What we know and don't know about the $6B CDM contract

Seventeen companies won spots on DHS's $6 billion cybersecurity contract, and many think the contract will change how the government buys cybersecurity products and services; however, there are still some significant unknowns, and DHS's relative silence on the program isn't helping anything.

I don’t usually start with a rant, but the Homeland Security Department has done a poor job in getting the word out about a $6 billion contract that they claim will be a game changer for how agencies buy cybersecurity products and services.

The 17 winners of the DHS Continuous Diagnostics and Mitigation contract apparently were notified late Monday afternoon. Jason Miller at FederalNewsRadio broke that news.

As I and other reporters chased the story on Tuesday, companies on the list were actively reaching out with interview offers and statements about what a great win this is.

But DHS was about 12 hours behind the rest of the world in putting out any news on the awards, and it still has not published an official list of winners.

Technically, the contracts are blanket purchase agreements issued for DHS by the General Services Administration, but calls to GSA were redirected to DHS. And then, when I spoke to the DHS spokesman, he wanted to know who gave me his number.

Dude, it’s your job.

I'm frustrated because this contract is important, and is a real opportunity for the government to change how it buys the products and services it needs to secure its networks.

Here’s what it can do:

  • Lowers costs by giving agencies a vehicle that makes it easier to take an enterprise view of network security.
  • Promotes consolidation and standardization of network security tools.
  • Allows for a more risk-based approach to cybersecurity.
  • Provides near real-time monitoring of networks, which allows better decision making and a more proactive approach to cybersecurity.

Here are some more specifics:

The contract can be used to buy sensors for hardware asset management, software asset management and application whitelisting. It can also be used for vulnerability management and configuration settings management, and the data those tools collect about security flaws and risks feeds dashboards that are automated and continuously updated.

The contract is big on dashboards because they collect and synthesize information for better decision making. The information feeding these dashboards will be near real-time, which will make it easier for network operators to prioritize and mitigate risk.

The contract is open to all federal civilian agencies, tribal governments and state and local governments.

For the 17 winners, the contract should be a terrific sales vehicle for selling their products, services and a variety of solutions.

But the emphasis in that sentence is definitely on the word “should.” On paper it all looks great, and there is definitely a need for the CDM contract. Here is the big "what we don’t know": yes, it is a great vehicle, but will agencies use it? And if they do, will they take advantage of some of its more compelling features, such as buying these tools as a cloud-based service?

What I’ve always been told about cybersecurity is that agencies don’t buy it as a standalone feature; it is part of a broader implementation. So, how does CDM fit traditional buying patterns?

Does anyone remember the iAssure contract let by the Defense Information Systems Agency? It had a $1.5 billion ceiling, and was won by 11 companies in 2000. It never lived up to expectations, and was allowed to quietly expire. Other contracts filled the need.

Will the same happen to CDM? Probably not, but the potential is there. A vehicle like this needs marketing and promotion, and not just by the winning contractors; DHS should have been out there front and center with these awards. It's a missed opportunity to show its leadership.