The Department of Homeland Security's $6 billion cybersecurity award last week to a slew of contractors and vendors sets in motion a contest among them to sell federal agencies on new network monitoring, vulnerability assessment and mitigation technologies. The underlying goal of this massive "Continuous Diagnostics and Mitigation" (CDM) contract is to spur federal civilian agencies to move away from static approaches to network-security compliance reporting in favor of real-time monitoring.
“What they’re trying to accomplish here is moving from FISMA [Federal Information Security Management Act] reporting quarterly to see what’s going on a daily basis,” says Peter Allor, federal cybersecurity strategist for IBM Security Systems, alluding to the government’s IT compliance-reporting obligations spelled out under FISMA. FISMA, passed in 2002, is now widely seen as too much of a check-the-box approach, given how many security monitoring technologies support a real-time approach. IBM is just one vendor among the crowd of 17 systems integrators that won a spot on the DHS CDM contract awarded last week.
John Streufert, director of the National Cybersecurity Division at DHS, had a hand in the CDM last November before the RFP was issued. At the time, he expressed hope CDM might one day become a “cyberscope” for the federal agencies to know what’s happening in real-time on their networks and a way to mitigate vulnerability problems. He says federal agencies need to get away from inefficient and untimely paper-based vulnerability reporting.
Along with IBM, the systems integrators winning a spot on CDM include Booz Allen Hamilton, CSC, Knowledge Consulting Group, Lockheed Martin, Northrop Grumman, SAIC and ManTech. The contract also brings in dozens of vendors of monitoring, scanning, log management and security-information and event management tools. These include McAfee, Symantec, ForeScout, Splunk, Veracode, Rapid7, Core Impact, Microsoft, RedSeal, nCircle and several more. ForeScout, for example, said its CounterACT monitoring product has been included in product suites put forward by 11 out of the 17 systems integrators winning the contract.
The products and services under the CDM contract award will be available through the General Services Administration. However, DHS is expected to oversee the contract, which is established as a 1-year baseline for “indefinite quantity, indefinite delivery” purchases by agencies for a maximum total of five years and $6 billion if all options are exercised.
IBM, which will be selling its Security Endpoint Manager, Security AppScan and QRadar SIEM, notes the contract is set up in a way to engender competition while making it easier for civilian federal agencies to buy monitoring and mitigation products. The contract is also expected to be available to state and local agencies.
The CDM contract was also put forward with the idea that there could be Continuous Monitoring as-a-Service (CMaaS), meaning some larger agencies could take on the role of providing services to smaller agencies.
Ellen Messmer is senior editor at Network World, an IDG publication and website, where she covers news and technology trends related to information security. Twitter: MessmerE. E-mail: firstname.lastname@example.org