First CDM Phase 3 task order hits the street

Shutterstock image: protected hardware.

The General Services Administration has taken the next step in the federal government's rollout of its civilian agency cybersecurity program.

GSA confirmed to FCW on Aug. 25 that it has released a task order for CDM DEFEND, part of Phase 3 of the Continuous Diagnostics and Mitigation program. That phase focuses on boundary protection and incident response.

The task order covers Group B agencies -- the Agriculture, Energy, Interior, Transportation and Veterans Affairs departments; the Office of Personnel Management; and the Executive Office of the President, including the Office of Management and Budget.

It's not clear how much spending will be devoted to those agencies, but $2.75 billion to $3.4 billion could be spent across all agencies on CDM Phase 3.

DEFEND -- an acronym for Dynamic and Evolving Federal Enterprise Network Defense -- is a two-pronged acquisition strategy developed to replace the CDM monitoring-as-a-service blanket purchase agreement, which expires in August 2018.

When asked about the significance of the initial Phase 3 task order, a GSA spokeswoman said the agency does not comment on active procurements.

The Group B task order is broken up into a base year with options for five more and seems to be valued at roughly $100 million in the base year, said Eric Trexler, executive director for civilian and national security programs at McAfee. The company is not a prime contractor for CDM, but it was used on 13 of the 18 original prime contracts during Phases 1 and 2 and is expected to collaborate on bids for Phase 3.

The resulting services from the Group B task order will be available through GSA's eBuy portal, according to GSA.

Responses from potential bidders are due by Sept. 21. Trexler said he expects the contract for Group B to come sometime in the first quarter of 2018.

GSA has been rearranging how and when it will provide CDM services with an eye toward more efficiency for federal agencies as the CDM program moves forward. GSA and the Department of Homeland Security jointly administer the program, which seeks to fend off cyberattacks aimed at the civilian agency .gov domain in real time.

CDM initially focused on asset management (what is on the network) and credentialing (who is on the network). Trexler said those activities have contributed to a more agency specific or tailored approach for CDM Phase 3 task orders and potential contracts.

"The CDM program office learned a lot from the visibility" agencies gained through the first two phases, he added.

This article was updated Aug. 29.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Click here for previous articles by Rockwell. Contact him at [email protected] or follow him on Twitter at @MRockwell4.


  • Workforce
    White House rainbow light shutterstock ID : 1130423963 By zhephotography

    White House rolls out DEIA strategy

    On Tuesday, the Biden administration issued agencies a roadmap to guide their efforts to develop strategic plans for diversity, equity, inclusion and accessibility (DEIA), as required under a as required under a June executive order.

  • Defense
    software (whiteMocca/

    Why DOD is so bad at buying software

    The Defense Department wants to acquire emerging technology faster and more efficiently. But will its latest attempts to streamline its processes be enough?

Stay Connected