Bureau of Reclamation sprinting to patch

After the Office of Personnel Management data breach, agencies embarked on a governmentwide cybersecurity sprint that produced measurable improvements in two-factor authentication and, more recently, a new cybersecurity strategy.

But how are the finer details shaking out? The Interior Department's Bureau of Reclamation offers a peek at how the sprint's urgency has filtered down to smaller agencies.

Last month, the water management agency, with a large presence in the western U.S., justified awarding three contracts in September without competition on the basis of "urgent and compelling" cybersecurity needs.

"NuAxis is the only company that has local personnel and resources in place to start Oct. 1, 2015," a justification for a sole-source website-support contract states.

Another justification explains that NexGen Technologies is "extremely familiar" with the bureau's IT systems and was given a sole-source award for security work because "assuming the risk of keeping these systems online without current patches is not a prudent or judicious option."

The third justification notes that "through market research, it was discovered that no other contractor could provide [a cybersecurity] specialist in the time that ISYS [Technologies] could, and the required work could begin almost immediately."

Bureau officials said the contracts relate to patching vulnerabilities, which is in keeping with U.S. CIO Tony Scott's instructions to agencies during the sprint to patch critical vulnerabilities "without delay."

According to bureau officials, the contracts reflect the new federal reality of treating cybersecurity as an urgent, serious concern.

"We didn't pick companies out of the air," said Karla Smiley, the bureau's assistant director of information resources. All three companies were small businesses, including two that are woman-owned, she added. Furthermore, two of them had recently been competitively awarded work, and the third was from a small-business matchmaking event.

When asked if the urgency to award new work stemmed from the discovery of new vulnerabilities or intrusions, Smiley said, "I don't think we're going to answer that question."

Jeff Hoffman, manager of the bureau's IT Services Division, said much of the contractors' work will not involve direct patching but rather modernizing application middleware -- a necessary step to enable the patching to take place.

A spokesman did not provide hard numbers on the bureau's performance during the cybersecurity sprint, nor did he give dollar amounts for the awards, which Smiley characterized as modest.

Interior's Office of Inspector General did not respond to a request for comment.

However, bureau spokesman Peter Soeth told FCW that "no protests have been received, and there are no concerns within Reclamation."