The Downside of Not Exhausting a $6 Billion Cyber Contract

Agencies are partially taking advantage of a huge bulk-price governmentwide deal to help automate network vulnerability-tracking and fix problems in real-time, according to federal officials.

If departments underutilize the arguably complex acquisition program, the upshot could be saving money on a potentially $6 billion contract.

But if agencies latch onto the five-year endeavor, they could save money elsewhere, by eliminating the hundreds of millions of dollars currently spent on audit paperwork and incident response, advocates say.

The so-called continuous diagnostics and mitigation project -- funded by the Homeland Security Department -- aims to supply all agencies with products to move from traditional three-year vulnerability checks to three-day fixes.

Parts of DHS itself are using established tools and also must wait for current network surveillance contracts to expire. 

The department’s Transportation Security Administration is working with headquarters and other DHS agencies to identify gaps in threat-tracking to strategize purchases, TSA Deputy Chief Information Officer Jill Vaughan said at an (ISC)2 cyber professional conference earlier this month.

"Each component is a little bit different and farther behind in certain areas," she said. TSA officials "need to look at our existing contract vehicles to determine when is the best kind of stepping off point to leverage the vehicle, depending on which area, so we don’t lose money on our existing contract structures."

By negotiating a blanket purchase agreement last August with 17 contractors who will compete for jobs, the Obama administration strove to damp technology and service prices.

Many agencies for years have been using their own methods to reach the holy grail of ongoing “authorization” – White House memo-speak for managing system risks.

A few years ago, the Transportation Security Administration launched, "CARMA," the cybersecurity assessment and risk management approach, "to try to blend some automated tools together, so we could get kind of our own homegrown tool to start down that path" to automated continuous monitoring "before we knew what the CDM contract vehicle was going to look like," Vaughan said.

The Obama administration's continuous monitoring requirements involve deploying sensors and human experts across the dot-gov domain to check for and reduce vulnerabilities at least every 72 hours. Agencies have a 2017 deadline to achieve continuous monitoring. 

Cyber contracting specialists see the new deal as a potential cost-saver– if it does not bog down the purchasing process.

The procurement was stymied at the start by across the board spending cuts known as sequestration and then by last fall’s government shutdown. “So they are put at a little disadvantage -- and it's just a year anyway -- that might result in less spending but not in a good way,” said John Pescatore, director of Emerging Trends for the SANS Institute. “The use of continuous-monitoring-as-a-service can reduce spending in a good way.”

Among the 17 vendors vying to service agencies are Booz Allen Hamilton, CGI Federal, General Dynamics, Lockheed Martin, Northrop Grumman and SAIC. 

Multiple task orders are expected to be released during the next few months. Only one has come out so far. The $59.5 million order, awarded in January, was for endpoint protection, which involves checking device configurations and making sure patches have been applied to buggy devices. 

The bulk purchasing strategy yielded an average 30 percent savings, compared to traditional General Services Administration pricing for the products bought, DHS officials told Nextgov. Homeland Security has requested $143.5 million from Congress to fund the program for fiscal 2015. 

If DHS has to evaluate 17 proposals for each order and protests happen, “you can easily see how the procurement process could end up being so slow that they just can't spend the money,” Pescatore said. But if the vendors team together and submit fewer proposals, “that would be a good sign that they would meet the goals and spend all the money.”

Current federal law requires manual system inspections every three years and dates back to 2002, when high-profile data breaches were not a daily phenomenon. In 2010, the administration pushed for a move to live surveillance, shortly after the State Department tried the approach. 

Pete Gouldmann, director of information risk programs in State's Office of Information Assurance, said his department will crossbreed internal tools with the new outsourced offerings.

When deploying State’s own operations, officials are “making sure that they are named in the DHS program -- or we’re working directly with DHS on bringing in some products that they have made available to us," he said at the recent event. 

At the very least, agencies should be able to use the contract to obtain lower prices on products they already had licensed, Pescatore said. He cited Tenable Network Security’s Nessus vulnerability scanner and ForeScout’s network access control program as examples of widely used tools.

Dan Waddell, (ISC)2 director of U.S. government affairs, said in an interview that deep utilization of the contract might lag because of hidden costs, such as training and concerns about duplicative spending.

By taking on new vendors, some agencies will lose the contractor teams they have grown to trust. "So, it’s going to take me probably a year to get the new guys up to speed, get comfortable with them. It’s hard to put a dollar figure on those amounts," he said.

Fifty agencies, covering 96.7 percent of the civilian workforce, have signed memoranda of agreement with DHS to use the contract in some capacity, Homeland Security officials said. 

They say the project will benefit agencies regardless of the maturity of their current monitoring approach.  "Participating departments and agencies will be able to enhance their cybersecurity assessments by implementing automated network sensor capacity and prioritizing risk alerts," DHS spokesman S.Y. Lee said. 

Waddell called it "encouraging" that the majority of civilian agencies have agreed to participate, but he said the vision of governmentwide threat-tracking has yet to take shape, he said. 

Under the program, DHS will provide each agency with a diagnostic dashboard, informed by the sensors, so problems can be prioritized. All the data collected will feed into a forthcoming federal-wide dashboard, acquired through a separate contract. That display is expected to become operational early in 2015. 

"We’re still waiting to see what the federal dashboard is going to look like. How agencies will be able to look across data sets horizontally will be critical to helping better prepare them for threats and to respond faster to vulnerabilities," Waddell said.

The next phase of the program will address a people problem – preventing employees from accessing government data they don’t need -- and infrastructure integrity. The final phase will concentrate on handling actual breaches, as well as encryption protections and remote access. 

Waddell said, "Tracking how extensively the BPA is being leveraged across the federal government is important, but of much greater value is being able to chart how the BPA ultimately improves cybersecurity operations and decreases overall risk."

(Image via Maksim Kabakou/Shutterstock.com)