides agencies across all levels of government a framework for implementing a comprehensive continuous monitoring program. It is really a game changer in the overall cyber landscape and presents a significant opportunity for agencies to address their security challenges.”
Kenneth Kartsen, vice president and head of federal business at McAfee, said in an email statement that the CDM program is huge step for the government.
“The necessary but limited and largely manual check-the-box approach of FISMA (Federal Information Security Management Act) was like looking through a rear-view mirror. By contrast, the CDM program illustrates the real progress DHS and the government are making in cybersecurity,” he said.
The implementation of CDM will happen over three phases.
Streufert said the first phase is focused on software and hardware asset management, website and email whitelisting, vulnerability management and compliance setting management.
Phase two address privileges and accounts to deal with roles and responsibilities. Phase three includes events and responding to cyber incidents.
“This is mapped out in a document which has been approved by the CIO Council and because that will project the commercial activity that will be occurring during 2014 and 2015 without too much delay here,” Streufert said.
Under phase one, Streufert said the technologies and tools should be in place about six months after the dashboard contract is available for agency use.
“That is the experience USAID beginning in 2003 and Department of State in 2008, and the Veterans Affairs and Justice Department experienced,” he said.
The awards come out just over a year after DHS issued the continuous monitoring policy, detailing requirements on what this approach looks like and giving agencies and vendors a clearer idea of how they will be expected to implement it.
Agencies slowly have been implementing continuous monitoring. The Office of Management and Budget reemphasized the need for this approach in its fiscal 2013 guidance for the Federal Information Security Management Act.