One of the main points that made the Department of Homeland Security's Continuous Diagnostics and Mitigation program different from other cybersecurity initiatives was the creation of a blanket purchase agreement to enable agencies to buy security tools off a single vehicle. That is likely to change slightly in the next few months, with at least one group of agencies getting their products off a General Services Administration GWAC instead.

The last of the six groups on CDM, Group F — a catch-all for many small and micro-agencies — has been an outlier in the program in many respects. Rather than getting individual security solutions, the group will be treated as a shared services environment; rather than moving through the three phases one at a time, Phase I and II are being combined; and while awards are being announced on a rolling basis for the other five groups, Group F has yet to issue a solicitation on task order two.

Due in part to those very factors, the products and services for Group F will likely be bought off of GSA's Alliant vehicle instead of the CDM BPA, according to Chris Hamm, director of GSA's FEDSIM, who was speaking at an event hosted by FCW on Aug. 19.

"There are lots of pros and cons on both sides," Hamm said of choosing the right vehicle. "One is: we've built this BPA, we should use it. But a lot of the purchasing side of building this thing, the requirements we need … you probably need a lot of cross-contracting."

Since Group F will be developed as a shared service, it will be considered an as-a-service offering, which means contracting officials will have to start out with high-level requirements and drill down to specifics further down the road. The BPA structure doesn't allow for that but the Alliant GWAC does, Hamm explained.

"You want to have the pay-by-the-drink style model … Right now it doesn't exist [on the BPA], so I can't buy it," he said. Using Alliant, "I can buy things — services and parts — and put them together to make something, then post-award make decisions on how it gets put together."

The use of a GWAC for Group F will be a special case, Hamm said, and shouldn't signal a sea change away from the BPA.

"Because the BPA is governmentwide and the majority of the acquisition activity is going to continue to be on the BPA, I think that there's still utility to adding new products to the BPA," Hamm told vendors in the audience. "This is really about the unique requirements that are on [Group] F and how we're going to deliver something. But I don't see future activity moving outside of that."

Hamm said a formal decision has yet to be made but that DHS and FEDSIM officials are strongly leaning toward using the GWAC instead of the BPA. He said the solicitation is being written up now with that route in mind.

That solicitation is expected to be issued in the first quarter of fiscal 2016.

Aaron Boyd is an award-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.
