DHS Selects 17 Companies to Participate in $6 Billion ‘Continuous Diagnostics and Mitigation’ Contract
On Tuesday, 17 technology and defense contractors were awarded participation in a cybersecurity contract with the U.S. government that could be valued at as much as $6 billion over five years.
The General Services Administration (GSA) this week announced a contract award that will allow government agencies to partner with the Department of Homeland Security (DHS) to deploy Continuous Diagnostics and Mitigation (CDM) technology that will enhance the security and resilience of their networks.
According to the DHS, the Continuous Diagnostics and Mitigation program was designed to defend Federal IT networks from cyber threats by providing continuous monitoring sensors (tools), diagnosis, mitigation tools, dashboards, and Continuous Monitoring as a Service (CMaaS) to strengthen the security posture of Government networks.
“The CDM Program brings an enterprise approach to continuous diagnostics, and allows consistent application of best practices,” the DHS explained.
As reported by SecurityWeek when rumors of the initiative surfaced, the new program essentially creates a shopping hub where federal, state, and local agencies can buy services to protect their computer networks.
The program is the result of the executive order from President Barack Obama which requires the DHS to ensure unclassified government networks are scanned constantly for threats, defended from attacks, and regularly audited to be compliant with computer security rules.
According to Mike Lloyd, CTO at RedSeal Networks, the announcement of the award for the Continuous Diagnostics and Mitigation program is good news for citizens and taxpayers.
“The DHS CDM program is a direct and significant step in the right direction, with the potential to offer senior leaders at DHS a level of situational awareness and risk management that has not been possible in the past,” Lloyd told SecurityWeek.
“Across the government sector – civilian, intelligence, and military – there is a concerted effort to adopt a defensive strategy known as Continuous Monitoring, described in detail in NIST publications that define a Risk Management Framework,” Lloyd explained. “This is a necessary and urgently needed response, focused on automation of the assessment of defensive state and attack readiness.”
The overarching contract has an estimated ceiling of $6 billion over its five-year duration, which is comprised of a one-year contract with four additional one-year options.
The vendors listed in the contract award include:
• Booz Allen Hamilton
• CGI Federal, Inc.
• Computer Sciences Corporation
• Digital Management, Inc.
• Dynamics Research Corporation
• General Dynamics Information Technology
• Hewlett Packard Enterprise Services
• Knowledge Consulting Group
• Kratos Technology and Training Solutions
• Lockheed Martin
• ManTech International
• Northrop Grumman
• SRA International
• Technica Corporation
IBM said that as part of the rogram, agencies can leverage its consulting services as well security intelligence software including IBM Security Endpoint Manager, IBM Security Appscan and IBM Security QRadar.
“Under the CDM program, participating departments and agencies will be able to enhance their cybersecurity assessments by implementing automated network sensor capacity and prioritizing risk alerts,” the DHS explained. “Results will feed into agency-level dashboards that produce customized reports that alert information technology managers to the most critical cyber risks, enabling them to readily identify which network security issues to address first.”
The DHS also mentioned the importance it its network intrusion detection and prevention technology known as “Einstein” which went live with its latest iteration last month.
Additionally, the DHS said that summary information from participating agencies would be fed into a central Federal-level dashboard, managed by DHS’ National Cybersecurity Communication and Integration Center, to inform and prioritize cyber risk assessments across Federal agencies.
One security expert warned that controls will be important and contracts should be strict, especially in the post-Edward-Snowden era.
“The government will need to be choosy about whom it decides to share data with,” Robert Hansen, director of product management and technical evangelist at WhiteHat Security, told SecurityWeek in a previous statement. Hansen also noted the importance of software and hardware being audited to ensure there are no backdoors implanted by dangerous foreign actors or other malicious actors.
“Attackers have figured out how to twist doorknobs on an industrial scale – they can hit every angle across a complex and growing IT infrastructure, looking for any weak spots,” Red Seal’s Lloyd added. “Defenders need the same capability – the ability to find, understand, and prioritize all these weaknesses in full context of the mission of the organization. This takes vision, dedication, and large amounts of computing power to crunch all the attack scenarios – think of it as ‘Internet Wargaming’.”
More information on the DHS’ CDM Program is available online.