CDM Tools RFI from GSA

The GSA releases an Request for information for Continuous Diagnostics and Mitigation (CDM) Tools. Your response must be provided by April 5, 2017 at 5:00 pm EST and submitted through the CDM SIN RFI Response Form.  We recommend saving your CDM SIN RFI Response Form for your record.  Narrative responses have a 250 word limit.

U.S. General Services Administration
Federal Acquisition Service
Office of Schedule Programs

GSA Proposed Special Item Number
(SIN) on IT Schedule 70:
Continuous Diagnostics and Mitigation (CDM) Tools
Request for Information

March 22, 2017

A.        Introduction

Strengthening the security posture of Federal networks, systems and data is one of the most important challenges we face as a nation. As such, the General Services Administration (GSA) and the Department of Homeland Security (DHS) have partnered to provide customer agencies with a Continuous Diagnostics and Mitigation (CDM) Program established to safeguard, secure and strengthen cyberspace and the security posture of Federal networks in an environment where the cyberattack threat is continuously growing and evolving.

The CDM Program is a federally-funded program designed to provide a new approach to protecting the cyber infrastructure of the civilian .gov network environment. The CDM Program moves away from historical compliance reporting toward combating threats to our nation’s networks on a real-time basis, where tools are gathering system attributes to determine the current state of the network (see below and Figure 1).

  • Phase 1: “What is on the network?”
  • Phase 2: “Who is on the network?”
  • BOUND: “How is the network protected?”
  • Phase 3: “What is happening on the network?”

For CDM tools to automatically determine and report anomalies to the CDM Dashboard, Federal Agencies will need to establish policies in digital formats that define the desired state for the attributes measured by CDM tools. The CDM Dashboard will then score the security weaknesses and vulnerabilities (i.e., defect state) to provide a prioritized order for mitigation and/or remediation.

continuous diagnostics and mitigation tools cdmThe CDM Program offers all state, local, regional, tribal and federal agencies, the ability to enhance and further automate existing continuous network monitoring capabilities, correlate and analyze critical security-related information, and enhance risk-based decision making at the agency and Federal enterprise level, consistent with Office of Management and Budget Memo 14-03 “Enhancing the Security of Federal Information and Information Systems,” November 18, 2013.

On June 12, 2015, the Federal Chief Information Officer (FCIO) initiated a 30-day Cybersecurity Sprint, which resulted in the creation of OMB Memorandum M-16-04, Cybersecurity Strategy Implementation Plan (CSIP). The CSIP is a result of a comprehensive review of the Federal Government’s cybersecurity policies, procedures and practices by the Cybersecurity Sprint Team to strengthen Federal civilian cybersecurity.

As part of the CSIP, DHS was asked to accelerate the deployment of CDM capabilities to all participating Federal agencies to enhance detection of cyber vulnerabilities and protection from cyber threats. The current CDM Program Blanket Purchase Agreements (BPAs), established to provide a consistent, government-wide set of information security continuous monitoring (ISCM) tools, expire in August of 2018.

Therefore, GSA and DHS are continuing to partner to establish a government-wide contracting solution to provide this capability.

GSA is considering a new Special Item Number (SIN) under IT Schedule 70 specifically for Continuous Diagnostics and Mitigation (CDM) Tools.

The purpose of the RFI is to achieve the following two goals:

  • Gain feedback from industry and any other relevant stakeholders on the proposed CDM SIN; and
  • Better understand how industry partners are selling CDM Tools today on IT Schedule 70.

GSA CDM SIN Goals:

  • Establish a government-wide contracting solution to continue to provide a consistent set of continuous diagnostics and mitigation tools;
  • Enhance the ability of offerors to bring new and innovative solutions to the CDM Program;
  • Improve Government access to the best available technology and improve the flexibility of the CDM Program;
  • Streamline CDM Requirements from 15 Tool Functional Areas (TFAs) to 5 subcategories; and
  • Establish and maintain a list of approved CDM products and to provide a mechanism to qualify new products against the CDM requirements and add products to an Approved Product List (APL).

The draft CDM SIN scope description and evaluation criteria are identified below.  As detailed in the questions for industry, GSA is seeking industry feedback on this scope and other aspects of the CDM SIN.

CDM SIN DESCRIPTION

The Continuous Diagnostics and Mitigation (CDM) tools SIN supports the Department of Homeland Security (DHS) CDM Program. The hardware and software products under this SIN undergo a DHS product qualification process in order to be added to the CDM Approved Products List (APL). The full complement of CDM subcategories includes tools and the associated maintenance and training bundles offered.  The SIN is grouped by subcategories that provide agencies with CDM capabilities in the 5 subcategories listed below.

Sub-Categories: Vendors’ tools will be placed within the following subcategories.

