Patrick Howard is Program Manager for CDM & CMaaS at Kratos SecureInfo, and is former Chief Information Security Officer at the Nuclear Regulatory Commission and the Department of Housing and Urban Development.
We’ll be looking at ways agencies can get the most out of the Continuous Diagnostics & Mitigation (CDM) program and the resources the Homeland Security Department is making available. Today we review the information agencies should be prepared to share in technical libraries/reading rooms with the pending release of the Task Order 2 request for quotes (RFQ).
Just to clarify, Phase 1 of the CDM program is focused on endpoint integrity by ensuring federal agencies have the baseline ability to inventory their hardware and software assets, configure those products, and scan for vulnerabilities. Task Order 2 will procure products and services for agencies to leverage and build on their existing CDM capabilities, filling in the gaps of what may be missing. However, since there’s no one-size-fits-all approach for getting all .gov departments and agencies on equal footing, DHS has bundled agencies into six separate buying groups based on the similarity of their architectures, size, CDM readiness, program maturity and cybersecurity needs.
GSA plans to issue an RFQ for each buying group over the next nine to twelve months. However, agencies can do several things before that to ensure the optimal solutions for their needs are procured as quickly and effectively as possible. Just as a physician needs access to a patient’s medical history before prescribing immunizations, the CDM vendors will require up-to-date knowledge of an agency’s capabilities and IT environment before prescribing an effective CDM treatment.
DHS made itself the first test case for Task Order 2 by issuing an RFQ on July 8th. The primary lesson learned from that exercise, according to John Streufert, DHS director of federal network resilience, was the need for more complete and consistent information in the technical libraries or reading rooms.
Based on that feedback, this topic is both timely and relevant. It’s imperative for agencies to provide detailed, accurate, and current information in their reading room for the five areas below:
An up-to-date software inventory with version numbers and license expiration dates for both CDM and non-CDM products. (Agencies can reach out to their support vendors to get much of this information.)
Current CDM product upgrade/deployment plans and key dates and milestones for completion
Accurate counts of endpoints, servers and network devices by platform and location
The number of internal and external users
Identification of IT integrator partners supporting deployment, operations and maintenance and determination of how they support CDM activities
Like any bid process, the vendor teams require a clear understanding of each agency’s current infrastructure and plans for its operating environment – namely its existing capabilities and the composition of its networks, servers and endpoint devices. Higher quality information would have reduced the need for the hundreds of follow-up questions posed by the CDM vendors.
It’s also worth noting that Task Order 2 isn’t just a product offering. It can be used to obtain labor to optimize existing tools for CDM. This can include services such as CDM planning, program management, engineering and architecture, training and governance. For example, your agency may already own a configuration management tool, but need help to upgrade and configure that tool for CDM needs.
Considering that one vendor will receive the award for each buying group, each agency needs to ensure its own particular needs are met by the winning vendor, and aren’t subordinate to those of the other agencies in its group. Your agency will be more apt to get what it needs by clearly defining and delineating its requirements.
The quality of the reading room information also matters for timing. Government IT leaders have generally expressed optimism about the CDM Program and would like to see it rolled out more quickly. With 17 vendor teams competing under the CDM blanket purchase agreement, the more accurate and detailed the information they’re bidding from, the quicker and more efficiently DHS can evaluate and make an award. Without that information, more assumptions will have to be made, leading to more cycles for clarification, extending the schedule, and causing costly change orders following contract award.
Every large department or agency is composed of numerous offices, divisions and geographic locations, so agencies would be well served by planning now to collect the necessary detailed, accurate and consistent information across the organization – before their group’s RFQ is issued. The benefit of an efficient, successful CDM Task Order process is that your agency gets what it needs as quickly as possible.