wfedstaff | June 4, 2015 7:39 pm
The continuous diagnostics and mitigation program is spreading its wings across seven more agencies. The second contract award under task order two begins the process to implement advanced cybersecurity capabilities across several large agencies.
The General Services Administration, which acts as the procurement arm for the Homeland Security Department, awarded a $39.3 million contract to Booz Allen Hamilton Tuesday to implement cybersecurity tools and services. Booz Allen will implement cyber products from ForeScout and Big Fix under the CDM program.
Mark Kneidinger, a senior adviser in the Federal Network Resilience Office at DHS, said the task order will support seven agencies in Group B under the CDM program:
Kneidinger said the schedule for the rest of the agencies under the CDM program is on track.
“Group C, D and E, we are looking for awards probably around the Quarter 4 of 2015 period. For Group F, the solicitation most likely [will come out] around Q3 of 2015,” Kneidinger said Wednesday during a panel discussion at the Symantec Government Symposium in Washington. “Group F is the small micro agencies and it has a little over 40 micro agencies involved. That’s going to be the first CDM shared service group. We are real excited about supporting the small micros through a secure shared service environment as part of that activity.”
He said DHS is just beginning to work on Phase 2, where it is bringing new tools into the mix.
In fact, the first open season under the “leap ahead program” just closed Monday. This is the first time the 17 blanket purchase agreement (BPA) vendors, who initially won a spot on the CDM contract, can add new subcontractors to their teams. DHS must approve those new vendors to ensure they meet the goals of the CDM program.
Dashboard feeding to begin
The award to Booz Allen is the second major task order deal under CDM for tools and services. GSA made the first award, a $29 million deal covering only DHS components, to the Knowledge Consulting Group in early March. HP Enterprise Services has submitted a protest to the Government Accountability Office. GAO has until June 17 to decide the protest.
Since GSA/DHS is awarding separate task orders under the CDM program, the protest by HP Enterprise Services will not impact the latest task order to Booz Allen. Six unsuccessful vendors bid on Group B, and they have 10 days to protest the award to GAO.
A second parallel effort in the CDM program is the implementation of agency and federalwide dashboards. Kneidinger said each group of agencies will implement the dashboards as they bring up the tools and services.
“As the awards are made for phase 1, the vendor or awardee will then also be working in regards to moving the dashboard into those agencies,” he said. “Where we are with the dashboard is at the department and agency level, we are looking at this juncture of Q3 of 2015 for the department/agency dashboard to be moved into the first set of agencies under the various awards and in the sequence of awards.”
He said in the first quarter of 2016, DHS and OMB will launch the federal dashboard. Vendors will connect the agency level dashboards to the federal dashboard to feed data and trends.
In December, DHS and GSA’s CDM dashboard contractor Metrica Team Venture chose RSA’s Archer tool for the agency dashboards.
Metrica currently is conducting an analysis of alternatives for the governmentwide dashboard that each of these agencywide tools will feed data to as part of the cyberstat and OMB oversight efforts.
Kneidinger said DHS also recently launched several communities of interest to bring together the small or micro agencies with similar missions and cyber needs. He said since DHS is providing them with continuous monitoring-as-a-service, bringing these agencies together will help make the transition smoother because they can discuss similar needs and challenges ahead of the requirements and contract award.
Kneidinger said DHS also is starting to figure out how best to market and offer up the cyber services under the blanket purchase agreement to state, local and tribal governments as well as the judiciary and legislative branches of government, and the Defense Department and Intelligence agencies.
Broader discussions about cyber
While the award to Booz Allen marks important progress against a contract, the broader impact of CDM is starting to become clearer.
Experts say once these tools are in place for the seven large agencies, it will both prove out the concept and, more importantly, start moving the CDM program to a new realm.
Grant Schneider, a senior adviser for cybersecurity and CDM oversight lead at OMB, said the dashboards are important because they will not only collect data at the agency level, but give DHS a deeper view they’ve never had before, and make it easier for agencies and OMB to report on cyber metrics.
“We have an effort right now, sort of combined with FISMA 2014 that was signed into law in December — thank you Congress, we very much appreciate that — one of the things we know we will be able to do out of this is collect data in a way that is repeatable, that is automated, so we are taking a holistic look at what are our fiscal 2016 collection requirements going to be, what are our metrics that we are collecting,” he said. “We actually are engaging the chief information security officer’s community through the CIO Council to say, ‘There are some things we need to know in order to do oversight; however, we probably need to know the same data you need to know to actually run your organizations on a daily basis, so let’s collude a little bit on what the measures and metrics are going to be to the maximum extent possible.’ Let’s get them automated through CDM so that we are doing things that are actually helping us do things from an outcome standpoint as opposed to helping us from a compliance only standpoint.”
Schneider added this idea of simplifying the collection and submission of data is even more meaningful given that April 15 was the day agencies had to submit their quarterly Federal Information Security Management Act (FISMA) metrics update to the DHS Cyberscope tool.
Kneidinger said DHS plans to hold training sessions for agencies so they can know how best to leverage the expanded sensor base and dashboard and also how best to use the information both at the CISO level and for mission owners.
He said training mission owners on how to understand the CDM data may be even more critical than training CISOs.
“Having some tangible evidence as to here are the areas we are now aware that we need to be more diligent in regard to cybersecurity. Bringing that conversation up to CIOs, CISOs and to the mission owners, some of that we will be encouraging because everybody owns a responsibility for this,” Kneidinger said. “As we are looking at the CDM to be able to provide that expanded base and we are looking at the dashboard to provide that further decision making process needs to also engage the CIO and mission owners. How do you do that from a governance aspect is something we also will be working with agencies to do. Part of the effort that we are putting in place for that is on a regular basis we bring all the agencies together not only to give updates in regards to where CDM is, but how CDM can be best applied and what does that mean in relationship to internally within your agency.”
Schneider added CDM will help agencies have a more mature risk discussion. He said the data will help deputy secretaries, mission owners and others understand in clear terms where the risks are and what it means for the agency.
“Historically, we’ve done cybersecurity from the secretary in charge, here’s a whole bunch of policies, go make it work, let us know how you’re doing, we’ll ask you questions and come back next year,” he said. “This is far more of a hands-on creature of cybersecurity. I think we also are going to learn from the process and the mechanism we put in place to deliver CDM, which is a little different than what we’ve done in the past. So, I think there’s a lot of intrinsic value we are going to get in addition to the real practical value we are going to get as we roll out the task orders and bring more and more agencies online.”
Schneider said agencies need to keep in mind that CDM is just one of many tools and they shouldn’t get lost in both the potential and limitations of the tools.