Spending Analysis: The DHS CDM/CMaaS Contract Vehicle

The inception of the Continuous Diagnostics and Mitigation (CDM)/Continuous Monitoring-as-a-Service (CMaaS) program by the Department of Homeland Security and General Services Administration at the end of fiscal 2013 was heralded as an important step in improving the cybersecurity posture of federal government agencies. More than $460M in obligations from a dozen or so agencies have flowed through the CDM/CMaaS contracts since they first opened for business, but that spending has been extremely uneven leading to the question, has the CDM/CMaaS program accomplished the goals set for it? In this post we’ll analyze spending on the CDM/CMaaS contracts in an effort to provide an answer.

Total Spending

Beginning with the overall trend in obligations, the chart below shows total spending on the CDM/CMaaS vehicle since fiscal 2013.

Spending on the vehicle appears to have peaked in fiscal 2014. However, Civilian agencies still have until the end of October to report spending for fiscal 2017 while the Department of Defense has until the beginning of the next quarter of fiscal 2018. When all of the numbers are in expect the total for fiscal 2017 to approach that of fiscal 2016, coming in perhaps a bit lower.

Spending by Department

Who has spent the most on solutions offered through the CDM/CMaaS contracts? The data below reveals that with $437.3M in total spending customers at DHS itself use the contracts far more than any other federal agency. The only agency that even comes close is the GSA with merely $12.6M in reported spending from fiscal 2014 to fiscal 2017. Defense organizations are not entirely absent as the Air Force has spent a measly $19K. Spending for other Defense organizations could not be found.

Spending at DHS

Since the lion’s share of CDM/CMaaS spending comes from DHS itself, which organizations at the department have been spending the most? The data below shows that the highest spending comes from the Office of the Secretary, followed by National Protection and Programs Directorate (NPPD), and the Domestic Nuclear Detection Office (DNDO). Presumably, the spending by the Office of the Secretary benefits all DHS organizations because no spending could be identified for major components like Immigration and Customs Enforcement, the U.S. Coast Guard, or the Federal Emergency Management Agency.

Spending by Vendor

Finally, here is the data for spending by CDM/CMaaS vendor.

Booz Allen Hamilton has been by far and away the most successful vendor on the vehicle, earning almost $146M since fiscal 2013, with almost all of those dollars obligated by the DHS. $113M of Booz’s earned dollars came from work done for the Office of the Secretary. Another $23M was obligated by the NPPD and yet another $12M from work for the Federal Acquisition Service at GSA.

The overwhelming majority of other vendors’ earnings also came from work at DHS, including $69M of Northrop Grumman’s total, $68M of CGI’s total, and pretty much all of HP ES’s total.

Concluding Thoughts

When the CDM/CMaaS program was first announced it appeared as if it would become the go-to contract vehicle for securing agency IT environments. Moreover, since then many agencies have repeatedly stated in their annual budget submissions that they intend to make greater use of the CDM/CMaaS contracts for security solutions. Lastly, the new presidential administration is making a big deal out of using shared services like CDM/CMaaS to reduce agency costs. Despite all of this, the available spending data shows that only DHS itself has taken advantage of the capabilities offered by CDM/CMaaS vendors. Other agencies have not used the contracts to nearly the extent they might have, suggesting that the CDM/CMaaS program has not yet met the most important goal of all – to establish a cybersecurity baseline for federal agencies that utilizes common solutions and reduces costs.