Cybersecurity CDM Dashboard Part 2 – the Danger of Drama Delays

Federal departments and agencies are struggling with enough cybersecurity challenges without the acquisition process adding to the problem. Agencies working to improve their cybersecurity capabilities are looking to industry to provide needed expertise and tools through efforts like the joint GSA/DHS Continuous Diagnostics and Mitigation (CDM) program. But these acquisitions must be properly managed or we risk introducing unnecessary and dangerous delays, as recent comments by a GSA official suggest.

While the first task order on the CDM BPA was awarded without incident, there has been quite a stir of controversy around the handling of the planned procurement of the (CDM) dashboard solution (See Part 1 for details.) This has left a bit of a fog around where the procurement stands. In fact, recent comments made by a GSA official at the office that manages the CDM procurements give some insight into how irregularities in acquisition process could have real impacts in federal agencies’ cybersecurity posture.

Jim Piché, the DHS Group Manager of the Federal Systems Integration and Management (FEDSIM) Center at GSA was a participant at recent ImmixGroup panel on the CDM program and its upcoming Phase II focused on detecting insider threats.

When asked about the dashboard and where things are with the selection process Piché chose his words carefully while giving some forthright perspective on how the process is unfolding and what we should expect going forward.

“There has been a lot of discussion in the press on this. Just for clarity . . . The procurement process is underway. Announcements that were made previously were as a result of an analysis of alternatives that was conducted by the Department of Homeland Security. In essence, it was really a technology survey to determine that the products that they were looking for… the specific software solutions that implement the dashboard solution that is being developed by MTV (Metrica Team Venture) … to determine that those software capabilities existed in industry. The analysis of alternatives proved that out. The results of the analysis of alternatives should have been held as an internal document as DHS was seeking to solidify and clearly articulate the requirements for the dashboard. The next phase is to actually go through competitive procurement. So there has been no competition, there’s been no selection, there’s been no awardee. Based on the information from DHS received as part of that analysis of alternatives they are refining their requirement and the GSA’s contracting officer is in contact with MTV. MTV will actually be conducting the solicitation under the guidance of GSA. That that particular procurement is still being developed and I don’t have a schedule for when that will be released.”

Recognizing the delicacy and drama from the media attention Piché concluded his comments with “That’s all I want to say on dashboard today,” to which he received an appreciative and empathetic chuckle from the audience.

The drama and damage control underscores the challenge of moving federal .gov agencies toward mature and effective CDM capabilities. The experience of federal agencies working toward CDM reveals that it is a slow process from a technical and organizational perspective. They do not need additional challenges and delays from the acquisition side that could potentially fuel award protests and prolong cybersecurity vulnerabilities.

Phase II of CDM centers on dealing with insider threats and this is none too soon. News of a National Oceanic and Atmospheric Administration (NOAA) employee being charged with stealing sensitive information from a federal database for the nation's dams underscores the urgency and importance of these and other capabilities.  Hopefully, the acquisition process will not become an additional obstacle to success.