Cyber dashboard award initiates a deeper continuous monitoring push

Thursday - 3/20/2014, 4:48am EDT

Jason Miller, executive editor, Federal News Radio

The second major piece of the continuous monitoring cybersecurity program is underway. The General Services Administration earlier this month awarded a contract for the cybersecurity dashboard to help agencies understand the health of their computer networks more easily and more often.

The Homeland Security Department oversees the continuous diagnostics and mitigation (CDM) program, and GSA acts as its procurement arm.

GSA awarded a $47.3 million contract to Metrica Team Venture — a team of five companies under the Alliant small business contract.

Metrica, InfoReliance, Decypher Technologies, Texas Management Associates and TIST Corp. received the one-year contract with four one-year options.

"We had a kick off meeting just yesterday where we saw some of the suppliers' plans, calendars and timelines. We are expecting to get an initial operating capability of the dashboard in the fall, prior to Thanksgiving is the initial thinking and based on their initial plans," said Jim Piche, a group manager at GSA's FEDSIM office, who oversees the management and administration of the CDM contract. "First the operational level, a roll up level at the agency level and then an even higher roll up at the federal government, a federated level. What we are dealing with here is trying to make sure that the right levels of government staff have the information they need to deal with the problems. We are not suggesting that we take the operational level information from the departments or from those network operations centers because you end up with information overload, analysis paralysis. We want that actionable data to reside with those organizations that have the ability to do something with it. But the information that is truly dashboard information then gets rolled up at the agency level and then further at the federal level."

Federal view only at first

A GSA spokeswoman said the Metrica Team Venture will "provide software design and development services and software/hardware for a series of dashboard releases, or instances. The dashboard created under this procurement will be used to automate FISMA compliance reporting mandated by OMB, including reporting through the currently used FISMA reporting tool, CyberScope."

The spokeswoman said DHS' longer-term goal is to make the completed dashboard functionality available to other agencies so they can manage and report their vulnerability to cyber-attacks.

The current task order, however, is only for the implementation of a federal level dashboard.

This latest task order award was the second in what is expected to be a series of contracts under the $6 billion CDM program. GSA awarded 17 companies a spot on the blanket purchase agreement in August to provide products and services. The dashboard task order, however, was not through this BPA.

GSA made the first award under the CDM program in January for $60 million worth of cyber tools.

Piche, who spoke as part of a panel discussion Wednesday on CDM sponsored by the FedInsider and the ImmixGroup in Washington, said GSA is working on several other RFQs in the coming months for products and services based on like characteristics among agencies, such as geography or technology architecture or their current install base of systems.

All of these tools and dashboards lead to one main goal of the program.

"As we do this, it is important to get back to the data. But getting to the data is not the reason we do this. It's to make risk decisions," said Bob Brese, the Energy Department chief information officer. "The piece about continuous authorization has to get the people to have the impact part of the risk equation in their pockets. I will tell you from my experience that's been the most difficult part of this whole project is getting the people that own the impact part of this equation to take ownership for it, to articulate it and to be communicative with us so we can figure out what the 'R' is in the equation. Because in the end, it's their risk. If they don't own it, no one owns it."

Educating what risk means

He said it's that risk decision that matters the most because a threat or vulnerability at one part of DoE may not mean the same risk to another part of the agency.

Brese said the dashboard will help technology officials and business process owners decide how meaningful the data is so they can determine risk more uniformly.

Jeff Eisensmith, the chief information security officer at DHS, said educating the mission owners about cyber risks is among his biggest jobs.