The Department of Homeland Security recently awarded the first phase of the Continuous Diagnostics and Mitigation (CDM) Blanket Purchase Agreement contract. The award went to 17 system integrators and about 19 product vendors, providing products and services that cover mostly the first four of the Critical Security Controls:
- Inventory of Authorized and Unauthorized Devices
- Inventory of Authorized and Unauthorized Software
- Secure Configurations for Hardware and Software
- Continuous Vulnerability Assessment and Remediation
The good news for government agencies is that the funding covers procurement and deployment of many of the most popular products across those areas, along with a few related products. This can be a very powerful vehicle for government agencies to upgrade their capabilities in network discovery, vulnerability assessment and patch management - badly needed upgrades.
However, many government agencies have learned over the years that these kinds of omnibus/BPA/IDIQ contracts often cause more problems than they solve. To help government security managers learn how to take advantage of the CDM contract and avoid the pitfalls, SANS has put together a webinar to be held on Tuesday 10 September at 1000 ET that will include me, Mark Kneidinger from DHS and Tony Sager of SANS - link here.
The CDM program came directly from the increases in security seen by early adopters of the Critical Security Controls, and I think government security managers can make great security gains if they use this vehicle carefully and effectively. SANS will also be holding a one-day workshop, free for government attendees, in the Washington DC area, likely in early November.
Full information on the contract can be found here and I've included some of the DHS CDM FAQ below.
Q. How will CDM be implemented?
A. By agreement of the Joint Continuous Monitoring Working Group (JCMWG) and Information Security Identity Management Committee (ISIMC) of the Chief Information Officers Council, the first phase of CDM will focus on four cyber risk conditions:
- Hardware-asset management: Discovering unauthorized or unmanaged hardware on D/A networks;
- Software-asset management: Looking for unauthorized or unmanaged applications (including malware) on the D/A networks;
- Vulnerability management: Discovering missing or inadequate patching in the network and systems; and
- Configuration management: Ensuring that baseline configuration settings are in effect and accurately reported.
In all these cases the information is reported by those with action to either mitigate the risk condition and/or accept some risk. A second and third phase of risk condition sensors are under evaluation by the JCMWG and ISIMC for implementation in Fiscal Year (FY) 2014 and FY2015 respectively.
The CDM Program can be implemented through three different approaches:
- Self-provision — where D/As operate previously purchased sensors and connect them to the CDM dashboard.
- Vendor-provision — where D/As can choose an eligible vendor under a CMaaS task order competition to deploy and integrate CDM sensors.
- Cloud service — D/As choose a cloud service, which is a complete, outsourced turn-key approach where vendors could provide all aspects of the cyber services, but with the option of purchasing CDM sensors off the CMaaS contract.
Q. Who will use CDM?
A. The initial phase of the CDM Program will be implemented for more than 140 Federal civilian Executive Branch D/As covering about 2.2 million Federal and contractor personnel. CDM contracts will be made available for use by the Department of Defense, the Intelligence Community, and the Defense Industrial Base for purchases.
Additionally, in its comprehensive cyber-defense role, DHS will make CDM tools and CMaaS available for use by State, local, tribal, and territorial (SLTT) governments. SLTT entities will also be able to make their own purchases of services and tools under the CDM Program and benefit from the same consistency, pricing, and speed of procurement starting at the same time as will be available to Federal entities under this acquisition.
Q. How much does CDM cost?
A. The Fiscal Year 2013 continuing resolution included a budget anomaly for DHS appropriating funding for the CDM Program for civilian dot gov networks. Even with the sequestration-mandated budget cuts, Congress provided $185 million in seed money for the program. The seed money will be used to buy sensors and dashboards, services to operate the sensors and dashboards in D/As, and training for D/A staff to use the dashboards to reduce risk efficiently.
The pending CDM contract - referred to as a Blanket Purchase Agreement (BPA) - will be for a one-year base period and four one-year options from date of award, for a total of five years. The BPA is estimated at $6 billion over the five-year period. The first awards under the BPA are expected in summer 2013.