From Off-the-Rack to Custom Tailored?

As the Continuous Diagnostics & Mitigation Program (CDM) begins its next phase of task orders, it is useful to look back at the earlier stages of the program to help us understand the importance of changes now being implemented in the program’s contractual and programmatic structures.

CDM began as a group of GSA Schedule 70 Blanket Purchase Agreements (BPAs), awarded in August 2013 to 17 companies. The first four task order awards were for tools, with choice of vendor based on lowest price for each respective tool. These were followed by Continuous Monitoring as a Service (CMaaS) task order awards, organized into six different government agency groups.

To compete for CMaaS task orders, contractors architected solutions that included the tools they selected from the CDM Approved Product List. Upon the award of each CMaaS task order, the winning contractor set about implementing their solution for all agencies in the CDM “Group,” regardless of the tools already in place at a particular agency. For some agencies, this was not a problem because they already had the same tools, and CDM simply provided them with additional product and integration funded by DHS. For others, however, this created a conflict between existing agency IT contracts and architecture and the new CDM solution. In some cases, this conflict led to a slowdown of CDM implementation across the agency. With most task orders having only a three-year period of performance (and some even less), the impact of such slowdowns on implementation was substantial.

One major challenge to successful CDM rollout has been simply educating the federal workforce about the value of CDM to their organization. As one front-line IT manager put it, “If people understand that CDM will ultimately improve our quality of service, we’ll get that ownership buy-in we need to make it work.” At Tenable, we have captured these types of insights from CDM CISOs, PMs and other government and private-sector experts in an ebook, CDM From the Frontlines. Please visit to read these perspectives on the program, lessons learned and tips for successful task order performance.

Looking ahead to phase three of the CDM program, the government is shifting its approach. The next round of CDM task orders, labeled “Dynamic and Evolving Federal Enterprise Network Defense” (DEFEND), will be structured so as to allow for more flexibility in individual agency solutions. Recognizing that establishing a common cybersecurity platform across the federal government is a basic goal of CDM, the new structure still allows for individual agency-specific tailoring that should enhance CDM acceptance and speed implementation across individual agencies.

DEFEND task orders will be awarded under the GSA Alliant contract. Alliant has 57 prime contractors, including 14 of the 17 original CDM BPA holders (and 5 of the 6 CDM BPA task order awardees). The DEFEND task orders will be awarded, with all options exercised, for a six-year period of performance – twice that of most BPA task orders. The task orders will be cost-plus-award fee, providing substantial incentive for strong technical performance, with the product purchases being made on a cost-reimbursable basis. Perhaps most importantly, the DEFEND task order awards will initially be for services only, with a post-award opportunity for government-contractor collaboration that will enable each agency to have substantial and meaningful input into their CDM solution architecture, including product/tool selection.

To enable this post-award collaboration, the government is decoupling the tools from the task orders. GSA is standing up a new CDM-specific Special Item Number, or SIN, on GSA Schedule 70, where approved products are available for purchase after task order award. Those products currently on the CDM Approved Products List will be grandfathered into the new SIN, and a continuous review process will be put in place, enabling timely technology refreshment going forward.

Under this decoupled approach, the final decisions as to which to include in a given agency CDM solution will most likely be made as part of the post-award Request for Service, or RFS, process that will take place between the agency and the task order prime contractor. The agency groups will stay the same under DEFEND as under the BPA – the key difference is the RFS process, which will enable a more tailored approach for each agency within the group. The task order awards under DEFEND will be, for practical purposes, single-award IDIQ contracts, with each agency-specific RFS acting as a task order within the CDM DEFEND task order. Through the RFS process, an agency will be able to bring its internal cyber teams to the table with the CDM contractor and work out a solution that resolves conflicts between the CDM solution and pre-existing solutions already in place within the agency and its component organizations.