CDM's next phase starts in 30 days
- By Sean Lyngaas
- Jun 02, 2015
EDITOR's NOTE: This story originally appeared on FCW.com
The General Services Administration will move the continuous diagnostics and mitigation acquisition vehicle into its second phase within the next month by issuing modifications to the blanket purchase agreement, a GSA official said June 2. The CDM vehicle, which has a $6 billion ceiling, is one of the prime federal tools for defending civilian networks that are under siege daily from hackers.
Whereas Phase I of CDM is giving agencies tools to detect what devices are on their networks, Phase 2 will focus on better identifying who is on those networks. Thus, security products for identity management and network boundary protection will be in the offing from vendors during Phase 2. The third phase, to come at an undetermined date, will delve further into boundary protection and tackle incident response.
“Each of the phases is an add-on to what was previously there,” Jim Piché, group manager at GSA’s Federal Systems Integration and Management Center, said at the Federal IT Acquisition Summit in Washington, D.C. “So the product catalog is continuing to grow.”
Earlier this year, Knowledge Consulting Group won the first award under Phase I, task order 2 of the program. Piché said he expects task orders 2C through 2E, representing about $100 million in contracting awards, to be awarded within the next 90 days.
The CDM vehicle, which is also open to state and local governments, has sought to install a baseline level of cybersecurity across government in an era of rapidly evolving threats. The program will “enable a sea change in governance,” in that agencies will respond to what dashboard sensors are actually telling them rather than the false assurance of security compliance, Homeland Security Department Chief Information Security Officer Jeffrey Eisensmith predicted at the FCW-sponsored summit.
Officials describe Phase I as foundational to cleaning up agencies’ cybersecurity posture. “If [a device] talks to an IP address, we want to know about it,” John Simms, CDM program at DHS, said of the goal of Phase I. Many agency officials are still “hard-pressed to tell you exactly” how many devices are on their networks, he added.
But while the CDM program is credited with giving federal IT managers a clearer view of network vulnerabilities, it has not all been smooth sailing.
“One of the big pieces of feedback we’ve gotten from contracting officers is that they’re struggling with the volume of products that are available, they’re struggling with the tiered pricing,” Piché said. So GSA is trying to make the BPA catalog available to contracting officers in the form of a searchable database, he said. But as of now, these contract officers have to make to do with a collection of spreadsheets on the program.
Sean Lyngaas is an FCW staff writer covering defense, cybersecurity and intelligence issues. Prior to joining FCW, he was a reporter and editor at Smart Grid Today, where he covered everything from cyber vulnerabilities in the U.S. electric grid to the national energy policies of Britain and Mexico. His reporting on a range of global issues has appeared in publications such as The Atlantic, The Economist, The Washington Diplomat and The Washington Post.
Lyngaas is an active member of the National Press Club, where he served as chairman of the Young Members Committee. He earned his M.A. in international affairs from The Fletcher School of Law and Diplomacy at Tufts University, and his B.A. in public policy from Duke University.
Click here for previous articles by Lyngaas, or connect with him on Twitter: @snlyngaas.