Are Acquisition Hurdles Preventing Agency Adoption of Cyber Tools?

Published: April 13, 2016


The Department of Homeland Security rolled out its government-wide continuous monitoring program two years ago, but officials are questioning whether buying practices are an impediment to improving federal IT security.

In early April 2016, FCW reported that the ranking member of the Senate Homeland Security and Governmental Affairs Committee, Sen. Tom Carper (D-Del.), tasked the Office of Management and Budget with exploring how to improve agency acquisition of cybersecurity tools. The letter referenced several avenues for potential flexibility – simplified procedures for purchases below the $150,000 threshold, expediting acquisition by limiting competition, faster access to the General Services Administration’s IT Schedule 70, agency transactional authority, and partnering with the Department of Homeland Security (DHS) to implement continuous monitoring. Only one of the points mentioned is currently directly linked to federal information security initiatives: continuous monitoring. Still in its first phase, DHS’s continuous monitoring program is beginning to deliver cyber defense tools and capabilities to federal agencies. By taking a government-wide contracting approach, the program enables agencies to leverage pooled negotiating power and economies of scale. It’s unclear, however, whether the program will be able to evolve quickly enough to keep pace with the changing threats agencies face.

Continuous Monitoring

Current contracts for the Continuous Diagnostics and Mitigation (CDM) and Continuous Monitoring as a Service (CMAAS) program are set to expire in August 2018 (GovWin opportunity ID: 118780). Review of the CDM program spending last fall highlighted the slanted distribution of the awards as well as the discrepancy between the established ceiling and actual reported spending. Since then, the proportion has grown to two thirds of the vendors on the blanket purchase agreement (BPA). Among those contractors, one accounts for 47 percent of the total spending and three vendors combine for another 51 percent. (To be fair, though, that 0 percent slice represents just over $115,000 in task order spending. So, all of the vendors have seen a bit of activity at this point.) Despite its $6 billion ceiling value, the total reported spending has yet to crack $300 million.

The phased approach of the CDM program addresses different capabilities. As noted earlier, the current contracts on the CDM BPA will expire in 2018. Awards for Phase 2 of the program have yet to be announced. This phase will address Least Privilege and Infrastructure Integrity, which includes credentialing and access, privilege management, as well as protection of network, physical, and virtual boundaries. Carper’s letter listed a number of cybersecurity topics for the OMB Director to investigate. These questions ranged from general inquiries about steps being taken to procure innovative security solutions to OMB’s role in the process, capability development for additional offerings through CDM, and what steps agencies are taking to promote security advances. The response was requested within 30 days.