John Streufert, Director of Federal Network Resilience at DHS, said some agencies are further along than others in adopting CDM. (Mike Morones/Staff)
The Department of Homeland Security, aided by the General Services Administration’s Federal Systems Integration and Management Center, has released the first request for quotation for Task Order 2 of its $6 billion Continuous Diagnosis and Mitigation initiative.
Congress established the CDM program to commission and allocate risk-based, cost-effective cybersecurity resources across the dot-gov space, with the first phase introducing network monitoring and endpoint-protection products that feed continuous diagnostics and vulnerability information into an enterprise-level dashboard. The goal is to reduce vulnerabilities and paperwork. The next phase will provide tools, sensors and integration services for federal departments and agencies with signed Memoranda of Agreements, according to Herb Josey, acting deputy director of external affairs at DHS’ Office of Cybersecurity and Communications.
The first RFQ, earmarked for DHS-wide acquisitions, was released to 17 blanket purchase agreement holders on July 8. Following the DHS deployment, the remaining five orders, covering more than 40 additional departments and agencies, will be released within 12 months. Those five orders consist of the following agencies:
■ The Departments of Energy, Interior, Transportation, Agriculture and Veterans Affairs; the Executive Office of the President; and the Office of Personnel Management.
■ The Departments of Commerce, Justice, Labor and State; and the U.S. Agency for International Development.
■ The Departments of Treasury and Health and Human Services; the General Services Administration; NASA; the Social Security Administration; and the U.S. Postal Service.
■ The Departments of Education and Housing and Urban Development; the Broadcasting Board of Governors; Court Services and Offender Supervision Agency; Equal Employment Opportunity Commission; Federal Election Commission; Federal Energy Regulatory Commission; Federal Housing Finance Agency; Millennium Challenge Corporation; National Archives and Records Administration; Nuclear Regulatory Commission; National Science Foundation; Office of Government Ethics; and Small Business Administration.
■ Consumer Financial Protection Bureau; Consumer Product Safety Commission; Defense Nuclear Facilities Safety Board; Environmental Protection Agency; Federal Trade Commission; International Boundary and Water Commission; National Capital Planning Commission; National Labor Relations Board; National Transportation Safety Board; Occupational Safety and Health Review Commission; Pension Benefit Guaranty Corporation; Peace Corps; Recovery Accountability and Transparency Board; Selective Service System; Tennessee Valley Authority; U.S. Access Board; and African Development Foundation.
John Streufert, director of the Federal Network Resilience Division at DHS, said at an event last month that the order of the agencies included in the coming five task orders reflects variations in how far along agencies are in rolling out CDM capabilities.
“Some of the departments and agencies have a several-year history of continuous monitoring in place. They’re looking for some labor to help them and round out their base to common equivalent footing for vulnerability management configuration setting compliance, hardware asset management and software asset management. Some of them have nothing on the other extreme, and some of them have a patchwork quilt,” Streufert told an audience at a June 11 cybersecurity event sponsored by Federal Times and C4ISR&Networks.