The Future of the GSA CDM SIN: What it means to you

By Gina Brown, Federal Contracts Manager

In August 2018, the CDM program underwent a procurement transition that vendors should keep in mind. Combined with a proposed elimination of the GSA CDM special item number (SIN), the changes could streamline certain aspects of the way in which products are catalogued.

Initially, blanket purchase agreements (BPAs) were awarded to 17 primes. This then switched to a two-pronged acquisition strategy, in which four GSA Alliant prime contractors were awarded six Dynamic and Evolving Federal Enterprise Network Defense (DEFEND) task orders.

These prime system integrators would purchase cybersecurity tools according to the DHS approved product list (APL), to strengthen the security posture of civilian agency customers.

Read more of this post

CDM: Cloud Hardening and Zero Trust Environments

By Amanda Mull, Contract Specialist

Critical cybersecurity goals for most federal agencies are focused on Zero Trust for a more mobile workforce, cloud-based products, and active threat detection plus dynamic response. Purchase of tools alone, however, cannot provide successful operational cybersecurity. Ongoing budgeting must address a holistic approach, including flexible policies and procedures, to adjust to new threats and changing work landscapes – along with a critical investment in cyber workforce training.

It is becoming more important for federal agencies to partner with companies that can help achieve their foundational cybersecurity goals. Partners and agencies alike must be committed to constant review and adjustment to systems and operations, to ensure that they maintain the highest levels of cybersecurity.

CDM program funds directly support agencies striving to harden their cloud cybersecurity against threats. The program becomes even more important as new threats emerge and agencies are forced to scramble to protect themselves and the public trust. 

Read more of this post

The Cybersecurity Executive Order: What’s coming and where are the opportunities?

By Davis Johnson, VP & General Manager

Private sector companies have a considerable amount of work to do to comply with the recent Presidential Executive Order on Improving the Nation’s Cybersecurity. Existing contracts must be scrutinized to reduce the trend of serious cyberattacks across government and industry alike.

It’s clear that the order puts the onus on the vendor community. It reads, in part, “The private sector must adapt to the continuously changing threat environment, ensure its products are built and operate securely, and partner with the Federal Government to foster a more secure cyberspace.”

The order further recommends standardizing common cybersecurity contractual requirements across agencies, to “streamline and improve compliance for vendors and the Federal Government.”

Beyond the effect on contract implications, vendors can expect more attention from the government in several key technology areas, which will spark greater demand and more funding. Here are just a few:

Cyber Vulnerability and Incident Detection

Agencies are required to establish a Memoranda of Agreement with CISA for Continuous Diagnostics and Mitigation. CISA is required to report quarterly to OMB and the National Security Advisor on implementation of threat-hunting practices. Vendors can expect more contact with agencies as these reports and documents are being prepared.

Read more of this post

CDM Updates to Product Listing Requirements

By Amanda Mull, Contract Specialist

The federal Continuous Diagnostics and Mitigation (CDM) program includes cybersecurity tools and sensors that are reviewed by the program for conformance with Section 508, federal license users and CDM technical requirements. Manufacturers are encouraged to update, refresh and add new and innovative tools to the CDM Approved Products List (APL).

To maintain currency with federal and requirement and the constant evolution of the cyber/IT landscape, the CDM APL product submission requirements have been revised several times in FY2021.

The most recent updates reflect heightened security policies and protocols required for a more mobile workforce. Others support the full realization of the federal CDM Dashboard expected by year-end. The CDM Dashboard is intended to gauge agency cybersecurity posture. It also monitors the achievement of directives meant to raise the overall level of security and privacy in cyber/IT tools and technology across the federal government.

There have been several recent updates to CDM Common Requirements for Approved Product Listings (APL):

Read more of this post

CDM IPv6 compliance plans due July 6: Why the technology matters

By Amanda Mull, contract specialist

As I mentioned in my previous blog, there have been some changes to CDM. The Cybersecurity and Infrastructure Security Administration (CISA) announced recently that the common requirements for the Continuous Diagnostics and Mitigation (CDM) Program had been updated to align with the extended compliance schedule published in the Office of Management and Budget (OMB) Memorandum 21-07 (M-21-07) – PDF.

By FY2023, all federal information systems must be Internet Protocol version 6 (IPv6) enabled. This is an important policy move for acquiring information technology (IT) products and services contained in Federal Acquisition Regulation (FAR) 11.002.

On June 4, CISA directed suppliers with CDM-approved products suspected of not being natively IPv6 compliant to provide proofs of capability or a plan for becoming compliant by July 6, 2021. CISA will conditionally approve products that are not fully IPv6 compliant, providing applicants submit an acceptable plan detailing how their products will become fully operational in an IPv6-only network by the end of FY2023. CISA intends to perform periodic progress checks on accepted plans.   

Read more of this post

Top 3 HHS IT programs planning procurements in FY22

By Jessica Parks, market intelligence analyst

In a previous blog post, I went over the top three IT programs at the Department of Justice planning acquisitions. Now that the new administration has released the official FY22 budget, I would like to explore similar opportunities at another large agency, the Department of Health and Human Services. (As I’ve mentioned previously, this information is all publicly available in the Exhibit 53.)

