NRC seeks CDM contract extension, cites lack of 'vision' by DHS

The Nuclear Regulatory Commission is justifying an extension for an integration contract related to a key federal cybersecurity program by claiming the Department of Homeland Security failed to articulate "a complete architectural vision" at the outset of the program.

In a sole source justification posted to FedBizOpps June 14, the NRC seeks to add an additional year and $389,273 to a contract with Enterprise Services to continue implementing the Continuous Diagnostics and Mitigation program that scans federal networks for unauthorized users and threats.

The document provides insight into the challenges faced in the early stages of implementation, when some agencies complained they had little or no input over the vendors selected to work on their systems.

According to the document, the NRC contract missed several deadlines "due to limitations of the lab environment provided by the contractor." That led to inadequate testing of CDM system configurations and required additional troubleshooting.

However, NRC is not looking to switch contractors, stating that Enterprise Services has already implemented a unique dataflow that would be incompatible with another vendor.

"Without the support of the contractor as the CDM integrator provider, the NRC would suffer unacceptable delays in meeting the requirements to operate and maintain the CDM solution," the memo states.

Instead, NRC appears to place the blame at the feet of DHS, which manages the program and structured the initial contracting vehicle for implementation.

"As a new development effort, the CDM project lacked a complete architectural vision or concept of operations from U.S. Department of Homeland Security," the justification states. "For that reason, the CDM project is behind the schedule originally reflected in [the contract]."

For their part, DHS officials have acknowledged that the initial structure of the CDM task order awards, while necessary, contributed to some of the program's early stumbles. Program managers subsequently altered their approaches for a second round of contracts -- dubbed CDM DEFEND-- which were designed to offer more flexibility and allow agencies to select more tailored vendor partners.