Carahsoft’s wide variety of schedules, contracts and purchasing agreements makes procuring the solutions you need fast and easy.
The need to protect government networks is more paramount than ever. Government networks and systems contain sensitive data on everything from healthcare information to national security. With the increased connectivity between agencies, the risk is even higher for attack from injected viruses, disrupted operations and stolen information.
The Department of Homeland Security has initiated a program to safeguard and secure Federal Information Technology (IT) networks from cyber-security threats. Under the Continuous Diagnostics and Mitigation (CDM) program all federal executive branch civilian agencies, state and local agencies will have access to continuous monitoring sensors, diagnosis, mitigation tools, dashboards, and continuous monitoring as a service(CmaaS) to strengthen the security posture of government networks. The program's goal is to protect cyberspace environments from cyber-attack threats that are continuously growing and evolving.
The CDM program is designed to provide capabilities and tools that enable network administrators to be constantly aware of the state of their respective networks, understand relative risks and threats, and identify and mitigate flaws at near-network speed. DHS works with its partners across agencies to deploy and maintain these capabilities and tools as listed in the functional areas and present the information in an automated and continuously-updated dashboard.
Carahsoft is pleased to represent many best-of-breed vendors to enhance the network and system security of federal entities. Our industry leading vendors are committed to helping customers select and implement the best solutions possible to satisfy existing requirements.
Carahsoft Points of Contact:Mike Losi
Carahsoft CDM/CMaaS Team
This contract establishes a Blanket Purchase Agreement (BPA) in accordance with FAR 8.405-3. The contract includes one base year and four option years.
BPA Summary:The Department of Homeland Security (DHS) has established the CDM Program to provide specialized information technology (IT) services and tools to implement DHS' Continuous Diagnostic and Mitigation (CDM) program. The CDM program seeks to defend Federal and other government IT networks from cyber-security threats by providing continuous monitoring sensors (tools), diagnosis, mitigation tools and Continuous Monitoring as a Service (CMaaS) to strengthen the security posture of Government networks. Within the scope of the CDM Tools and CMaaS BPA, the contractor shall provide tools and services required by ordering agencies to implement an effective CDM program.
The scope for Tools includes the 15 tool functional areas, as well as providing ancillary hardware.
Authorized BPA Users: Any department or agency of the Federal Government, or any entity that may use GSA IT Schedule 70, may order from this BPA. In addition, state, local, regional, and tribal governments that may use Schedule 70 through the Cooperative Purchasing Program may also use this BPA.
Prior to issuing an order solicitation, and making an order award, the Ordering CO must contact the BPA CO (see Section 6.1.1 above), to request ordering authority. This will ensure the order value is within the total BPA value, volume discounts are being properly applied, and to answer any questions of scope or modification. Only those that have received ordering authority may place Orders under the Blanket Purchase Agreement (BPA).
In the event of a conflict between an order, the BPA, or the contractor's GSA Schedule contract, the GSA Schedule contract takes precedence.
Ordering Guide: In order to facilitate procurement against this contract, GSA has made available an ordering guide, which includes eligibility requirements and BPA holder POC's.
Carahsoft Points of Contact:
DHS CDM/CMaaS Program Manager
Carahsoft CDM/CMaaS Team
TOOL FUNCTIONAL AREA 1 - HARDWARE ASSET MANAGEMENT
The Hardware Asset Management (HWAM) Function is to discover unauthorized or unmanaged hardware on a network. Once unauthorized or unmanaged hardware is discovered by the contractor's provided tool(s), the agency will take action to remove this hardware. Since unauthorized hardware is unmanaged, it is likely vulnerable and will be exploited as a pivot to other assets if not removed or managed.
