The Federal Government is reportedly upgrading its Continuous Diagnostics and Mitigation (“CDM”) program, administered by the Department of Homeland Security (“DHS”) and the General Services Administration. The redesigned program is called CDM DEFEND (Dynamic and Evolving Federal Enterprise Network Defense). CDM functions as a federal acquisition tool for cybersecurity solutions.

The CDM program “provides federal departments and agencies with capabilities and tools that identify cybersecurity risks on an ongoing basis, prioritize these risks based upon potential impacts, and enable cybersecurity personnel to mitigate the most significant problems first.” CDM includes “a multi-award, Schedule 70 Blanket Purchase Agreement (“BPA”).” The BPAs “provide[] government programs with specialized information technology (“IT”) tools to defend Federal IT networks from cyber-security threats by providing Continuous Monitoring as a Services (“CMaaS”) to strengthen the security posture of their Government networks.”

The current CDM BPAs will expire in August 2018, and CDM DEFEND is an effort to replace them. Kevin Cox, CDM program manager at DHS, has reportedly indicated that “the new CDM model will be less about buying specific services and technologies and more about creating a strong cybersecurity posture that can evolve over time.” According to Jim Piche, homeland security director for the Federal Systems Integration and Management Center (“FEDSIM”), FEDSIM is “‘not looking for a specific technology; we’re not looking for a specific cyber solution. . . . We’re going to take the acquisition cycles out of it so that we can identify, acquire and deploy those cybersecurity tools at the speed they need to be deployed rather than getting into another procurement cycle.’” In the new iteration, “[Chief Information Officer] offices will issue a task order with a system integrator that will help the agency develop cybersecurity goals and discover the right technical solutions to achieve those goals.” The new system thus “‘is not a BPA, it’s not an [indefinite delivery/indefinite quantity]. . . . It is a single-award task order to an integrator that is incrementally funded as a cost-type task order.’”

Piche stressed that the CDM’s focus on industry and cooperation with over 100 companies will not change under the new system. Rather, “[u]sing this more flexible model will allow agencies to ‘redefine what is better cybersecurity in 2019 and 2020.’”