CMaaS contracts stack odds in favor of success

The Continuous Diagnostics and Mitigation program is a complex undertaking.

The goal of CDM, according to the Department of Homeland Security, is to “enable network administrators to know the state of their respective networks at any given time, understand the relative risks and threats, and help system personnel to identify and mitigate flaws at near-network speed.”

To achieve that goal, DHS has partnered with the General Services Administration to create a central contract vehicle known as Continuous Monitoring-as-a-service (CMaaS) through which agencies can buy software to address the essential requirements of continuous monitoring. Last fall, GSA selected 17 contractors to deliver software in four functional areas. Future awards will cover an additional eleven functional areas.

But software is not enough. That is why CMaaS also provides participating agencies with extensive support in developing and managing their CDM initiatives.

“The CDM Program helps transform the way federal and other government entities manage their cyber networks through strategically sourced tools and services and enhances the ability of government entities to strengthen the posture of their cyber networks,” according to GSA.

The support services begin before the first order for software is placed. The first two service task areas cover project management support and CDM order planning. These services are intended to help agencies approach CDM from a strategic perspective — from developing detailed project plans for each order to assisting with technical design reviews and proposing a concept of operations.

CMaaS also provides extensive support in implementing the software. Available services include customizing, configuring and operating the CDM tools and associated sensors as well as setting up the CDM dashboards and managing the necessary data feeds.

More buying power

In setting up the program, GSA also looked to help agencies address their budget concerns. Its approach recognizes that despite the clear importance of protecting their systems, agencies often struggle with finding enough money to buy the necessary solutions.

For starters, GSA established the CMaaS blanket purchase agreements by using GSA Schedule 70 pricing to establish the first tier of pricing discounts. Deeper discounts are available based on the volume of purchases. But that’s not all.

GSA is leveraging its experience with the Federal Strategic Sourcing Initiative to help agencies become smarter buyers. As part of the BPAs, agencies will receive quarterly reports on software purchases, usage and the volume discounts achieved, helping them to better understand their requirements and to extend their buying power.

Strategic sourcing is widely seen as a critical component of federal acquisition. Although both the Bush and Obama administrations have championed the concept, its proponents say agencies can do much more to tap into the potential of this acquisition strategy.

“Strategic sourcing efforts to date have targeted a small fraction of procurement spending,” said Cristina Chaplain, director of acquisition and sourcing management at the Government Accountability Office, speaking to the Senate Committee on Homeland Security and Governmental Affairs last October. “As budgets decline, however, it is important that the cost culture in federal agencies change.”

However, strategic sourcing is not just about cutting costs. In looking at similar efforts in the private sector, GAO found that “these practices drive efficiencies and yield benefits beyond savings, such as increased business knowledge and better supplier management,” Chaplain said.

CDM clearly is an ambitious undertaking, and there is still a long way to go. But experts believe the program has the potential to make a significant impact on the federal government. The SANS Institute recently held a CDM workshop to help agency executives understand the program.

“I've seen a lot of these large BPA/IDIQ contracts get announced to huge fanfare, only to end up as failures when little of the allocated funds were ever actually spent, and most of what was procured ended up as shelfware,” wrote John Pescatore, director of emerging security trends at the SANS Institute, in a blog post.

“Since the CDM program shares a lot of DNA with the Critical Security Controls, SANS believes that by helping the CDM program succeed the overall level of implementation of the Critical Security Controls at government agencies will increase — a good thing for cybersecurity,” Pescatore wrote.