Cybersecurity Meets Soap Opera in CDM Dashboard Competition

Published: September 17, 2014

Acquisition ReformContract AwardsCybersecurityGSADHSProtest

In a budget-constrained federal IT market the competition for cybersecurity work is bound to become increasingly competitive, even cut-throat. And when things get this way a certain amount of drama is sure to follow. Such is the case with a Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) Dashboard tools competition where a premature award announcement has combined with accusations of acquisition rule-breaking to add controversy to the process.

DHS announced last summer the creation of its $6 billion Continuous Diagnostics & Mitigation (CDM) program BPA with awards to 17 primes and more than 20 subcontractors. The government-wide effort is in partnership with the General Services Administration (GSA) which is acting as the procurement agency and has established a portal to facilitate CDM program purchases. Last March, GSA awarded a contract for the CDM Dashboard design and implementation effort to Metrica Team Venture. So far, so good.

The drama started when an official with RSA announced in a blog post that DHS has selected RSA Archer's GRC solution for its CDM Dashboard effort. FCW first reported on the unofficial award announcement before the story was later clarified that RSA’s product is a finalist for the contract, but the selection process is not yet complete.  (The RSA official’s blog post has since been deleted.)

The story gained further drama when it came to light that the firm that had won the Alliant Small Business contract to evaluate the CDM Dashboard tools bid, Metrica Team Venture, is being accused of allowing one of its team members, InfoReliance, to market the RSA products (another team member) during the period between GSA's awarding the Alliant Small Business contract to Metrica and the agency's decision on the Dashboard vendor.  Agiliance, the firm that has brought the complaint to GSA, is asserting organizational conflict of interest (OCI) and marketing practices that are forbidden under federal acquisition rules, according to a subsequent article in which FCW appears to have seen their letter to GSA.

To make things even more colorful, Agiliance’s letter to GSA is not a formal protest. It is unclear whether the move was made to preempt the need for Agiliance to protest the forthcoming DHS Dashboard tool award or if it was because Agiliance is not an Alliant Small Business contract holder, or both. Either way, it’s clear that they are trying to get GSA to take a closer look at the process that is unfolding and to take action.

These events underscore how competitive the market has become and will continue to be in the close-knit world of cybersecurity. In an era where winning or losing a contract can mean life of death for your company it is crucial that vendors know the acquisition rules and keep solid documentation of your processes out of self-protection.  Further, any appearance of possible impropriety – even if none exists – will raise hackles in an increasingly competitive market where awards are often “winner takes all.”

Also, Agiliance’s letter to GSA could be considered a form of “protest by another name” where a company sees anomalies that raise their concern enough to look for ways to raise a flag in a formal way. Such methods may grow in frequency as federal agencies look for efficiencies in their acquisition processes like turning to GSA or another agency to facilitate procurements.