DHS Is Building A Contract To Manage All Its Cybersecurity Operations Centers

The Homeland Security Department is building a contract vehicle of vendors able to manage its 17 unclassified security operations centers—the cybersecurity hubs for the government’s central cybersecurity agency.

The agency issued a request for information Wednesday outlining its tentative acquisition strategy and asking for feedback from industry on capabilities and approach to spinning up additional resources in times of crisis, such as during a large-scale cyberattack.

“The Department of Homeland Security has a complex and demanding mission,” the notice on FedBizOpps reads. “To assist in meeting that mission, DHS needs robust and effective information systems. It also needs to protect those systems from cyber threats posed by nation-states and criminal enterprises.”

The department currently operates 17 security centers, including the Enterprise Security Operations Center, or ESOC, that oversees and collects threat intelligence from the other component SOCs. Managing cybersecurity operations at that scope and level requires staffing 24/7/365, a requirement the department can’t meet at its current staffing levels.

All 17 SOCs are currently managed by contractors, with Homeland Security component offices generally acquiring their own services. The vehicle being contemplated in the RFI would centralize the pool of vendors and create a single set of core functions available to all SOCs.

Those core services will include “network monitoring and security event analysis, email security monitoring and analysis, computer security incident response and management, vulnerability assessment, security engineering, cyber intelligence support, intrusion analysis and continuity of operations for SOC services,” according to the RFI.

While the work will be done at Homeland Security facilities, vendors will also have to be able to quickly relocate the entire SOC operations to alternate sites in the case of emergencies or for training scenarios.

The core services will fall under six core functions, as described in the RFI:

• Management and Control is responsible for providing the program management oversight across the contract and all contract orders, up to and including contractual deliverables and financial controls. 
• SOC Operations Services is responsible for providing support to conduct the daily business of the SOC, which includes threat monitoring and analysis, incident response, vulnerability management, along with various other activities.
• SOC Service Delivery Management provides the overall relationship management for operational service delivery activities and manages end‐to‐end service ownership. Service Delivery staff meets with DHS regularly, follows up on escalations, drives proactive problem management, provides service level management, availability management, and reports and focuses on continual improvement of services.
• SOC Architecture, Engineering, Operations and Maintenance is responsible for advising and assisting the government security architect with maintenance and update of the architecture of the SOC infrastructure, to include hardware and software, and for controlling and managing the lifecycle of all SOC changes with minimum disruption to SOC services.
• Cybersecurity Communications and Coordination is responsible for synchronizing all cybersecurity-related events, incidents and coordination efforts across the department.
• Acquisition Support is responsible for managing all of the ongoing department SOC procurements for maintenance on SOC‐licensed software and SOC‐owned hardware, as well as contributing to the preparation of acquisition documents for new SOC infrastructure software and hardware purchases.

The contract will be another early test of Homeland Security’s EAGLE Next Gen procurement strategy. As the EAGLE II contract expires, Homeland Chief Procurement Officer Soraya Correa announced in December that the agency would be taking a different tack with the next enterprise IT contract.

Rather than build another vehicle in-house, Homeland officials are pushing components to order off of existing governmentwide acquisition contracts, or GWACs, including the General Services Administration’s Alliant 2 and Alliant 2 Small Business, 8(a) STARS II and VETS 2, and the National Institutes of Health’s CIO-SP3 and CIO-SP3 Small Business.

No matter the pool of vendors, the plan is to award multiple spots on the contract, with each company capable of performing all of the functions covered under the statement of work.

“Optional tasks will be identified on each award allowing each SOC to contract only for those services needed given that SOC’s unique mission,” the RFI states. “All awards will include options allowing the later addition of those services not included in initial awards up to and including all services described.”

The contract will likely have a one-year base with six one-year option periods, though that might change in the final solicitation.

Responses to the RFI are due by noon Aug. 29.