  1. Manage “What is on the network”: Identify the existence of hardware, software, configuration characteristics and known security vulnerabilities and include: TFA 1 Hardware Asset Management (HWAM); TFA 2 Software Asset Management (SWAM); TFA 3 Configuration Management (CM); TFA 4 Vulnerability Management (VUL).
  1. Manage “Who is on the network”: Identifies and determines the users or systems with access authorization, authenticated permissions and granted resource rights and includes: TFA 6 Manage Trust-in-People Granted Access (TRUST); TFA 7 Manage Security Related Behavior (BEHAVE); TFA 8 Manage Credential and Authentication (CRED); TFA 9 Manage Account/Access (PRIV).
  1. Manage “How is the network protected”: Determines the user/system actions and behavior at the network boundaries and within the computing infrastructure and includes: TFA 5 Manage Network Access Controls.
  1. Manage ‘What is happening on the network”: Prepares for events/incidents, gathers data from appropriate sources, and identifies incidents through analysis of data and includes: The originally identified TFAs of TFA 10 Prepare for Contingencies and Incidents (CP); TFA 11 Respond to Contingencies and Incidents (INC); TFA 14 Manage Audit Information (AUD); TFA 15 Manage Operation Security (OPS); TFA 12 Design and Build in Requirements, Policy, and Planning (POL); TFA 13 Design and Build in Quality (QAL).  
  1. Emerging Tools and Technology: Includes CDM cybersecurity tools and technology not in any other subcategory.

CDM SIN Evaluation and Qualification Process

It is critical to ensure CDM tools meet technical requirements prior to being added to the SIN. To accomplish this, a new technical evaluation factor for GSA IT Schedule 70 will be created specific to the CDM SIN, entitled “Product Qualification Requirements.”

All CDM tools must meet the Product Qualification Requirements criteria before they will be added to the CDM SIN. Requests to be added to the APL are intended to be considered on a monthly basis.

Proposed Submission Requirements for approval of products on the APL

  • The offeror/vendor submits evaluation package via email to DHS for review. Evaluation package should include the following:
    • Completed Product Evaluation Form
    • Supporting Documentation
  • DHS conducts conformance review on evaluation package
    • All required elements are completed
    • All supporting documents have been provided
      • VPATs (to include 508 Testing results in available)
      • EULAs (GSA approved Federal EULA)
      • Supply Chain Risk Management (SCRM) Plan

The SCRM Plan shall include the following (ref NIST SP 800-53):

  • FOCI potential issues – mostly viewed as Trustworthiness (SA-13)
  • Understanding of the manufacturer’s SDLC (SA-3) and Security Engineering Principles (SA-8)
  • Meeting of Acquisition requirements (SA-4)
  • Materials on security testing and evaluation (SA-11)
  • Supply Chain Protections (SA-12)
    • CDM Common Requirements are met
      • Pass/Fail
      • Scaling (up to 1 million objects)
      • Operate in secure manner protecting data in transit and at rest
      • Demonstrate CDM level of interoperability for information delivery
      • Operate within the timelines (72 hour data currency) and completeness (covering at least 90% of target objects)
      • Support Reporting Groups
      • Support Policy Decision mechanisms.
    • If submission fails conformance, DHS notifies offeror/vendor and provides areas of non-conformance for resubmission.
    • DHS conducts technical evaluation of package against checklist consisting of the following:
      • Tool Capability Validation
        • Validate offeror meets tool capabilities requirements
        • For Emerging Technologies – validation of written narrative/justification to include suggested description for capability if not in CDM Requirements Document.
      • If deemed acceptable, DHS notifies the offeror/vendor via email their product has been approved and will be added to the CDM APL. Notification includes courtesy copy to GSA FAST LANE with GSA instructions to request a modification to their schedule.
      • If deemed not acceptable, DHS notifies the offeror/vendor and identifies areas of non-acceptance.
      • GSA reviews modification requests to add the SIN for contract compliance to include End User License Agreements (EULAs). A streamlined process is anticipated for items already on contract with approved EULAs when adding the new SIN.

B.  Questions for Industry – Feedback on Proposed CDM SIN

GSA would like to obtain feedback from industry on the proposed SIN for the CDM Tools. The following questions shall be answered in the Response Form link. All responses are limited to 250 words response for narrative questions.

Business Information

  1. Provide company profile to include address, business size, whether a large or small business, small business type and/or SBA certification, and number of years in business. Include a point of contact with email address and phone number.
  2. Please list GSA IT Schedule 70 contract number, SINs held, and CDM/CMAAS BPA number if applicable.
  3. Are you currently a team member or BPA holder on the CDM/CMaaS BPAs (yes or no)? If so, what is your role (primary BPA holder, Contractor Teaming Agreement (CTA) member, Team Lead or subcontractor)?
  4. What is the primary Product Service Code and NAICS code your company utilizes to sell CDM tools?

