CISA’s first shared-services offering is delayed by protest

The award of the vulnerability disclosure policy (VDP) platform contract is under protest from HackerOne.
cybersecurity incident, bug, vulnerability, malware
(Getty Images)

The Cybersecurity and Infrastructure Security Agency’s first shared-services offering has hit a snag, with HackerOne protesting the award of the vulnerability disclosure policy (VDP) platform contract.

HackerOne filed a bid protest of the General Services Administration’s $13.5 million award to EnDyna, Inc. with the Government Accountability Office on Oct. 9. The goal of the contract is to create a platform that agencies can use to safely collect information about security flaws in their networks.

A decision isn’t due until Jan. 19, 2021.

“We believe the security of our national cyber infrastructure depends significantly on the efforts of security researchers. CISA’s requirements are clear on what they need in a vendor to support this bold initiative,” said a HackerOne spokesperson. “We can confirm that we have filed a protest challenging the award to EnDyna to ensure eligibility requirements to carry out this vital task are fully met, and that the vendor selected can support the work CISA is entrusting them to do.”


McLean, Virginia-based consulting firm EnDyna planned to provide the centrally managed system in early 2021 for processing reports from freelance researchers as they find vulnerabilities in agencies’ externally facing IT systems. San Francisco-based HackerOne is known for running bug bounty competitions for the U.S. military and other large organizations.

The VDP platform was the first of three initial shared services CISA intended to offer agencies as an officially designated quality services management office (QSMO).

CISA will eventually manage a marketplace of cloud-based systems and services, offered by federal shared service providers, for agencies to choose from — rather than finding or developing their own.

GSA’s Federal Acquisition Service partnered with CISA to acquire the VDP platform on Sept. 25, so both the service and the acquisition vehicle eventually will be available to agencies through the marketplace.

The next shared-services project for CISA is a security operations center-as-a-service (SOCaaS) that the Department of Justice will provide small agencies, with commercial providers being identified later.

Latest Podcasts