DHS Awards Cybersecurity Continuous Monitoring Contracts

The announcement reported this week indicates that the Broad Purchase Agreement (BPA) contract has a one-year base and four one-year options.  Congress appropriated more than $183 million in the final fiscal year (FY) 2013 budget and the White House has requested $168 million in its FY 2014 IT budget.

The Continuous Diagnostics & Mitigation (CDM) program provides continuous monitoring, diagnosis, and mitigation activities to strengthen the security posture of the federal .gov networks. DHS is overseeing the procurement, operations, maintenance of sensors/dashboards deployed to agencies, in partnership with the General Services Administration (GSA) which has established a portal to facilitate CDM program purchases and will be charging a 2 percent fee to agencies using the BPA.

GovWinIQ has been tracking the contract opportunity for more than a year. The DHS National Protection and Programs Directorate (NPPD) announced that it was developing the CMaaS capability with the goal of establishing an automated dashboard that displays information about cybersecurity risks based on data collected through an array of sensors.

The BPA winners and their respective tool suites are:

• Booz Allen Hamilton – McAfee, ForeScout
• CGI – Tivoli Endpoint Manager, ServiceNow, Retina, BDNA, Splunk
• CSC – ServiceNow, ForeScout, McAfee, Tivoli Endpoint Manager
• DMI – Lumension, Triumfant, Hewlett Packard, ForeScout, SailPoint
• DRC – McAfee, ForeScout, VeraCode
• GDIT – McAfee, Microsoft, Symantec, Veracode
• HP – Hewlett Packard, Symantec, Tenable, View Trust, AppSec
• IBM – Tivoli Endpoint Manager, IBM, Rapid7, Core Impact, Hewlett Packard
• KCG – McAfee, IBM, Veracode, Core Impact, ForeScout
• Kratos – McAfee, ForeScout, Microsoft, RedSeal, Veracode
• Lockheed Martin – McAfee, ForeScout, ServiceNow, JBOSS, AirWatch
• ManTech – McAfee, ForeScout, Veracode
• MicroTech – CA Client Automation, InfloBlox, Symantec
• Northrop Grumman – ViewTrust, McAfee, ForeScout, Veracode
• SAIC – McAfee, ForeScout, Veracode
• SRA – nCircle, Symantec
• Technica – Symantec, p0f (Passive OS Fingerprinting)

These firms will now compete for task orders under the new BPA – which is open to all government agencies, including state, local and tribal entities – for the following functional and task areas:

This BPA marks new territory for federal cybersecurity efforts and acquisitions. It seeks to help agencies down the path to effective real-time monitoring of their networks’ security posture, a goal that has remained elusive for many agencies. And while each agency will continue to focus their on their own core information assurance and security the BPA may also bring more continuity to the overall .gov domain. Notice that many of the security tool providers in the list above hold positions on multiple contracts.

This also impacts agency acquisitions.  Historically, pure cybersecurity opportunities were few and far between and most efforts were embedded in network operations and infrastructure efforts. Those that you could find were either small and fragmented by agency or consolidated into huge service contracts that only the largest of firms could perform.

The contracts also bolster the fed’s move toward cloud implementations and shared services, pushing IT-as-a-service into the cybersecurity realm. Cost is one of the key drivers in the push to the cloud and this BPA could bring some additional competitive pressure to an area that has so far seemed immune to budget pressures, although agencies have been saying for some time that cyber spending will eventually level off and even come down.