2. Small Business/Subcontracting

  1. What are the barriers of entry to this industry? (Start up costs, Highly Competitive Market, Limited Resources, Regulation)
  2. How fast can your company respond to an emergency requirement (24 hours, 48 hours, 72 hours, other)
  3. Do your offerings often provide a total solution or do you have to partner to provide a total solution?
  4. If you are a large business, have you partnered with a small business to provide a total solution?(Yes or No) If yes, how often? (25% or less, 50%, 75% or 100%)
  5. If you are a small business, have you partnered with a large business to provide a total solution? (Yes or No) If yes, how often? (25% or less, 50%, 75% or 100%)
  6. Would your company submit a proposal against a requirement, as described in this RFI, if released? Yes or No

3.  Potential Offerings and Capabilities

  1. Please indicate what CDM Tool subcategories your company currently offers and under what IT Schedule 70 SINs.
  2. What future offerings could be considered that have not been captured in subcategories 1-4, that could fit under subcategory 5?
  3. Currently, the Government’s intent is for the proposed CDM SIN to only include tools. Is there a need for the SIN to be expanded to include related CDM service offerings and if so what are the advantages/disadvantages of adding services as part of the scope?
  4. Have the offeror/vendor’s tools been validated by any recognized evaluation bodies, such as the National Information Assurance Partnership (NIAP), NIST Security Content Automation Protocol (SCAP) Validation Program, etc.? If yes, please provide information.

4. Vendor Pricing Methodology

  1. The pricing structure of the SIN is anticipated to be Firm-Fixed-Price. How does your company currently price the offerings that would fit within the scope of the proposed CDM SIN?   Please Note: It is not our intention for your company to change its current pricing methodology to conform to a standard. We only seek to better understand your pricing methodology.
  2. Currently, volume discounts and tiered discount strategy are offered on the current vehicle (CDM Tools/CMaaS BPA). Please provide insight into discount methodology that could be provided at the SIN level for CDM tool offerings.

5.   Proposed SIN Description

  1. Please provide overall feedback on SIN description and any related subcategories.
  2. Please identify any specific concerns about the SIN description as well as any recommendations.
  3. Please provide any feedback on subcategory 5 (Emerging Tools and Technologies) description.

6.   Proposed CDM SIN Evaluation and Qualification Process

  1. Identify any advantages/disadvantages and/or provide any recommendations of having a qualification requirement factor of the APL for the SIN.
  2. Identify any recommendations that haven’t been considered as part of the CDM SIN evaluation and qualification process.
  3. Identify any advantages/disadvantages and/or provide any recommendations in regards to the CDM APL open season reoccurring on a monthly basis.
  4. How would the APL process described in the RFI impact your business?
  1. Terms and Conditions: As with other IT Schedule 70 SINs, a CDM SIN would have special Terms and Conditions. Please provide feedback on the following.
  1. It’s anticipated that program reporting requirements will be required under this SIN. This may include monthly or quarterly reports on orders received to include ordering agency, quantity, product description, manufacturer part number, SIN and Subcategory/TFA, and price.  This is similar to the current BPA reporting.   Please provide feedback on proposed reporting.
  2. Identify if there are any other standards or regulatory requirements that should be referenced.

8.  Additional Comments:

  1. Provide any additional comments and information relevant to this RFI.

C.   Responses Requested

Your response must be provided by April 5, 2017 at 5:00 pm EST and submitted through the CDM SIN RFI Response Form.  We recommend saving your CDM SIN RFI Response Form for your record.  Narrative responses have a 250 word limit.

D.    Use of Results and Confidentiality

The results of the RFI will be used to inform a GSA decision on the potential SIN for IT Schedule 70. The release of this RFI does not guarantee that the government will, in the end, complete an acquisition or create a new SIN. This RFI is for information and planning purposes only and does not constitute a solicitation for bids, proposals or quote and is not to be construed as a commitment by the government to issue a request for proposal/quote or award of a contract as a result of this request. This announcement is not a Request for Proposal (RFP) or a Request for Quote (RFQ). The government will not reimburse respondents for any cost associated with information submitted in response to this request.

Any document submitted in response to this RFI that contains confidential information must be marked on the outside as containing confidential information. Each page upon which confidential information appears must be marked as containing confidential information. The confidential information must be clearly identifiable to the reader wherever it appears. All other information will not be treated as confidential.

All information marked confidential in RFI responses is only for the government’s planning use. Confidential information may be reviewed by contractors providing advisory services within scope of contract, subject to a non-disclosure agreement (NDA) including but not limited to commercial or financial data obtained from or contained in contractor/vendor submitted documents and proposals. Otherwise, no information marked confidential included in this document or in discussions connected to it may be disclosed to any other party outside of the government.