GSA looks to streamline cyber buying

Agencies will have access to products approved for a key federal cybersecurity program under the governmentwide Schedule 70 contract vehicle thanks to a new acquisition strategy being rolled out by the General Services Administration.

GSA proposed a new special item number (SIN) for Continuous Diagnostics and Mitigation program tools that give agencies access to approved network monitoring products and services. The CDM program is jointly administered with the Department of Homeland Security.

The move comes as the August 2018 expiration of CDM's blanket purchase agreement looms.

Jim Piche, sector director at GSA's Federal Systems Integration and Management center, said the new Schedule 70 SIN will play a big role as DHS and GSA gear up for Phase 3 of the CDM program, and ensure that all the work done to approve and catalog products and services for the current BPA isn't lost when that contract expires.  That product list contains "over 169,000 tools," he said. 

GSA is moving relatively quickly on the successor acquisition vehicle.  The request for information for the phase three contacting has been out since last fall, but the agency plans an industry day in April to explain how it is proceeding and issue a request for quotes that will be due back this summer, said Kevin Cox, the Department of Homeland Security's CDM program manager. Cox said GSA hopes to make the first phase 3 awards beginning in fall of 2017 and continuing into next year.

The current BPA, Piche said at a March 23 cybersecurity conference in Washington by FCW, don't give agencies flexibility in the kinds of contracts they can use to implement CDM. Additionally, the agreements limit agencies' ability to add in new technologies and accommodate changes.

The new approach leverages the power of large-scale task orders to governmentwide contracts instead relying on only BPAs.

The SIN, Piche said, will help inject that flexibility, allowing agencies to see and order CDM-specific products more readily or use system integrators to develop their systems. The SIN will cover five subcategories of CDM tools, down from 15 under the BPA. It will give contractors a way to more quickly get new technology onto their CDM products listed on GSA contracts and have products permanently linked with CDM.

The SIN, Piche said, will allow GSA to "capture" the product catalogue at the agency that have already has been qualified for CDM.  Vendors who already are on Schedule 70 can simply submit a modification, he said.  "You're not going to have to go through a re-proposal process."

The establishment of the special item number is also on something of a fast track. Responses to the SIN RFI are due April 5, with SIN awards by May, Cox said. The transition for CDM products to the SIN will begin in May also, he said.

Note: This article was updated on March 23 to correct Kevin Cox's agency affiliation.