GSA offers new way to buy CDM cyber tools


The General Services Administration is looking to change up how it provides access to the Department of Homeland Security’s  cybersecurity program.

GSA officials said the agency is looking to create Special Item Number exclusively for the Continuous Diagnostics and Mitigation program, tentatively scheduled to roll out this summer.

The program provides federal, state and local partners with tools for continuous network monitoring and risk-based analysis of cybersecurity threats.

In a March 22 request-for-information issued on FedBizOpps, GSA officials solicited feedback from industry stakeholders on the proposed move to offer CDM tools under an exclusive SIN within IT Schedule 70.

Related: Read the RFI

“Together, GSA and DHS are structuring a new SIN for IT Schedule 70 to meet the government’s need in strengthening cyber networks,” said a GSA spokesperson in an email.

“A GSA IT Schedule 70 technical evaluation factor will be created specific to the CDM SIN to undergo a DHS product qualification process to be added to the CDM Approved Products List.  This collaborative approach will strengthen the security posture and best-practices application of Government-wide networks.”

CDM tools are presently provided under a Blanket Purchase Agreement maintained through a partnership between GSA and DHS, but the RFI states that those agreements will expire in August 2018, necessitating a new contract solution.

The RFI detailed how the new SIN aims to pair down CDM’s 15 Tool Functional Areas into five subcategories addressing the following:

Manage “What is on the network”: Identify the existence of hardware, software, configuration characteristics and known security vulnerabilities and include: TFA 1 Hardware Asset Management (HWAM); TFA 2 Software Asset Management (SWAM); TFA 3 Configuration Management (CM); TFA 4 Vulnerability Management (VUL).

Manage “Who is on the network”: Identifies and determines the users or systems with access authorization, authenticated permissions and granted resource rights and includes: TFA 6 Manage Trust-in-People Granted Access (TRUST); TFA 7 Manage Security Related Behavior (BEHAVE); TFA 8 Manage Credential and Authentication (CRED); TFA 9 Manage Account/Access (PRIV).

Manage “How is the network protected”: Determines the user/system actions and behavior at the network boundaries and within the computing infrastructure and includes: TFA 5 Manage Network Access Controls.

Manage ‘What is happening on the network”: Prepares for events/incidents, gathers data from appropriate sources, and identifies incidents through analysis of data and includes: The originally identified TFAs of TFA 10 Prepare for Contingencies and Incidents (CP); TFA 11 Respond to Contingencies and Incidents (INC); TFA 14 Manage Audit Information (AUD); TFA 15 Manage Operation Security (OPS); TFA 12 Design and Build in Requirements, Policy, and Planning (POL); TFA 13 Design and Build in Quality (QAL).

Emerging Tools and Technology: Includes CDM cybersecurity tools and technology not in any other subcategory.

GSA and DHS will continue to jointly manage the CDM program under the new SIN. Industry stakeholders have until 5 p.m. on April 5 to submit feedback to RFI. Depending on that feedback, GSA officials said the SIN could debut in early summer.