From Deltek/GovWin
In a draft solicitation issued mid-October 2012, the Department of Homeland Security (DHS) outlines 15 toolsets and 11 services areas for the new Continuous Diagnostic and Mitigation (CDM) program and for continuous monitoring as a service (CMaaS).
In June 2012, DHS outlined requirements for Continuous Monitoring. The core capabilities for continuous monitoring fell into five areas: hardware asset management, software asset management, vulnerability management, configuration management, and anti-virus. The concept of operations for the continuous monitoring program identified three approaches:
- Internally operated services
- Continuous Monitoring as a service (CMAAS)
- Cloud provider security services.
Each agency would have to decide which approach best suits their cloud-based applications. While contractors would have to comply with security reviews under the Federal Risk and Authorization Management Program (FedRAMP), DHS suggested that vendors that are only cloud security providers could self-certify. According to the concept of operations, a request for proposals would be released at some point between December 2012 and March 2013.
The recently passed Continuing Resolution provided DHS with an additional $183 million to begin transforming agency cyber security, including implementation of CDM tools and CMaaS. The solicitation draft provided additional details around the scope of continuous monitoring tools and services that DHS is seeking. Initially, the programs will target civilian agencies, but DHS sees these offering extending across the entire government.
The draft provides descriptions for 15 tool functional areas and 11 CMaaS task areas, as well as outlining the required security policies and regulations that contractors will need to meet.
VENDOR IMPACT
For contractors, the CDM program is first and foremost a business opportunity. DHS intends to centrally manage and fund this program. Since consistency in Continuous Monitoring is one of the goals of this approach, those awarded contract under the BPA will be well positioned to provide their tools and services to multiple government customers.
This opportunity, however, comes with responsibilities and costs. Contractors will be responsible for provisioning, securing, monitoring and maintaining the hardware, networks, and software supporting the infrastructure for the CDM tools and services. The solicitation reference two special publications (SP) from the National Institute of Standards and Technology (NIST) on risk management frameworks and appropriate system controls that will guide Assessment and Authorization with continuous monitoring (SP 800-37 revision 1 and SP 800-53). Contractors are advised to review the NIST documents to determine the effort for completing the requirements. The solicitation also references the possibility of leveraging Independent third-party assessment organizations to assess contractor implementation of security controls. As with other security review processes (e.g. the Federal Risk and Authorization Management Program), these independent reviews would spare government resources, making them all the more likely. Contractors will also need to comply with the Federal Information Processing Standards (FIPS) and the Federal Information Security Management Act (FISMA) requirements.
These contractor compliance requirements are part of government efforts to lower cost and increase efficiencies. So far, this shift often involves moving risk and cost over to contractors.
Leave a Reply