
Tenable Blog


From Off-the-Rack to Custom Tailored?

As the Continuous Diagnostics & Mitigation Program (CDM) begins its next phase of task orders, it is useful to look back at the earlier stages of the program to help us understand the importance of changes now being implemented in the program’s contractual and programmatic structures.

CDM began as a group of GSA Schedule 70 Blanket Purchase Agreements (BPAs), awarded in August 2013 to 17 companies. The first four task order awards were for tools, with choice of vendor based on lowest price for each respective tool. These were followed by Continuous Monitoring as a Service (CMaaS) task order awards, organized into six different government agency groups.

To compete for CMaaS task orders, contractors architected solutions that included the tools they selected from the CDM Approved Product List. Upon the award of each CMaaS task order, the winning contractor set about implementing their solution for all agencies in the CDM “Group,” regardless of the tools already in place at a particular agency. For some agencies, this was not a problem because they already had the same tools, and CDM simply provided them with additional product and integration funded by DHS. For others, however, this created a conflict between existing agency IT contracts and architecture and the new CDM solution. In some cases, this conflict led to a slowdown of CDM implementation across the agency. With most task orders having only a three-year period of performance (and some even less), the impact of such slowdowns on implementation was substantial.

One major challenge to successful CDM rollout has been simply educating the federal workforce about the value of CDM to their organization. As one front-line IT manager put it, “If people understand that CDM will ultimately improve our quality of service, we’ll get that ownership buy-in we need to make it work.” At Tenable, we have captured these types of insights from CDM CISOs, PMs and other government and private-sector experts in an ebook, CDM From the Frontlines, which collects their perspectives on the program, lessons learned and tips for successful task order performance.

Looking ahead to phase three of the CDM program, the government is shifting its approach. The next round of CDM task orders, labeled “Dynamic and Evolving Federal Enterprise Network Defense” (DEFEND), will be structured to allow more flexibility in individual agency solutions. Establishing a common cybersecurity platform across the federal government remains a basic goal of CDM, but the new structure also allows agency-specific tailoring, which should improve CDM acceptance and speed implementation within individual agencies.

DEFEND task orders will be awarded under the GSA Alliant contract. Alliant has 57 prime contractors, including 14 of the 17 original CDM BPA holders (and 5 of the 6 CDM BPA task order awardees). The DEFEND task orders will be awarded, with all options exercised, for a six-year period of performance – twice that of most BPA task orders. The task orders will be cost-plus-award fee, providing substantial incentive for strong technical performance, with the product purchases being made on a cost-reimbursable basis. Perhaps most importantly, the DEFEND task order awards will initially be for services only, with a post-award opportunity for government-contractor collaboration that will enable each agency to have substantial and meaningful input into their CDM solution architecture, including product/tool selection.

To enable this post-award collaboration, the government is decoupling the tools from the task orders. GSA is standing up a new CDM-specific Special Item Number, or SIN, on GSA Schedule 70, where approved products are available for purchase after task order award. Those products currently on the CDM Approved Products List will be grandfathered into the new SIN, and a continuous review process will be put in place, enabling timely technology refreshment going forward.

Under this decoupled approach, the final decisions as to which tools to include in a given agency CDM solution will most likely be made as part of the post-award Request for Service, or RFS, process between the agency and the task order prime contractor. The agency groups will stay the same under DEFEND as under the BPA; the key difference is the RFS process, which will enable a more tailored approach for each agency within the group. The task order awards under DEFEND will be, for practical purposes, single-award IDIQ contracts, with each agency-specific RFS acting as a task order within the CDM DEFEND task order. Through the RFS process, an agency will be able to bring its internal cyber teams to the table with the CDM contractor and work out a solution that resolves conflicts between the CDM solution and the solutions already in place within the agency and its component organizations.