TOOL FUNCTIONAL AREA 2 - SOFTWARE ASSET MANGEMENT
The Software Asset Management (SWAM) Function is to discover unauthorized or unmanaged software configuration items (SWCI) in IT assets on a network. Once unauthorized or unmanaged SWCI are discovered by the contractor's provided tool(s), the agency will take action to remove these SWCI. Because unauthorized software is unmanaged, it is probably vulnerable to being exploited as a pivot to other IT assets if not removed or managed. In addition, a complete, accurate, and timely software inventory is essential to support awareness and effective control of software vulnerabilities and security configuration settings; malware often exploits vulnerabilities to gain unauthorized access to and tamper with software and configuration settings to propagate itself throughout the enterprise.
TOOL FUNCTIONAL AREA 3 - CONFIGURATION MANAGEMENT
The Configuration Management (CM) Function is to reduce misconfiguration of IT assets, including misconfigurations of hardware devices (to include physical, virtual, and operating system) and software. Once a misconfiguration of hardware devices is discovered by the contractor provided tools, the supported department / agency will be responsible to take any needed action to resolve the problem or accept the risk. Over 80% of known vulnerabilities are attributed to misconfiguration and missing patches. Cyber adversaries often use automated computer attack programs to search for and exploit IT assets with misconfigurations, especially for assets supporting Federal agencies, and then pivot to attack other assets.
TOOL FUNCTIONAL AREA 4 - VULNERABILITY MANAGEMENT
The Vulnerability Management (VUL) Function is to discover and support remediation of vulnerabilities in IT assets on a network. Vulnerability management is the management of risks presented by known software weaknesses that are subject to exploitation. The vulnerability management function ensures that mistakes and deficiencies are identified. Once the contractor provided tool(s) identify these mistakes and deficiencies, the agency will take action to remove or remediate these from operational systems so that they can no longer be exploited. (An information security vulnerability is a deficiency in software that can be directly used by a hacker to gain access to a system or network.).
TOOL FUNCTIONAL AREA 5 - MANAGE NETWORK ACCESS CONTROLS
The Manage Network Access Controls (NAC) Function is to prevent, and allow the agency to remove and limit, unauthorized network connections/access to prevent attackers from exploiting internal and external network boundaries and then pivoting to gain deeper network access and/or capture network resident data in motion or at rest. Boundaries include firewalls as well as encryption (virtual private networks). Additionally, the function will prevent, remove, and limit unauthorized physical access.
TOOL FUNCTIONAL AREA 6 - MANAGE TRUST IN PEOPLE GRANTED ACCESS
The Manage Trust in People Granted Access (TRU) Function is to prevent insider attacks by carefully screening new and existing persons granted access for evidence that access might be abused. The Manage Trust in People Granted Access capability informs the Manage Account Access (Section 184.108.40.206) capability by providing background information and potential risk, or compromise, factors. These factors are used to determine if someone should be granted access, under the Manage Account Access capability, to certain resources (e.g., sensitive data).
TOOL FUNCTIONAL AREAS 7 - MANAGE SECURITY RELATED BEHAVIOR
The Manage Security Related Behavior (BEH) Function is to prevent general users from taking unnecessary risks to prevent attackers from exploiting network and application users via social engineering scams. BEH prevents users with elevated privileges and special security roles from taking unnecessary risks to prevent attackers from exploring poor engineering and/or remediation. The Manage Security Related Behavior capability addresses the behavior of someone who has been granted access to information technology devices and systems. Information from this capability feeds into the Manage Trust in People Granted Access capability (Section 220.127.116.11) where determinations will be made about someone's suitability for continued access based, in part, on their behavior.
The Manage Credentials and Authentication (MCA) Function is to prevent a) the binding of credentials to or b) the use of credentials by other than the rightful owner (person or service) by careful management of credentials, preventing attackers from using hijacked credentials to gain unauthorized control of resources, especially administrative rights. The MCA capability ensures that account credentials are assigned to, and used by, authorized people. This capability will rely on the results of the Manage Account Access capability (Section 18.104.22.168) to ensure that only trusted people receive credentials. This covers credentials for physical and logistical access.
