Confusion rises over the CDM dashboard

Clarification: An earlier version of this notebook item says RSA won the dashboard contract, but they are just one of several finalists to provide the technology to DHS.

There seems to be some confusion over whether or not the Homeland Security Department has chosen a dashboard for its Continuous Diagnostics and Mitigation cybersecurity program.

A government source with knowledge of the CDM program said that, despite RSA promoting its Archer GRC software as the dashboard, no decision has been made. The source, who requested anonymity since this is an active procurement, said RSA’s product was one of several that met the requirements DHS laid out and that the Metrica Joint Venture team reviewed in its analysis of alternatives. But the source said Metrica hasn’t made a source selection yet.

The source said the analysis of alternatives is a technical document and the results shouldn’t have been made public.

The confusion stems from a Sept. 3 blog post by Rear Adm. Mike Brown (Ret.), vice president and general manager of RSA Global Public Sector, in which he wrote that DHS selected RSA’s Archer product to be the dashboard for the CDM program. DHS officials also commented publicly that RSA had won the dashboard competition.

“We reacted to official public statements and documentation we received indicating that the RSA Archer GRC solution was, in fact, selected for the CDM Dashboard,” an RSA spokesperson said. “RSA will of course defer to DHS to finalize their selection processes.”

The government source said Metrica now will run a procurement to choose a dashboard for the CDM program. The source said the dashboard buy will not be a government procurement, but because Metrica is conducting the acquisition on behalf of the government, they still must follow the Federal Acquisition Regulations, and the General Services Administration will oversee the process.

The source declined to name the other vendors that Metrica determined met DHS’ requirements for the dashboard. One industry source says as many as four vendors are finalists.

DHS, with GSA acting as its procurement arm, initially hired the Metrica Joint Venture team in March under a $47.3 million contract to provide design and development services and software/hardware for a series of dashboard releases, or instances. Metrica Joint Venture provided DHS with an alternative analysis to see which software would work best. In the end, DHS chose RSA out of four finalists, sources say.

The goal is to ensure the initial operating capability of the dashboard is demonstrating immediate value. GSA has said IOC includes automating Federal Information Security Management Act (FISMA) compliance reporting through the current reporting tool, CyberScope.

DHS is expected to make other awards under the umbrella moniker of Task Order 2 of the CDM contract over the next nine months. Earlier this summer, GSA/DHS released a task order for CDM products and services for the set of agencies first out of the gate in the program.

The Office of Management and Budget set a 2017 deadline for agencies to move to this dynamic approach to cybersecurity.

This post is part of Jason Miller’s Inside the Reporter’s Notebook feature.