Earlier this year, program managers in the Department of Homeland Security and the General Services Administration’s FEDSIM undertook a redesign of the Continuous Diagnostics and Mitigation (CDM) program, the largest cybersecurity effort in the federal government.
While the program has a shiny new name — CDM DEFEND, which stands for Dynamic and Evolving Federal Enterprise Network Defense — program managers assert that this is more than just a rebranding.
“It’s an effort to replace the CDM BPAs that expire in August of 2018,” explained Kevin Cox, CDM program manager at DHS, during a discussion Oct. 30 at the annual American Council for Technology and Industry Advisory Council (ACT-IAC) Executive Leadership Conference in Williamsburg, Va. “It will follow the same model of how the agencies are grouped, then we will be competing different task orders for system integrators to partner with those agencies.”
The focus on partnerships is key, said Cox, as the new CDM model will be less about buying specific services and technologies and more about creating a strong cybersecurity posture that can evolve over time.
“We’re not looking for a specific technology; we’re not looking for a specific cyber solution,” said Jim Piche, homeland security director for FEDSIM. “We’re going to take the acquisition cycles out of it so that we can identify, acquire and deploy those cybersecurity tools at the speed they need to be deployed rather than getting into another procurement cycle.”
Using GSA’s Alliant contract vehicle — and, subsequently, Alliant 2 as that contract goes into effect — CIO offices will issue a task order with a system integrator that will help the agency develop cybersecurity goals and discover the right technical solutions to achieve those goals. Then, over the life of the task order — five to six years, according to Cox — that framework can be adjusted as new tools and solutions are developed, and those products can be acquired without having to issue a new task order or contract.
“This is not a BPA, it’s not an IDIQ,” Piche said. “It is a single-award task order to an integrator that is incrementally funded as a cost-type task order.”
That doesn’t mean the whole CDM system will be thrown out.
“What’s still the same is the inextricable relationship that Kevin and I have, the CDM program office and GSA … to bring the best innovation solutions to support the CDM program,” Piche said. “The other thing that hasn’t changed is the scope: every federal agency is a customer.”
Finally, Piche noted the program’s reliance on industry. The program currently works with more than 100 companies and that isn’t expected to change going forward.
“What we’re trying to get out of the CDM program is better cybersecurity,” Piche said. “You can also read that as ‘compliant cybersecurity’ or ‘more efficient cybersecurity.’ But we’re also trying to do it more affordably.”
To be both effective and affordable, the contract vehicle needs to be able to adapt to the ever-changing landscape of cybersecurity.
“We don’t know today what better cybersecurity is going to look like in 2019 or 2020 or as we get to the tail end of this project,” Piche said. Using this more flexible model will allow agencies to “redefine what is better cybersecurity in 2019 and 2020.”
Aaron Boyd is an award-winning journalist currently serving as editor of Federal Times — a Washington, D.C. institution covering federal workforce and contracting for more than 50 years — and Fifth Domain — a news and information hub focused on cybersecurity and cyberwar from a civilian, military and international perspective.