Read on for a brief description of these programs and how you can position yourself accordingly.

1) CMS Federally Facilitated Exchange

Based within the Centers for Medicare and Medicaid Services, the FFE is the platform that supports the health insurance marketplace. This is the single largest IT investment at HHS and has been a crucial system for the agency for many years. Total IT funding for FY22 is expected to be more than $417M, with $176M being DME funding (i.e., new money to spend on program upgrades and additions).

The main objectives for this investment are to stay innovative and ensure minimal downtime. Automated customer service solutions as well as solutions that ensure secure information sharing could play a role here. Talk to the folks in the Center for Consumer Information and Insurance Oversight for more detail.

Read more of this post

CDM: More relevant than ever

By Amanda Mull, contract specialist

With the recent incidents involving ransomware and other serious data breaches, security remains a top priority in federal IT.

It’s been some time since we published our last blog on CDM, so to keep our channel partners and suppliers up to date on recent changes, in the coming weeks we will be publishing a series of CDM-related blogs.

In this, our first blog, we provide some basic information and discuss a recent leadership change. Future blogs will cover the federal CDM Dashboard, IPv6 compliance, updates to common requirements and the future of the CDM SIN.

Here are some of the basics about the program:

Continuous Diagnostics and Mitigation Program 

The CDM Program was developed in 2012 to support government-wide and agency-specific efforts to provide risk-based, consistent, and cost-effective cybersecurity solutions to protect federal civilian networks across all organizational tiers.

Read more of this post

A Data-Centric Approach to Zero Trust for Public Sector

By Derek Giarratana, Supplier Manager

An organization’s data is its most important and valuable asset. This is especially true as organizations continue to move towards data-driven approaches to deliver on their missions and are more actively putting that data to work — and in remote locations no less. This means the need to protect data and maintain its accuracy and integrity is paramount.

In this series, we will explore each of these facets of data security and how it applies to IT challenges currently faced in the public sector. This first installment examines Zero Trust and how a data-centric approach addresses some of the hurdles with which public sector IT leaders struggle.

What is Zero Trust?

Aptly named, a Zero Trust approach assumes nothing internal or external to an organization’s perimeters can be trusted and should, therefore, require additional verification for access. The level of sophistication needed to meet the expectations and requirements of public sector data security lends itself to a Zero Trust model, which prompts data security experts to assess and manage data at the most granular level. With this approach in mind, data security experts are taking a fine-tooth comb to their data and paying close attention to their data management environment.

Read more of this post

What is CMMC?

By Jeff Ellinport, Division Counsel

Although CMMC has been around for more than a year, it never hurts to review what it is and why those who sell into DOD and the rest of the federal government should care.

CMMC stands for Cybersecurity Maturity Model Certification and is a new certification process to measure a company’s ability to protect sensitive government data. It is a unified standard for implementing cybersecurity across the defense industrial base. CMMC is a way for DOD — and soon after, probably civilian agencies as well — to address intellectual property theft, cybercrime and national security threats of the type evidenced by the recent SolarWinds attack.

Once fully implemented, CMMC will be an acquisition foundation, required for almost every contractor transacting business with the U.S. government.

CMMC Maturity Levels

CMMC has five maturity levels, with basic cybersecurity hygiene at a Level 1 to very robust requirements at a Level 5. These certification levels reflect the maturity and reliability of a company’s cybersecurity infrastructure to safeguard sensitive government information on contractors’ information systems. The five levels build upon each other’s technical requirements such that each level requires compliance with the lower-level requirements and then implementation and documentation of additional processes employing more rigorous cybersecurity practices.

Read more of this post

StateRAMP: An Outgrowth of FedRAMP for SLED

By Troy Fortune, VP & General Manager

Is StateRAMP on your radar screen? If you are a cloud software vendor and trying to sell into the state, local and education market, I encourage you to pay attention.

Modeled after FedRAMP, StateRAMP is gaining traction among many state CIOs. For the last seven years cybersecurity has topped the priority lists for CIOs at the state, local and education (SLED) levels, yet there are no established security standards they have all agreed to.

StateRAMP plans to leverage the existing FedRAMP assessment and approvals processes to help simplify the implementation for government and industry. Logistics for FedRAMP to StateRAMP transitions are still being finalized but vendors should look for the marketplace to launch in Q2 of 2021.

Cyberattacks on the Rise

Cyberattacks in SLED have amped up in recent years and become increasingly sophisticated, targeting sensitive citizen PII data. Many organizations have begun taking steps to protect their databases and systems, but those measures vary widely from state to state and even department to department. The expanded use of cloud-based systems to house and manage critical services like Medicaid and unemployment insurance only increases the risk. Unfortunately, few standards exist for cybersecurity or cloud security, which makes the protection of their sensitive data even more challenging.

Read more of this post
%d bloggers like this: