DHS to standardize cyber protections through new contract

Tuesday - 8/13/2013, 11:51am EDT

Jason Miller talks to DHS Director of Network Resilience John Streufert.


(This story has been updated from its original version to include additional details about the contract and quotes from DHS Director of Network Resilience John Streufert.)

The Homeland Security Department awarded 17 companies, providing tools from more than 20 subcontractors, a spot on the continuous monitoring and diagnostics contract.

DHS announced the deal, which could be worth as much as $6 billion, late in the day Monday. The vendors will provide tools, hardware and software to implement continuous-monitoring-as-a-service (CMaaS).

Under the contract, DHS will work with agencies to implement continuous diagnostics and mitigation (CDM) tools at the network level using more than $183 million, which Congress provided as part of the fiscal 2013 budget.

Agencies will use their own funding to implement the software and services for specific applications or systems, said John Streufert, director of Federal Network Resilience at DHS.

"The way the government has structured its information systems is we share networks with multiple custom applications," he said during a press briefing after speaking at the SANS Institute's Critical Security Controls Summit in Washington Tuesday. "We track more than 6,000 applications which are categorized at a moderate level of risk, and more than 1,200 applications that are categorized at a high level for risk. Because they all share common networks across both military and civilian government, it was the judgment of DHS that protecting the networks first would be an important foundation and then we would overlay additional software security protections, database protections and website protections on top, and feed to the same dashboards that will be funded in the initial increment under the continuous diagnostics and mitigation program."

Civilian agencies only

DHS will focus only on the civilian agencies through the CDM program.

Streufert said DHS has signed memorandums of agreement with 22 of the 23 CFO Act civilian agencies to implement the program. Only the General Services Administration hasn't finalized its MOA to implement CDM.

"There were some internal circumstances related to the kind of technology they have at the GSA. I'm not sure of all of their reasons, but I know a good portion of their activity is in the cloud. I know GSA is waiting till 2014, but the good news is that's less than six weeks away," he said. "I think we'll fold them in quite easily as the various task orders play out. A number of the departments and agencies have similar circumstances as GSA, and what we are doing as a customer-responsive organization is to work with their internal circumstances and queue up those who are ready to move out now, and we'll create options on the contract and other mechanisms to add in the organizations that need a little bit of additional time."

Streufert also said an additional 30 small or micro agencies have expressed interest in DHS putting CDM tools on their network.

He added that DHS will work with the Chief Information Officers Council, the Office of Management and Budget and others to determine the implementation order for customer agencies.

Dashboard RFP coming soon

Before continuous monitoring can achieve full operating capability, DHS, working with GSA, will award a separate contract for one or more vendors to provide dashboards to collect and present the data pulled from the CDM tools.

Streufert said the dashboard solicitation hasn't been issued yet and still is under development.

"Our goal is to get a standard measure of protection across government within three years," Streufert said. "We believe that notwithstanding the three-phased program, there may be a little bit of clean up in the following fiscal year from the previous phase in dealing with special situations like GSA and a number of small and micro agencies that have asked to wait until 2014."

DHS issued the request for quotes in December. Industry has closely followed the contract, as it is the main path agencies are taking toward continuous monitoring for cybersecurity.

"If we can get industry, policy and operations people using a common set of technical tools which have national and industry standards embedded into them, we can not only go into the prioritization of dealing with the worst problems, but also measure results we are getting from substantial investments," said Streufert.

The BPA winners are:

  • Booz Allen Hamilton
  • CGI
  • CSC
  • DMI
  • DRC
  • General Dynamics-IT
  • HP
  • IBM
  • KCG
  • Kratos
  • Lockheed Martin
  • ManTech
  • MicroTech
  • Northrop Grumman
  • SAIC
  • SRA
  • Technica

GSA's Federal Acquisition Service will run the contract, charging a 2 percent fee for usage. GSA has set up a website portal with an ordering guide and other facts about the continuous monitoring contract.

The contract also is open to federal, state, local and tribal governments.