Continuous Monitoring as a Service Award on the Horizon

Published: May 08, 2013

Tags: Cloud Computing, Cybersecurity, DHS, OMB, Strategic Sourcing

Improved cybersecurity was called out as one of three administrative priorities for FY 2014. Agencies have been inching towards cybersecurity targets, and an upcoming award may ease agency pains of implementing continuous monitoring solutions.

As described in the 2012 FISMA report, continuous monitoring covers three categories: assets, configuration and vulnerability. According to the report, all CFO Act agencies demonstrated the ability to successfully report data feeds to Cyberscope. While agency implementation of automated continuous monitoring increased in FY 2012, 7 out of 24 civilian agencies did not have monitoring programs in place.

Looking at the agency capability implementation scores, the results often appear lopsided. Overall, agency implementation would need a 7% improvement in FY 2013 to meet the implementation target. Perhaps DHS’s continuous monitoring program will provide the boost lagging agencies have needed.

Last year, the Department of Homeland Security’s National Protection and Programs Directorate (NPPD) announced that it is developing a Continuous Monitoring as a Service (CMaaS) capability. The result of this effort would be an array of sensors that collect data about agency cybersecurity risks and present that information in an automated and continually updated dashboard. This display will allow technical workers and managers to improve an agency’s view of its security posture, to counter recurring threats more effectively, and to support a data-driven approach to agency risk management.
 
As we previously explored, the core capabilities for DHS’s continuous monitoring fell into five areas: hardware asset management, software asset management, vulnerability management, configuration management, and anti-virus. The continuous monitoring program outlined several approaches, including a service-based solution. CMaaS solutions will be based upon NIST standards, including a number of guidelines set out in NIST’s 800 series of special publications:
· “Guide for Conducting Risk Assessments” (SP 800-30)
· “Guide for Applying the Risk Management Framework to Federal Information Systems” (SP 800-37)
· “Guide for Managing Information Security Risk” (SP 800-39)
· “Recommended Security Controls for Federal Information Systems and Organizations” (SP 800-53)
· “Guide for Assessing the Security Controls in Federal Information Systems and Organizations” (SP 800-53A)
 
DHS plans to shoulder the financial responsibility for this continuous monitoring effort because many agencies lack the resources and expertise. In December 2012, the contracting office released a request for quote (RFQ) that covers both the CMaaS and tools portions of Continuous Diagnostics and Mitigation (CDM). Responses to the RFQ were due in February 2013. DHS funds are expected to be applied through strategic sourcing to implement sensors (where missing), a federal dashboard, and operating services. The General Services Administration (GSA) will charge a 2 percent fee to agencies using the blanket purchase agreement (BPA). Over 40 vendors have expressed interest in the opportunity, valued at $6 billion over five years. Officials have stated that they expect to award the contract before October 2013. Deltek analysts currently estimate the award announcement in June 2013.
 
Updates regarding the CMaaS award can be found on GovWin under Opportunity ID 89183 (login required).