CDM's next phase starts in 30 days

EDITOR's NOTE: This story originally appeared on FCW.com

The General Services Administration will move the continuous diagnostics and mitigation acquisition vehicle into its second phase within the next month by issuing modifications to the blanket purchase agreement, a GSA official said June 2. The CDM vehicle, which has a $6 billion ceiling, is one of the prime federal tools for defending civilian networks that are under siege daily from hackers.

Whereas Phase I of CDM is giving agencies tools to detect what devices are on their networks, Phase 2 will focus on better identifying who is on those networks. Thus, security products for identity management and network boundary protection will be in the offing from vendors during Phase 2. The third phase, to come at an undetermined date, will delve further into boundary protection and tackle incident response.

“Each of the phases is an add-on to what was previously there,” Jim Piché, group manager at GSA’s Federal Systems Integration and Management Center, said at the Federal IT Acquisition Summit in Washington, D.C. “So the product catalog is continuing to grow.”

Earlier this year, Knowledge Consulting Group won the first award under Phase I, task order 2 of the program. Piché said he expects task orders 2C through 2E, representing about $100 million in contracting awards, to be awarded within the next 90 days.

The CDM vehicle, which is also open to state and local governments, has sought to install a baseline level of cybersecurity across government in an era of rapidly evolving threats. The program will “enable a sea change in governance,” in that agencies will respond to what dashboard sensors are actually telling them rather than the false assurance of security compliance, Homeland Security Department Chief Information Security Officer Jeffrey Eisensmith predicted at the FCW-sponsored summit.

Officials describe Phase I as foundational to cleaning up agencies’ cybersecurity posture. “If [a device] talks to an IP address, we want to know about it,” John Simms, CDM program at DHS, said of the goal of Phase I. Many agency officials are still “hard-pressed to tell you exactly” how many devices are on their networks, he added. 

But while the CDM program is credited with giving federal IT managers a clearer view of network vulnerabilities, it has not all been smooth sailing.

“One of the big pieces of feedback we’ve gotten from contracting officers is that they’re struggling with the volume of products that are available, they’re struggling with the tiered pricing,” Piché said. So GSA is trying to make the BPA catalog available to contracting officers in the form of a searchable database, he said. But as of now, these contract officers have to make to do with a collection of spreadsheets on the program.