How CDM is Rolling Out

Announced in early 2013, the $6 billion DHS CDM program is expected to take around five years to implement completely, with the ability to get a government-wide view of agency security status due by the end of FY 2017, when a federal CDM dashboard should be up and running.

Between now and then, the program will go forward in three separate phases, each one blending into the next. Work on an earlier phase will still go on, even as the next phase begins. Each phase, involving the delivery and integration of commercial-off-the-shelf scanning and security tools to agencies, will be implemented via a number of task orders, which will be met through the CMaaS BPA overseen by the GSA.

Contract awards for CMaaS, which will operate under GSA Schedule 70, were made in August 2013 to 17 companies.

Phase 1—endpoint security/device integrity—kicked off in January 2014 with a $60 million award for tools needed to provide immediate protection for agency devices such as desktop computers and servers, along with hardware and software inventory tools. A separate contract to begin development of the federal and agency dashboards was made several months later outside of the CMaaS, under the Alliant small business contract.

Task order 2 for Phase 1, which would begin the rollout of planning, management, training, and architecture and engineering tools and services to agencies, is split into six separate groups of differing agency size and missions. The $29 million contract for task order 2A, involving the DHS itself, was awarded at the end of February 2015.

Task order 2B—intended for the departments of Energy, Transportation, Interior, Agriculture, and Veterans Affairs, along with the Office of Personnel Management—was filled with a $39 million award in April 2015. Groups C through E task orders are expected to be awarded by the end of FY 2015 with the remaining group, mainly comprising smaller agencies, to be settled by the end of the calendar year.

When all five awards are made, the CDM program will cover over 98 percent of the federal civilian workforce.

Phase 2 is expected to generate major interest from vendors since it includes five of the CDM’s 15 capabilities—access control management, security-related behavior management, credentials and authentication management, privileges, and boundary protection including network, physical and virtual components—that also represent some of the more leading-edge technology areas.

CDM vendors received an RFI for products that could be used in Phase, and the modifications needed to the GSA BPA to include these are now being considered. Those modifications could come before the end of FY 2015.

DHS officials have also touted the CDM program for its ability to save agencies money by going through the CMaaS. In remarks to a Senate appropriations panel in April 2015, Ozment said the January 2014 Phase 1 award to purchase continuous monitoring tools for agencies through the CMaaS demonstrated a 30 percent cost reduction over GSA pricing and resulted in $26 million in cost avoidance.

A subsequent award for license maintenance of those tools reflected a 50 percent cost reduction over GSA pricing, he added.

State, local, regional and tribal governments can also buy CDM products and services using the CMaaS BPA, independent of the CDM program itself.