GSA Issues RFI for Continuous Diagnostics and Mitigation SIN
On the heels of the HACS and Health IT Special Item Number (SIN) additions, yet another SIN has been proposed for the GSA IT Schedule 70 Contract. GSA released a Request for Information (RFI) on March 22nd for a Continuous Diagnostics and Mitigation (CDM) Tools SIN. The full RFI can be found on fbo.gov. Responses are due by Wednesday, April 5th 5pm eastern time.
Like the GSA HACS SIN, the proposed CDM SIN is a result of collaboration between GSA and DHS. It is also set to replace the Continuous Diagnostics and Mitigation (CDM) Program and Tools and Continuous Monitoring as a Service (CMaaS) Blanket Purchase Agreement (BPA) that is set to expire in August 2018. There are currently 15 companies awarded under the BPA, one of which is a small business. According to Govini, agencies have awarded approximately $446.3 million under the CDM CMaaS BPA since 2013.
According to the DHS website, CDM offers government “capabilities and tools that identify cybersecurity risks on an ongoing basis, prioritize these risks based upon potential impacts, and enable cybersecurity personnel to mitigate the most significant problems first.”
While the CDM CMaaS BPA includes 15 Tool Functional Areas and 11 CMaaS Service Task Areas, the proposed CDM SIN would consolidate these functional areas into the 5 subcategories detailed below.
|CDM SIN Subcategory||CDM SIN Subcategory Description||Tool Functional Areas (TFAs) Included|
|What is on the network||Identify the existence of hardware, software, configuration characteristics and known security vulnerabilities||• TFA 1 Hardware Asset Management (HWAM)
• TFA 2 Software Asset Management (SWAM)
• TFA 3 Configuration Management (CM)
• TFA 4 Vulnerability Management (VUL)
|Who is on the network||Identifies and determines the users or systems with access authorization, authenticated permissions and granted resource rights||• TFA 6 Manage Trust-in-People Granted Access (TRUST)
• TFA 7 Manage Security Related Behavior (BEHAVE)
• TFA 8 Manage Credential and Authentication (CRED)
• TFA 9 Manage Account/Access (PRIV)
|How is the network protected||Determines the user/system actions and behavior at the network boundaries and within the computing infrastructure||• TFA 5 Manage Network Access Controls|
|What is happening on the network||Prepares for events/incidents, gathers data from appropriate sources, and identifies incidents through analysis of data||• TFA 10 Prepare for Contingencies and Incidents (CP)
• TFA 11 Respond to Contingencies and Incidents (INC)
• TFA 14 Manage Audit Information (AUD)
• TFA 15 Manage Operation Security (OPS)
• TFA 12 Design and Build in Requirements, Policy, & Planning (POL)
• TFA 13 Design and Build in Quality (QAL)
|Emerging Tools and Technology||Includes CDM cybersecurity tools and technology not in any other subcategory|