The Homeland Security Department wants to make sure the continuous diagnostics and mitigation program (CDM) remains on the cutting edge. Even though CDM is just more than a year old, DHS already is reviewing new cyber technologies to include in the contract. John Streufert, the director of Federal Network Resilience at National Protection and Programs Directorate in DHS, said through the Leap Ahead program as many as 18 new technologies could be added to CDM in the coming months.
“I think one of the historical concerns about federal acquisition is that it takes so long that sometimes by the end of the competition, an older technology is being delivered up. We can’t solve all the problems with federal acquisition in a program of our size, but we can make sure the latest technology is evaluated, reflected in our formal statements of work to industry and ultimately reflected in the products and services on the General Services Administration Schedules of the continuous monitoring-as-a-service providers,” Streufert said in an interview with Federal News Radio after his presentation at the Information Security and Privacy Advisory Board meeting Wednesday in Washington. “We understand that it’s a sequence of activity of finding those trends, but ultimately if those products are not on the GSA schedules of our CMaaS teams, they are not available to our customers. We are trying to, by way of introduction and making sure our statements of work do not preclude the use of the latest technology, the combination of activity will ideally bring the highest value for the lowest cost to get the CDM program where it needs to be.”
DHS is reviewing these technologies in a systematic way to see what technologies or tools could further advance the CDM goals. Streufert said DHS will introduce the vendors with the best qualified Leap Ahead technologies to the 17 prime contractors under the $6 billion CDM contract. Streufert said DHS has been looking at a number of technologies to accomplish cybersecurity in a shared cloud environment. He said the technologies to protect data at rest and data in motion are key to that shared services environment.
“Some of the products we’ve found can increase the protection of sensitive data including those that could be stored in commercial environments,” he said. “Our dialogue with industry continues. It becomes clear that many of our fine integrators and vendors know these technologies and are quite anxious to bid them to the government requirements so a very fruitful process is in the works here.”
Streufert said DHS also is looking at new versions of the tools and technologies already on the CDM contract that could help agencies improve cybersecurity.
Agency chief information officers and deputy CIOs have high hopes for CDM, but realize it’s another tool in the toolbox, according to a new Federal News Radio survey of federal technology managers. The survey found that 58 percent of the respondents say CDM is just another tool in the toolbox, but 80 percent say it will improve their agency’s cybersecurity. Over the next year, DHS and CIOs will get to see just how true that is. Streufert said 98 percent of all civilian agencies signed a memorandum of agreement with DHS to implement CDM, including all 23 CFO Act agencies out of 58 total agencies. Additionally, 16 more micro or small agencies are set to sign MOAs in light of the Office of Management and Budget’s recent memo giving DHS the authority to regularly scan certain agency networks. Under CDM, agencies are buying specific products to enhance their continuous monitoring efforts, or to begin their implementation. DHS and GSA, which acts as the procurement arm for CDM, awarded the first $64 million task order in January.
Streufert said already the government is paying 30 percent less for the same tools than it would have paid on the GSA schedule for a savings of about $26 million. He said that is enough savings to pay for the salaries of the CDM program office staff for five more years. Now DHS is working on task order 2, which is for both products and services, including planning, program management, training and engineering and architecture. Homeland Security will implement the tools and services under task order 2 first, and then the departments of Agriculture, Energy, Interior, Transportation, and Veterans Affairs, and the Executive Office of the President and the Office of Personnel Management will follow. Streufert said those seven agencies will cover about 47 percent of the civilian government.
New RFP in the works
Additionally, DHS and GSA are working on a new request for proposals for phase two of the program to manage user privileges, identity access control and management and similar topics. Streufert said DHS reviewed the responses from April’s request for information and will circulate a draft statement of work among agencies to receive comments before issuing the final RFP in 2015. A third area of CDM in progress is the award of the contract for the CDM dashboard. DHS and GSA have not awarded a contract yet, but are working with the vendor that eventually will run the tool to make an award in the coming months. Streufert said he expects DHS to reach the initial operating capability of the dashboard in early calendar year 2015. With all of this activity, Streufert reiterated that the CDM program is maintaining its schedule. “We plan to implement the program that we discussed with industry,” he said. “I wish the entire process would move faster, but the federal procurement mechanism is one that gives everyone an equal chance to compete that has won the contract and we have to go through those steps deliberately. The good news is that we are on track.”
Industry and other sources say DHS has taken a “strategic pause” to incorporate lessons learned. But Streufert said they have not deviated from their original schedule and there are no delays. Whether or not there are schedule delays, Streufert said phase one of CDM will cover almost the entire government over the next year, and state and local governments are beginning to consider the contract. He said the small and micro agencies even are asking DHS about whether CDM could be offered as a shared service.
“The initial group of small and micro agencies are interested in piloting the concept of shared services. Those conversations are just beginning,” Streufert said. “I would expect this conversation on CDM delivered up in a shared service environment to follow all the previous CDM activities, where there will be an initial definition of requirements, feedback with those who might benefit from the service and then formal interaction with industry that we partner with to get some of our specific conclusions. This is the beginning of what will be a longer conversation, but from the perspective of me and those in the CDM program, one that is very beneficial and very appropriate to the changing directions of technology.”
Thinking ahead to 2017
Another program that is just in the concept stages is the Critical System Resilience effort. Streufert said this is an idea that could come in the fiscal 2017 budget request or later. “Our goals and objectives here are rather than a centrally funded program to protect the custom software and sensitive data of government, we would instead create a mechanism by which we would organize the security protections, which are already underway in the 23 CFO Act agencies,” he said. “What we think will be most cost effective is to take the methods and approaches we are using in the CDM program and ultimately create a portal or a place where custom software developers and those that are running websites can come to get cost effective security technologies that could boost their results on our current dashboard and access to specialized labor so that the end objective of protecting sensitive information can be facilitated.”
Streufert said that with more than 6,000 moderate and 1,200 high systems as classified under the Federal Information Security Management Act (FISMA), each program manager currently maintains security for his or her own systems. But keeping pace with current techniques and acquiring new tools at a cost-effective rate isn’t something the government can do easily today. “Critical System Resilience stands between the needs of the many custom software developers and those that develop systems to hold the sensitive data of government and gives them a helping hand to help them protect their areas of responsibilities,” he said.