WASHINGTON – The U.S. Department of Homeland Security plans to create a $6 billion shopping hub for federal, state and local agencies seeking to shield their computer networks from hackers.
Contracts for what may become the biggest unclassified cybersecurity program in the U.S. government will be awarded as early as this month.
The agreement has attracted interest from dozens of companies seeking opportunities in a $512 billion federal contracting market that is shrinking with the wars’ end and U.S. budget cuts. The list of bidders includes top contractors such as Lockheed Martin, Northrop Grumman and SAIC.
We’re not talking about buying pencils; we’re talking about an advanced technology architecture system, said Michael Carpenter, president of U.S. sales for Santa Clara, Calif.-based McAfee Inc., which is interested in doing work under the program. This is the first time I’ve seen in civilian government where they’ve come together for an entire joint acquisition.
The program follows a February executive order from President Barack Obama, which directed the Homeland Security Department to ensure that unclassified government networks are constantly scanned for threats, defended from attacks and audited for performance to ensure federal agencies are complying with computer-security rules.
Agencies such as the Agriculture Department, Environmental Protection Agency and Social Security Administration have struggled to meet those requirements, according to a March 2013 White House report to Congress.
The program will enable Homeland Security to work with federal civilian departments and agencies in developing capabilities that will improve their cyber security posture, S.Y. Lee, a department spokesman, said in an email.
As many as five companies will be awarded contracts by the General Services Administration, according to a request for bids. The $6 billion is the maximum value of those contracts during as many as five years under the so-called Continuous Diagnostics and Mitigation program managed by Homeland Security.
The suppliers will provide central hubs in which government agencies can buy computer hardware and software as well as consulting services to help manage employees’ access to networks, according to the government’s request for bids. Those controls have been under scrutiny following defense contractor Edward Snowden’s leaks of classified U.S. surveillance programs.
Technology can be used to develop an electronic, early-warning radar to identify emerging threats and provide agencies the tools they need to thwart them, John Bordwine, global government chief architect for Symantec Corp., a network-security company in Mountain View, Calif., said in a phone interview.
The program is designed for civilian government agencies, though it also will be available to the Defense Department and intelligence agencies, according to the federal request for bids.
State and local agencies will also be able to benefit from the consistency, pricing and purchasing speed that federal agencies will gain under the program, according to the request.
While the program may turn out to be the largest unclassified cyber security contract in the federal government, it might not reach $6 billion, William Loomis, a managing director at Stifel Nicolaus & Co., a brokerage and investment banking firm in St. Louis, said in a phone interview.
Loomis said one challenge is that Homeland Security can’t compel agencies to buy through the contracts. He said he believes smaller agencies are likely to buy the services.
Congress appropriated $202 million to Homeland Security for the program during the current year ending Sept. 30, which equates to $185 million after automatic U.S. spending cuts under a process known as sequestration. The department has requested $168 million for the program in fiscal 2014.
The only sure-fire money here is the $200 million a year that the department gets, said Brian Friel, a contracts analyst for Bloomberg Industries.
Ron Gula, chief executive officer of the network-security company Tenable Network Security Inc., said it also isn’t clear if Homeland Security will buy products and services for agencies. The company is based in Columbia, Md.
Everybody knows this is a significant procurement, but nobody knows how it’s going to happen, Gula said. What strings are attached to that? I don’t think anybody knows.
Lockheed Martin, based in Bethesda, Md., has bid to be a prime, or direct, contractor, company spokeswoman Sheila Collins said in an email.
The Pentagon’s top contractor is committed to supporting Homeland Security in the effective deployment of this important information security capability across the federal government, Collins said.
Spokesmen for Falls Church, Va.-based Northrop Grumman, McLean, Va.-based SAIC and Falls Church, Va.-based Computer Sciences Corp. also said the companies had bid.
The Homeland Security Department will get access to information about threats and electronic attacks on civilian government networks under the program.
In April, lawmakers in the House of Representatives fought over whether the department or the National Security Agency should be the primary federal agency to receive cyber security threat data from companies as part of an information-sharing cyber security bill.
The bill passed by the House directs companies to send data on intrusions to the Homeland Security Department unless they have a preexisting relationship for doing so with the Pentagon.
The Obama administration’s decision to give more cybersecurity work to Homeland Security under the Continuous Diagnostics and Mitigation program may help settle the dispute over which agency is best suited to provide cyber security services, analyst Friel said.
This establishes Homeland as the lead for civilian agencies, and Defense can keep managing its own cyber security programs, Friel said. This is a program that DoD could have managed. In a way, it’s sort of settling the turf war.