Cyber

CISA’s first shared-services offering is delayed by protest

The award of the vulnerability disclosure policy (VDP) platform contract is under protest from HackerOne.

November 2, 2020

(Getty Images)

The Cybersecurity and Infrastructure Security Agency’s first shared-services offering has hit a snag, with HackerOne protesting the award of the vulnerability disclosure policy (VDP) platform contract.

HackerOne filed a bid protest of the General Services Administration’s $13.5 million award to EnDyna, Inc. with the Government Accountability Office on Oct. 9. The goal of the contract is to create a platform that agencies can use to safely collect information about security flaws in their networks.

A decision isn’t due until Jan. 19, 2021.

“We believe the security of our national cyber infrastructure depends significantly on the efforts of security researchers. CISA’s requirements are clear on what they need in a vendor to support this bold initiative,” said a HackerOne spokesperson. “We can confirm that we have filed a protest challenging the award to EnDyna to ensure eligibility requirements to carry out this vital task are fully met, and that the vendor selected can support the work CISA is entrusting them to do.”

McLean, Virginia-based consulting firm EnDyna planned to provide the centrally managed system in early 2021 for processing reports from freelance researchers as they find vulnerabilities in agencies’ externally facing IT systems. San Francisco-based HackerOne is known for running bug bounty competitions for the U.S. military and other large organizations.

The VDP platform was the first of three initial shared services CISA intended to offer agencies as an officially designated quality services management office (QSMO).

CISA will eventually manage a marketplace of cloud-based systems and services, offered by federal shared service providers, for agencies to choose from — rather than finding or developing their own.

GSA’s Federal Acquisition Service partnered with CISA to acquire the VDP platform on Sept. 25, so both the service and the acquisition vehicle eventually will be available to agencies through the marketplace.

The next shared-services project for CISA is a security operations center-as-a-service (SOCaaS) that the Department of Justice will provide small agencies, with commercial providers being identified later.

CISA’s first shared-services offering is delayed by protest

More Like This

ICE pursuing privacy approvals related to controversial phone location data

House Modernization panel advances bill to improve CRS’s data access in first-ever markup

Federal CIO calls on Congress to fund Technology Modernization Fund

Top Stories

State Department encouraging workers to use ChatGPT

GSA administrator: Generative AI tools will be ‘a giant help’ for government services

Congressional panel outlines five guardrails for AI use in House

With 2023 tax season in the rearview, IRS commissioner eyes expansion of AI capabilities

CMS’s financial office is using LLM pilot to combat loss of institutional knowledge

Top public sector takeaways from Google Cloud Next 2024

Commerce requests information about AI, open data assets, data dissemination

More Scoops

CISA still working with some agencies to fully follow federal vulnerability disclosure policy rules

Ongoing bug-bounty pilot pinpoints many vulnerabilities in DOD’s cyberspace

OPM was quietly redesignated the point office for HR shared services

Hack the Army event yields 102 critical security gaps

CISA launches platform to allow hackers to report flaws in federal tech

Krebs to Congress: Empower CISA’s shared services office

Laying the terms for partnerships with ethical hackers

Latest Podcasts

CISA’s first shared-services offering is delayed by protest

AI Week 2024 has Come and Gone

Darryl Peek on Elastic’s role in enhancing public sector search and data analytics with AI and Google collaboration

Danny Werfel on How Automation has Enhanced his Agency’s Operations.

Tech

Defense

Cyber

Acquisition