DISA looks to the open market for secure web browsing contract


A contracting notice indicates that the Defense Department is looking to compete the service that protects its systems from web-based attacks.

The Defense Information Systems Agency is seeking information on potential providers for its cloud-based internet isolation platform, as expiration for the current contract looms.

The CBII approach, launched in 2020 via an other transaction authority agreement, routes commercial web traffic to a secure cloud environment to protect Department of Defense-owned networks.

The idea behind CBII is that the roughly 3.6 million users of DOD's Non-classified Internet Protocol Router Network do a fair amount of "non-mission essential" web browsing. This activity could potentially expose NIPRNET to cybersecurity exploits like clickjacking, malicious plug-ins, cross-site scripting attacks, SQL injections, man-in-the-middle attacks and more. 

In 2020, after a pilot program, DISA awarded a team led by By Light IT Professional Services a $198.9 million, 5-year OTA agreement to bring CBII into production. The agency said that the CBII approach could save as much as $300 million over the life of the contract as compared with upgrading cybersecurity tools to defend internet access points.

Now, with the expiration of the OTA looming in the not-so-distant future, DISA is paving the way for an open competition of the cloud-based internet isolation business. According to a contracting notice updated on Oct. 19, DISA is not planning to use other transaction authorities as the basis for the new award.

DISA is looking for a managed service hosted in a secure cloud that is "quickly accessible anywhere and at any time in the world" and can support as many as 3 million concurrent users. Required capabilities include supporting website whitelisting and blacklisting, content filtering, malware scanning and sandboxing — all in a FedRAMP Level 2 environment. Additionally, the CBII platform needs to integrate with all current DOD mobile device management solutions.

The first round of responses from industry were due Monday. There's no word on when a request for proposals from DISA is expected to be released.