Official website of the Department of Homeland Security

Implementation of Continuous Diagnostics and Mitigation (CDM)

CDM Implementation

DHS has partnered with the General Services Administration to award a multi-vendor, five-year blanket purchase agreement (BPA) contract for the CDM program, which will provide real-time diagnostic and mitigation services to federal executive branch civilian agencies, state and local entities, and the defense industrial base sector. The BPA is an overarching contract with an estimated ceiling of $6 billion over its five-year duration (a one-year contract with four additional one-year options) and is open to all Federal civilian departments and agencies, the defense industrial base sector, and state, local, tribal, and territorial governments. This significant contract award is designed to support Federal civilian networks and the extensive number of cybersecurity requirements for any Federal custom and cloud application over the life of the contract, and will be funded through each participating department and agency, not solely by DHS.

Through its authority, DHS will ensure that CDM is implemented consistently, meets critical requirements for effectiveness, and leverages centralized acquisition in the form of strategic sourcing. DHS will continue to actively collaborate with public sector partners every day to respond to and coordinate mitigation in the face of attempted disruptions to the Nation’s critical cyber and communications networks and to reduce adverse impacts on critical network systems.

The CDM Program covers 15 continuous monitoring capabilities:

  • Hardware inventory management
  • Software inventory management
  • Configuration setting management
  • Vulnerability management
  • Network/physical access control management
  • Trust-in-people granted access (access control management)
  • Security-related behavior management
  • Quality management
  • Credentials and authentication management
  • Privilege management
  • Prepare for incidents and contingencies
  • Respond to incidents and contingencies
  • Requirements, policy, and planning
  • Operational security
  • Generic audit/monitoring

Capabilities are established at every level of the network, not just the periphery, which gives agencies the ability to see how effective their systems are. The first phase of CDM focuses on four functional capabilities: hardware asset management, software asset management, configuration management, and vulnerability management, which are baseline capabilities to protect data. DHS is working with the Federal CIO Council’s Information Security and Identity Management Committee to identify terms of implementation for the remaining capabilities.
