In GSA, the Special Item Number (SIN) refers to the unique number assigned to contractors under GSA Schedule based on their product and service requirements. A new SIN has been released under the cybersecurity subcategory of GSA IT Schedule 70. In 2017, the government issued IT Schedule Solicitation Refresh 44, and then issued SIN 132-44, Continuous Diagnostics and Mitigation (CDM) Tools.
Following the BPA’s expiration in August 2018, GSA worked with the Department of Homeland Security (DHS) to establish the CDM SIN as a replacement. The CDM program’s ultimate goal is to promote cost-effective, sufficient, and risk-free cybersecurity services across the federal government. It was initially posted as a Request For Information (RFI) in March 2017 to make specific solicitation changes before its release the following month.
CDM BPA History
The Continuous Diagnostics and Mitigation (CDM) program aims to provide cybersecurity services that the federal government deserves. Establishing this program allows agencies to gain access to cybersecurity tools and services to strengthen their networks. With the plethora of services on offer, federal agencies can monitor and detect cybersecurity risks consistently. This program allows them to find solutions for the potential hazards instead of waiting for the significant impact to affect their systems. Overall, knowing the potential problems can help their workforce focus on specific areas of weakness.
The CDM program started as a partnership between the Department of Homeland Security (DHS) and the General Services Administration (GSA) in August 2013. Before implementing CDM, the two agencies coordinated to establish the government-wide Blanket Purchase Agreements (BPAs) under Multiple Award GSA IT Schedule 70. These agreements refer to the information security continuous monitoring (ISCM) tools and services given to federal agencies at a reduced cost. Also known as Continuous Monitoring as a Service (CMaaS) BPAs, their ultimate goal is to enhance the government’s ability to identify and eliminate any form of cyber threat.
Cumulative quantity discounts, offered across 34 tiers of price bands, are available to federal buyers looking to purchase. The BPAs eventually came to an end in August 2018, which resulted in the emergence of the CDM program.
The program features a modified acquisition strategy for cybersecurity-related tools and services and offers the following objectives:
- Mitigate the impact of the cybersecurity threat within the federal agency.
- Streamline the submission of the Federal Information Security Modernization Act (FISMA) report.
- Improve the implementation of a sound disaster response plan in case cybersecurity issues arise.
- Expand federal agencies’ knowledge of cybersecurity.
Under the program, GSA CDM offers tools that have been approved by the Department of Homeland Security (DHS). This delineation means that GSA Schedule holders can only provide hardware and software products recognized by the agency. On top of that, acquiring such tools should involve maintenance and other relevant activities like training. Here are the capabilities that businesses should implement under the CDM program:
- Asset Management
- Identity and Access Management
- Network Security Management
- Data Protection Management
- Future Capabilities
What Does CDM Tools SIN 132-44 Cover?
Continuous Diagnostics and Mitigation (CDM) under SIN 132-44 should cover software and hardware products that aim to strengthen and secure the federal government’s cybersecurity. As mentioned above, GSA contract holders need to have their products approved by the DHS before making a sale. Otherwise, the hardware and software products should make the Approved Products List (APL) from the IT Solicitation Refresh 44. Nevertheless, the full complement of CDM tools must cover the development, its associated maintenance, and other relevant activities like training.
Subcategories of CDM Capabilities Specified Under SIN 132-44
Here are the subcategories of CDM capabilities based on SIN 132-44:
- Technical Tools: Hardware and software tools should acknowledge the configuration requirements that come with the installation. It should also express the security vulnerabilities that users need to consider before making the purchase.
- System Authorization: The users and the systems that have access authorization must have sufficient identification. This system determines the authenticated permissions and granted resource rights.
- Network Protection: The government must determine the particular actions and behavior within the network boundaries. In other words, there are extreme measures taken to protect data within the infrastructure.
- Risk Assessment: The business must inform federal buyers of what happens during cyber threats. The schedule holder should take measures to reduce the impact of data breaches and other incidents. They should be able to identify risks after analyzing a large volume of data at a given time.
- Other Technologies: This involves other CDM cybersecurity tools not mentioned in different subcategories.
How to Get Into GSA CDM
GSA Schedule holders can get into the program by following these steps:
- GSA contractors can have their products and services listed under SIN 132-44 by requesting to be part of the CDM Approved Product List (APL).
- All you need to do is fill out the form to identify your products and tools’ subcategories.
- GSA Schedule holders need to wait until their products get approved for the CDM APL, or they can add the SIN modifications to their Schedule 70 for submission to GSA.
There is a SIN-specific technical evaluation for 132-44 of Product Qualification Requirements. Along with the offer, potential GSA contractors need to submit the following:
- Business Experience/Track Record
- Past Performance Evaluation
- Quality Control
- CDM Tools SIN Specific Technical Factor of Product Qualification Requirements (CDM APL requirement)
Existing GSA contractors under Schedule 70 that are looking to add the new SIN need to submit the following:
- SIN Specific Technical Factor of Product Qualification Requirements (on CDM APL)
- Modification Request to add a new SIN
- Offerings to GSA
In the digital age, federal agencies must implement extra measures that strengthen their cybersecurity and mitigate the risks of compromising data. Handling sensitive and confidential data has to be taken seriously following the rise of cyber threats over the years. For this reason, the General Services Administration (GSA) partnered with the Department of Homeland Security (DHS) to establish a cybersecurity program that highlights best practices. Although this partnership initially operated under a Blanket Purchase Agreement (BPA), the BPA eventually expired in August 2018. Therefore, the Continuous Diagnostics and Mitigation (CDM) program provided a new Schedule 70 Special Item Number (SIN), 132-44.