New CDM services on the horizon
A task order to provide smaller agencies with Continuous Diagnostics and Mitigation as a cloud-based service is coming this summer, while a new phase focused on data is being explored.
Smaller agencies will soon be able to tap into cybersecurity services via the Continuous Diagnostics and Mitigation program offered by Homeland Security.
The General Services Administration, which handles procurement for the CDM program, is planning a task order that will give 41 small federal agencies access to the cybersecurity protections via the cloud as a shared service.
DHS and GSA have also begun considering how to implement a fourth CDM phase aimed at protecting data.
Jim Piche, group manager of GSA's Federal Systems Integration and Management (FedSIM) center, said his agency will award task orders for CDM-as-a-service by August. In late 2015, DHS and GSA issued a request for proposals for CDM as-a-service tools for the federal government's smallest agencies to reduce or eliminate duplication across those smaller entities. Piche spoke at a May 11 CDM event hosted by FCW.
Federal Election Commission Chief Information Security Officer Esteve Mede told FCW at the event that the CDM as-a-service contract would finally give smaller agencies immediate access to the DHS cybersecurity services. He said he has been waiting for over three years for access to CDM services, as priority was given to larger agencies.
Mede said the FEC has been keeping up with its cybersecurity needs, but the as-a-service option will allow more efficient automation of capabilities and ease some budget concerns.
According to Piche, GSA also is close to issuing task orders for new functional areas under CDM phase 2, for user privileges and identity management. Privilege management task orders for will be made "later this year," he said, while credential management awards will be "up for bid any moment now."
As those efforts roll forward, DHS' Jim Quinn said his agency is beginning to explore a fourth phase of CDM, which was spurred by recent breaches of federal networks aimed at stealing data.
While CDM Phase 1 focused on end-point security, Phase 2 on user privileges and behavior, and Phase 3 on address event management, incident response and boundary protection, Quinn, who is the CDM program management office's lead system engineer, said Phase 4 will focus on protecting data that resides on federal networks.
"That's our challenge for 2017," he said.