The 17 vendors under the $6 billion continuous diagnostics and mitigation program are anxiously waiting for the first of six task orders under phase two of the program.
The General Services Administration and the Homeland Security Department are putting the final touches on the next set of contracts that will truly kickstart the federal move toward dynamic cybersecurity protections of agency networks and computers.
“The future phases allow for the expansion of the CDM capability, but really the focus of phase one — in addition to providing CDM of the hardware, software, configurations and vulnerabilities of the network — is the interconnections to the cyber dashboard,” said Jim Piche, a group manager at GSA’s FEDSIM office, which oversees the management and administration of the CDM contract, at a recent conference. “That dashboard is going to aggregate the CDM data that’s collected at the agencies and allow them to prioritize and focus their remediation and mitigation activities. That is an important piece of phase one. That’s going to be a requirement of all phase one offerors to propose or present how they are going to integrate, aggregate data and make it visible and actionable on the CDM dashboard.”
DHS and GSA awarded a separate contract outside of the CDM program in March worth $47.3 million to Metrica Team Venture, a team of five companies under the Alliant small business contract, for a federalwide cyber dashboard.
Piche said Metrica Team Venture is developing an analysis of alternatives and initial operating capability using the technical specifications from DHS and GSA.
He said the goal is to ensure the initial operating capability of the dashboard is demonstrating immediate value. GSA has said IOC includes automating Federal Information Security Management Act (FISMA) compliance reporting through the current reporting tool, CyberScope.
The two agencies awarded the first task order under the CDM program in January, worth about $60 million, for cybersecurity tools. These products were mainly focused on getting agencies’ continuous monitoring programs up to a baseline level.
DHS first out of the gate
The upcoming award of six contracts under the umbrella moniker of Task Order 2 over the next nine months or so will accelerate the program’s forward motion.
“Phase one is really focused on the end point integrity, so putting sensors out there to focus on the software, to focus on the hardware and to focus on the configurations of those products in the network to identify what their vulnerabilities are,” Piche said. “So Task Order 2 is deploying that initial baseline capability to all of these agencies to raise the cyber awareness and critical protection of the dot-gov agencies.”
He said Task Order 2 includes both products and services, including planning, program management, training and engineering and architecture.
DHS and the Chief Information Officer’s Council created six groups of agencies based on similar architectures, mission and cybersecurity needs.
DHS and its component agencies are first out of the gate in Group A.
Industry sources say Group B likely will include the departments of Energy, Transportation, Interior, Agriculture and Veterans Affairs; the Executive Office of the President and the Office of Personnel Management.
One vendor under the CDM program, who requested anonymity in order to speak about the program, said industry expects GSA to release the first task order in mid to late July for DHS.
Then, GSA will release the task order for Group B in late August.
Finding the best fit
Piche, who would not comment on the specific order of task orders, said each of the requests for quotes would be open in “reading rooms” for at least two weeks for vendors to review and plan their responses.
“We believe that the blanket purchase agreement (BPA) holders will be choosing which groups to bid on based on a couple of different factors. One is where they have existing footprint, where they have existing relationships and where they have some initial understanding of the technology,” he said. “The other factor in that is BPA holders will bid where they think they will win. So, a BPA holder may not necessarily bid on one group of agencies where they don’t have a footprint, where they don’t understand the architecture or the technology already. But in order to facilitate competition, we need to make that data available so that BPA holders have the possibility to bid. They have all the information available so they can put together something competitive and meaningful to the agency.”
Piche said GSA and DHS hope to release the RFPs for all the groups in 2014 and 2015. Congress appropriated DHS more than $180 million to implement phase one of the program.
“We are only planning a single award for each group,” he said. “Every vendor or BPA holder will have an equal opportunity to bid on each of the groups. Since there is only one awardee for each group, we expect there may be multiple architectures that they are proposing. Even though we did our best to group agencies by like needs, similar architectures, similar install base, there may be situations where Agency A versus Agency B is completely different, so the offeror may have to come back with two different solutions. We are not expecting this to be a one-solution fits all.”
The vendor source said making only six awards will leave several vendors unhappy and open the program to potential bid protests.
Piche said there is a lot of interest in Task Order 2, and GSA and DHS held an industry day in April.
He said the final statement of work should be out later this summer and then will be available in the reading room.
The industry day presentation said the goal is to make awards for Groups A and B in the October and November timeframes.
Awards for the remaining four groups would happen sometime between April and June 2015.
Piche said GSA released a request for information in May asking CDM contract holders for a list of products and services that currently are listed under Schedule 70 that could be added to the BPA to meet phase two needs.
Phase Two includes products and services that will improve access control management, security-related behavior management, credentials and authentication management, privileges and network, physical and virtual boundary protection.
“The acquisition planning around task orders that are focused on phase two has not started yet,” he said. “We are just right now focused on getting the actual tools on the BPA to meet the phase two needs.”