US flag signifying that this is a United States Federal Government website   Official website of the Department of Homeland Security

Homeland Security

Implementation of Continuous Diagnostics and Mitigation (CDM)

CDM Implementation

DHS and GSA are structuring acquisition vehicles on behalf of CDM participants. The CDM Blanket Purchase Agreement (BPA) is open to any government entity, including the Federal Civilian Executive Branch (.gov), as well as state, local, tribal, and territorial departments and agencies. For more information about the CDM contract award, visit

For Federal Civilian Executive Branch departments and agencies, DHS:

  • Optimizes CDM acquisitions;
  • Organizes Task Order participants;
  • Buys sensors and services with DHS-appropriated funds for .gov departments and agencies;
  • Provides services to implement sensors and agency dashboards for .gov departments and agencies; and
  • Provides federal dashboard-related infrastructure.

State, local, regional, and tribal governments may use the Direct Order/Direct Bill option to procure products and/or services from the CDM BPA via the delegated procurement authority, GSA Federal Systems Integration and Management Center (FEDSIM). For specific ordering options, please see GSA’s CDM/CMaaS Ordering Guide, 2013, via

Based upon Congressional authorization and OMB guidance, DHS will work with departments and agencies to implement CDM in a consistent manner that demonstrates measureable cybersecurity results and leverages strategic sourcing to achieve cost savings. DHS will continue to actively collaborate with public sector partners every day to respond to and coordinate mitigation in the face of attempted disruptions to the Nation’s critical cyber and communications networks and to reduce adverse impacts on critical network systems.

The CDM Program covers 15 continuous diagnostic capabilities. The first phase of CDM focuses on endpoint integrity: management of hardware and software assets, configuration management, and vulnerability management, which are foundational capabilities to protect systems and data. Phases 2 and 3 are being further defined to include Least Privilege and Infrastructure Integrity, and Boundary Protection and Event Management, respectively.

CDM Phases

Phase 1:

  • HWAM – Hardware Asset Management
  • SWAM – Software Asset Management
  • CSM – Configuration Settings Management
  • VUL – Vulnerability Management

Phase 2: Least Privilege and Infrastructure Integrity

  • TRUST –Access Control Management (Trust in People Granted Access)
  • BEHV – Security-Related Behavior Management
  • CRED – Credentials and Authentication Management
  • PRIV – Privileges
  • Boundary Protection (Network, Physical, Virtual)

Phase 3: Boundary Protection and Event Management for Managing the Security Lifecycle

  • Plan for Events
  • Respond to Events
  • Generic Audit/Monitoring
  • Document Requirements, Policy, etc.
  • Quality Management
  • Risk Management
Last Published Date: April 3, 2014
Back to Top