TOOLS FUNCTIONAL AREA 9 - MANAGE ACCOUNT ACCESS
The Manage Account Access (MAA) Function is to prevent access beyond what is needed to meet business mission by limiting account access and eliminating unneeded accounts to prevent attackers from gaining unauthorized access to sensitive data. The Manage Account Access capability will assign access to computing resources based, in part, on their level of trustworthiness (as determined in Functional Area 6, Section 22.214.171.124).
TOOLS FUNCTIONAL AREA 10 - PREPARE FOR CONTINGENCIES AND INCIDENTS
The Prepare for Contingencies and Incidents (CP) Function is to prevent loss of confidentiality, integrity, and/or availability by being prepared for unanticipated events and/or attacks that might require recovery and/or special responses, preventing attacker's compromises from being effective by adequate recovery as needed, and natural events from causing permanent loss by adequate preparation as needed.
TOOLS FUNCTIONAL AREA 11 - RESPOND TO CONTINGENCIES AND INCIDENTS
The Respond to Contingencies and Incidents (INC) Function is to prevent repeat of previous attacks and limit the impact of ongoing attacks by using forensic analysis, audit information, etc. to a) appropriately respond to end ongoing attacks and to b) identify ways to prevent recurrence to prevent attackers from maintaining ongoing attacks and exploiting weaknesses already targeted by others.
TOOLS FUNCTIONAL AREA 12 - DESIGN AND BUILD IN REQUIREMENTS POLICY AND PLANNING
The Design and Build in Requirements Policy and Planning (POL) Function is to prevent exploitation of the system by consciously designing the system to minimize weaknesses and building the system to meet that standard in order to reduce the attack surface and increase the effort required to reach the parts of the system that remain vulnerable. The Design and Built in - Requirements, Policy, and Planning capability includes software assurance best practices to ensure that security is built into the System Development Lifecycle. This capability addresses how to avoid or remove weaknesses and vulnerabilities before the system is released into production caused by poor design and insecure coding practices.
TOOLS FUNCTIONAL AREA 13 - DESIGN AND BUILD IN QUALITY
The Design and Build in Quality (QAL) Function is to prevent attackers from exploiting weaknesses by finding and prioritizing weaknesses and fixing the most important weaknesses first. This capability addresses software before it is installed and operational.
TOOLS FUNCTIONAL AREA 14 - MANAGE AUDIT INFORMATION
The Manage Audit Information (AUD) Function is to prevent persistent attacks and weaknesses by using audit information to identify them and initiate an appropriate response. The function addresses agency efforts to monitor the behavior of employees (for example, downloading pornography, unusual times/volumes of access, etc.). The results of these audits feed into the Manage Trust in People Granted Access (Section 126.96.36.199) capability where determinations will be made about someone's suitability for continued access based, in part, on their behavior.
TOOLS FUNCTIONAL AREA 15 - MANAGE OPERATION SECURITY
The Manage Operation Security (OPS) Function is to prevent attackers from exploiting weaknesses by using functional and operational control limits to help senior managers determine when to authorize operation of systems, and when to devote extra attention to reducing risks to prevent attackers from exploiting preventable weaknesses and analyze prior failures to identify and resolve system weaknesses. This activity receives information from the Manage Audit/Information (Section 188.8.131.52) capability to help support leadership decisions to enable improvement of security. It covers information about all operational capabilities and, therefore, does not apply to the creation of a system.
PROVIDE ANCILLARY HARDWARE
When required by orders under this BPA, the contractor shall provide ancillary IT hardware as needed to support the operation of the contractor's CDM Tool(s). All ancillary IT hardware must be on the contractor's GSA Schedule 70 contract or, in the event of a Contractor Teaming Arrangement (CTA), the contract of a teaming partner. The Government may allow the offeror to add a Contractor Teaming member after award if the Contracting Officer determines that it is in the best interest of the Government.