Contracting

Bureau of Reclamation sprinting to patch

Shutterstock image: checking documents.

After the Office of Personnel Management data breach, agencies embarked on a governmentwide cybersecurity sprint that produced measurable improvements in two-factor authentication and, more recently, a new cybersecurity strategy.

But how are the finer details shaking out? The Interior Department's Bureau of Reclamation offers a peek at how the sprint's urgency has filtered down to smaller agencies.

Last month, the water management agency, with a large presence in the western U.S., justified awarding three contracts in September without competition on the basis of "urgent and compelling" cybersecurity needs.

"NuAxis is the only company that has local personnel and resources in place to start Oct. 1, 2015," a justification for a sole-source website-support contract states.

Another justification explains that NexGen Technologies is "extremely familiar" with the bureau's IT systems and was given a sole-source award for security work because "assuming the risk of keeping these systems online without current patches is not a prudent or judicious option."

The third justification notes that "through market research, it was discovered that no other contractor could provide [a cybersecurity] specialist in the time that ISYS [Technologies] could, and the required work could begin almost immediately."

Bureau officials said the contracts relate to patching vulnerabilities, which is in keeping with U.S. CIO Tony Scott's instructions to agencies during the sprint to patch critical vulnerabilities "without delay."

According to bureau officials, the contracts reflect the new federal reality of treating cybersecurity as an urgent, serious concern.

"We didn't pick companies out of the air," said Karla Smiley, the bureau's assistant director of information resources. All three companies were small businesses, including two that are woman-owned, she added. Furthermore, two of them had recently been competitively awarded work, and the third was from a small-business matchmaking event.

When asked if the urgency to award new work stemmed from the discovery of new vulnerabilities or intrusions, Smiley said, "I don't think we're going to answer that question."

Jeff Hoffman, manager of the bureau's IT Services Division, said much of the contractors' work will not involve direct patching but rather modernizing application middleware -- a necessary step to enable the patching to take place.

A spokesman did not provide hard numbers on the bureau's performance during the cybersecurity sprint, nor did he give dollar amounts for the awards, which Smiley characterized as modest.

Interior's Office of Inspector General did not respond to a request for comment.

However, bureau spokesman Peter Soeth told FCW that "no protests have been received, and there are no concerns within Reclamation."

About the Author

Zach Noble is a former FCW staff writer.

Featured

  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected

FCW INSIDER

Sign up for our newsletter.

I agree to this site's Privacy Policy.