TSA, most recently, issued a request for quote under the CDM blanket purchase agreement.
“The Information Assurance and Cyber Security Division (IAD) requires (IT) tools and services to support the performance goal of integrating IT infrastructure and data to provide senior management greater insight into high risk areas while prioritizing investment in areas in which senior management and other stakeholders have the most interest,” stated the RFQ, which Federal News Radio obtained. “Integration of IT infrastructure and data allows for pinpointing areas of concern that helps TSA assess and mitigate risk, and will result in the improvement of the overall protection of TSA IT infrastructure assets and applications.”
TSA wants a contractor to install, configure and maintain a continuous monitoring and risk management tool to collect data from a variety of disparate sensors and provide a centralized risk report to senior officials.
“A tool that gives TSA the ability to provide accurate and automated risk reports to DHS, a centralized CMRM dashboard, and a centralized electronic document routing and approval process for workflow management,” the RFQ stated.
The TSA RFQ comes as HHS is reviewing comments from vendors on its request for information issued in March. Comments on the RFI were due March 26.
Now we know that a RFI is far from an active procurement, but it does signal that HHS is starting to look at its options.
The HHS RFI asks vendors for input on an “Enterprise Governance, Risk and Compliance (eGRC) tool to support HHS in managing security policies, controls, risks, assessments and weaknesses through a single platform. The goal is to develop a single repository to document and store security information, allowing HHS to review and assess the security stance of systems. This approach facilitates real-time approval, monitoring, and reporting for all HHS systems. An automated GRC tool would allow system owners, information system security officers (ISSOs), privacy officers and security analysts to easily identify system weaknesses and issue resolutions with improved efficiencies.”
An industry source, who requested anonymity in order to talk about the active procurements, said there are signs in the RFI that HHS may be considering going its own way.
The source said the term continuous monitoring is defined and used 11 times in HHS’ RFI, while CDM is not defined and only used once.
“Its existence and these points cast a light of independent selection,” the source said. “The DHS CDM program conceived a consensus cyber risk management path, as the Office of the Director for National Intelligence and the Defense Information Systems Agency are trying for intelligence community and for the Defense Department agencies. It’s unclear if DHS executed far and fast enough internally for large civilian agencies to follow suit. Of the 33 civilian agencies, it is likely smaller ones will adopt a DHS template, while medium to large agencies will run their own course.”
That question of how quickly DHS has rolled out the CDM tools and services continues to come up.
Sources say House and Senate oversight committees are growing concerned about the time it’s taking to get CDM tools and services to the agencies as the cyber threat grows.
Much of the issue around speed is not DHS’ fault. DHS continues to say the program is on schedule, but at least two RFQ protests have caused some delays in getting contracts awarded and agencies started down the implementation paths.
Additionally, the program is complicated causing vendors to ask more questions to DHS about the groupings of agencies, and some vendors have said the “reading room” concept is making the bidding process longer than expected.
While vendors will put up with the extra time, the question now is whether agencies will.