35% of BPA Vendors See Spending through Continuous Monitoring Program

Published: September 02, 2015


It’s been two years since the Department of Homeland Security (DHS) announced the contract awards for the Continuous Diagnostics and Mitigation (CDM) Program Tools and Continuous Monitoring as a Service (CMaaS). Several years remain before the current blanket purchase agreement (BPA) expires, but so far the reported spending is a far cry from the $6 billion combined maximum ordering limit.

The continuous monitoring BPA is expected to dramatically improve system monitoring and authorization by addressing fifteen functional capabilities over the course of three phases. DHS has estimated that the manual plans, reports, and audits associated with historic information security practices cost between $600 million and $1.9 billion a year, a level of spending that consumes between 18 and 65 percent of each .gov cybersecurity dollar of funding. By contrast, CDM is expected to cost $200 million, or approximately 6 percent of information security spending. Those figures represent significant potential for government cost savings and a strategic business opportunity for vendors.

According to a presentation from the Federal IT Acquisition Summit earlier this year, “DHS has appropriated $185 million in FY 2013, $168 million in FY 2014, $143 million in FY 2015, and anticipates similar levels for the option years of the BPA.” Lest appropriations be taken at face value as an indication of contracting levels, the reported spending for the effort paints a different picture. As of mid-August 2015, reported obligations were about $97 million. An additional $5 million in August pushed that total over $100 million.

Forty percent of the spending to date tracks back to January 2014. April 2015 brought another uptick in spending, around 24 percent of the total to date. While 17 vendors were awarded places on the BPA, task orders have been issued to 6 of the vendors so far. The combined spending to date amounts to $102 million, about 47 percent of the $218 million combined total ceiling value for 17 different task orders.


Upcoming activities for the information security effort include progress with Task Order 2F (CDM as a Service, and Phase 1 and Phase 2 Products) and emphasis on delivery orders for the Phase 2 approach, which will continue with the groups established for the first phase. As of midsummer 2015, DHS reported that Phases 2 and 3 were being further defined to address concerns around privilege levels and boundary protection, respectively. It will be interesting to see how the evolution of the phases impacts the competition across offerings. Currently, 18 percent of the vendors on the BPA account for over 80 percent of the total CDM BPA spending to date. That’s likely to change slightly over time, as the agencies in the final CDM group (Group F) shift to buying security solutions off one of the General Services Administration’s government-wide acquisition contracts. Nonetheless, the distribution of spending across BPA vendors will give an indication of how agencies are filling their requirements for security solutions.