CISA selects EnDyna for vulnerability disclosure platform shared service

The shared service is the first of three initial ones the agency will offer as a recently designated quality service management office.
CISA, DHS, Department of Homeland Security, RSA 2019
(Scoop News Group photo)

The Cybersecurity and Infrastructure Security Agency awarded EnDyna, Inc. a $13.5 million contract Friday to support its governmentwide vulnerability disclosure policy (VDP) shard service for agencies looking to work with researchers to find security flaws.

Based in McLean, Virginia, the consulting firm plans to begin providing the centrally managed system in early 2021 for processing reports from researchers as they find vulnerabilities in agencies’ externally facing IT systems.

The VDP platform is the first of three initial shared services CISA will offer agencies as an officially designated quality services management office (QSMO).

“CISA, designated by the White House as the Cybersecurity Quality Services Management Office in April, will build on its current cybersecurity offerings to provide a marketplace of services to agencies to protect and defend systems and operations and deliver cybersecurity solutions that continuously leverage industry innovation, in alignment with the National Cybersecurity Strategy,” said Bryan Ware, assistant director for cybersecurity, in the announcement Friday.


The first of the four original QSMOs made official, CISA will eventually manage a marketplace of cloud-based systems and services, offered by federal shared service providers, for agencies to choose from — rather than finding or developing their own solutions.

CISA partnered with the General Services Administration to acquire the VDP platform on Sept. 25, so both the services and the acquisition vehicle will be available to agencies through the marketplace.

The second marketplace offering is a security operations center-as-a-service (SOCaaS) the Department of Justice will provide to small agencies, though commercial providers will also be identified.

And the final marketplace offering will be a protective Domain Name Service (DNS) for blocking access to malicious websites when translating their people-friendly domain names into the numerical Internet Protocol addresses computers use. That award is expected to go to a commercial vendor next fiscal year.

Latest Podcasts