CDM — a pilot for a central IT modernization fund?
The Department of Homeland Security’s governmentwide Continuous Diagnostics and Mitigation cybersecurity task orders can serve as pilots to show the effects a centralized IT fund could have on bolstering agencies’ modernization efforts, officials working on the program said.
Because task orders under the CDM program are centrally funded by the Office of Management and Budget to provide basic continuous monitoring capabilities for all CFO Act agencies, CDM mirrors the business case behind a centralized, governmentwide IT modernization fund in that the federal government could invest in capabilities that each could benefit dozens of agencies, said Jim Piche of the General Services Administration during a panel hosted Wednesday by the Institute for Critical Infrastructure Technology.
“The CDM program is actually a pilot of that investment fund where we’re getting a centralized appropriation to leapfrog every agency’s technology to the next level of CDM, whether it be hardware, software management, role and authentication, HSPD-12, or any kind of FISMA reporting,” said Piche, senior director for the homeland sector in the GSA’s FEDSIM, the office leading the CDM program procurement. “There’s this core investment that is being centrally funded through OMB.”
A centralized, governmentwide IT modernization fund has been championed by U.S. CIO Tony Scott and proposed in legislation by Rep. Will Hurd, R-Texas, that is known as the Modernizing Government Technology Act. The Treasury Department would house the fund and the GSA would administer it at the discretion of a board. The bill passed the House last year before stalling in the Senate due to a steep cost estimate from congressional budget analysts.
While money from that fund could be given to individual agencies for modernization needs, it could also be used for “the development, operation, and procurement of information technology products, services, and acquisition vehicles for use by agencies to improve Governmentwide efficiency and cybersecurity,” the bill reads.
DHS is currently in the phase of working with agencies to implement the second phase of the program, particularly credentials and authentication management, which it calls CRED. GSA recently awarded a single contract for the CRED portion of phase 2 to integrator CGI, who brought in Centrify and SailPoint to provide base-level continuous monitoring services around credentialing.
“The whole program is centered around leveraging funding that’s already in place for agencies to start to upgrade their controls around cyber-identity,” said Jeremy Grant, a managing director with the Chertoff Group and the National Institute of Standards and Technology’s former identity management buff.
Doing so, the federal government is able to “achieve incredible bang for the buck,” Piche said, “rather than distributing the funding to all the agencies and diluting the capability of what industry is providing to government.”
The beauty of the way CDM has been funded and procured, panelists explained, is that beyond the initial capabilities DHS helps provide through the task orders, agencies have the ownership to expand upon them as they wish. Rather than dictating federal agencies’ full path to cybersecurity competency, CDM is more of a nudge in the right direction.
The companies under the CDM task orders can provide much more than what DHS has asked them to do, said Ross Foard a CDM phase 2 engineer at DHS.
“We asked for a limited set of capabilities that we wanted with these products, and these products do much more than we asked for under the CDM capabilities,” Foard said.
DHS will provide a period of operations and maintenance under the program before leaving the agencies with the licenses to operate the tools on their own. At that point, he said, “You are able to as an agency do other things with these products that you have license to do.”
Paula Wells, vice president with CGI, said the integrator chose to partner with SailPoint and Centrify “for their broad capabilities,” despite the CRED task order’s “very narrow focus.”
During the initial implementation phase, she said, the challenge is “going to be walking that line between these great tools and great capabilities but the constraints of our task order is to deliver these very specific capabilities.”
“Once you own it, you can turn on all these other great functions,” Wells explained.
The future of CDM really lays in the hands of the agencies, Piche said.
Though the first three phases of CDM are centrally appropriated “and DHS is providing the candy store of ‘look at all these great and wonderful things you can do,’ they are only tasked with providing and delivering the base, core capabilities,” he explained.
“So while DHS will continue to be the technical leader and the technical policy guide in where agencies are going with CDM, OMB is committed to putting CDM funding in the agencies’ hands [after that],” Piche said.