Consistent with the Federal Government's deployment of Information Security Continuous Monitoring (ISCM), the Continuous Diagnostics and Mitigation (CDM) Program is a dynamic approach to fortifying the cybersecurity of government networks and systems. The CDM Program provides DHS, along with Federal Agencies with capabilities and tools and identify cybersecurity risks on an ongoing basis, prioritize these risks based on potential impacts, and enable cybersecurity personnel to mitigate the most significant problems first. Congress established the CDM program to provide adequate, risk-based, and cost-effective cybersecurity and more efficiently allocate cybersecurity resources.
How CDM Works
The CDM approach is consistent with guidance from the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST) and helps meet federal reporting requirements. CDM offers industry-leading, commercial off-the-shelf (COST) tools to support technical modernization as threats change. To start, agency-installed sensors are deployed and perform an on-going, automated search for known cyber flaws. Results from the sensors feed into an agency dashboard that produces customized reports that alert network managers to their most critical cyber risks. Prioritized alerts enable agencies to efficiently allocate resources based on the severity of the risk. Progress reports track results, which can be used to compare security postures among agency networks. Summary information feeds into a Federal enterprise-level dashboard to inform and provide situational awareness into cybersecurity risk posture across the Federal Government.
The CDM Program is organized by phases, as identified in the diagram shown here and further describes below.
Phase 1: "What is on the network?"
Managing "what is on the network?" requires the management and control of devices (HWAM), software (SWAM), security configuration settings (CSM), and software vulnerabilities (VUL).
Phase 2: "Who is on the network?"
Managing "who is on the network?" requires the management and control of account/access/managed privileges (PRIV), trust determination for people granted access (TRUST), credentials and authentication (CRED), and security-related behavioral training (BEHAVE). These four functions have significant interdependence and are thus managed together as part of Phase 2.
Phase 3: "What is happening on the network?"
Managing "what is happening on the network?" builds on the CDM capabilities provided by "what is on the network?" and "who is on the network?" These CDM capabilities include network and perimeter components, host, and device components, data at rest and in transit, and user behavior and activities. These capabilities move beyond asset management to more extensive and dynamic monitoring of security controls. This includes preparing for and responding to behavior incidents, ensuring that software/system quality is integrated into the network/infrastructure, detecting internal actions and behaviors to determine who is doing what, and finally, mitigating security incidents to prevent propagation throughout the network/infrastructure.
Phase 4: "How is data protected?"
CDM Phase 4 capabilities support the overall CDM Program goal to identify cybersecurity risks on an ongoing basis, prioritize these risks based upon potential impacts, and enable cybersecurity personnel to mitigate the most significant problems first.
CDM Agency and Federal Dashboards
At the agency level, security staff will be able to identify, analyze, and address priority vulnerabilities. Summary data from each participating agency's dashboard will be transmitted to the Federal Dashboard where the tactical data will be used to inform strategic decision making regarding systemic cybersecurity risks across the entire Federal civilian enterprise.
Benefits of CDM
The CDM Program enhances government network security through automated control testing and progress tracking. This approach:
- Provides services to implement sensors and dashboards;
- Delivers near-real time results;
- Prioritizes the worst problems within minutes, versus quarterly or annually;
- Enables defenders to identify and mitigate flaws at network speed; and
- Lowers operational risk and exploitation of government IT systems and networks.
Additionally, for federal cyber investments, the CDM program fulfills Federal Information Security Management Act (FISMA) mandates.
The CDM program is designed to rigorously ensure personal privacy. Data sent from CDM participant networks to DHS does not include any Personally Identifying Information (PII) or information about specific department or agency computers, applications or user accounts.
CDM Acquisition Strategy
In August 2013, DHS in partnership with the General Services Administration (GSA) established government-wide Blanket Purchase Agreements (BPAs) under Multiple Award GSA IT Schedule 70. The BPAs, known as the CDM Tools/Continuous Monitoring as a Service (CMaaS) BPAs, provided a consistent government-wide set of information security continuous monitoring (ISCM) tools and services at a reduced cost that enhances the government's ability to identify and mitigate the impact of emerging cyber threats. The CDM Tools/CMaaS BPAs, which are set to expire in August 2018, are being replaced by the Program's new acquisition strategy. The new acquisition strategy is a two pronged approach to provide both products and services to meet the CDM Mission:
- Products - the establishment of a CDM Special Item Number (SIN) on IT Schedule 70; and
- Services - the establishment of a series of Task Orders referred to as CDM Dynamic and Evolving Federal Enterprise Network Defense (DEFEND) against the Government-wide Acquisition Contract (GWAC), Alliant.
Orders against the CDM Tools/CMaaS BPAs can continue to be placed until expiration (August 12, 2018), with the period of performance of the orders extending for one year past the period of performance of the underlying contract (BPA).
CDM Special Item Number (SIN)
The CDM Tools SIN was awarded GSA IT Schedule 70 on August 3, 2017. DHS is partnership with GSA leveraged lessons learned from the BPAs, as well as best practices across the Schedules Program to create a vehicle to best support the CDM mission. The CDM Tools SIN is a government-wide contracting solution established to continue to provide a consistent set of Information Security Continuous Monitoring (ISCM) tools to Federal, State, Local, Regional, and Tribal Governments. It provides ease of use and access for customers while also providing advantageous pricing. In addition, it provides an avenue for offerors to bring new and innovative solutions to the CDM Program improving Government access to the best available technology.
The CDM Tools SIN has streamlined the CDM capability requirements by organizing the previously known "15 tool functional areas" info four subcategories: What is on the Network? Who is on the Network? How is the Network Protected? What is happening on the Network? The fifth is focused on Emerging Tools and Technology.
The CDM Tools SIN is the first of its kind for the GSA IT Schedule 70 Program as a result of its unique features and contract mechanisms, including Supply Chain Risk Management (SCRM) review and analysis as well as the use of an Approved Products List (APL). The APL is the authoritative product catalog that has been approved to meet CDM technical capability requirements. The APL consists of products that have been approved against the BPAs, as well as products that have since been proposed and approved to meet the CDM technical requirements. Products cannot be added to the CDM Tools SIN, unless on the CDM APL. The CDM APL accepts submissions on a monthly basis.
The CDM Tools SIN is managed by GSA IT Schedule 70 and the CDM APL and corresponding process is managed by DHS CDM PMO.
CDM Dynamic and Evolving Federal Enterprise Network Defense (DEFEND)
To satisfy the services portion of the acquisition strategy, DHS in partnership with GSA anticipates utilizing the Alliant Government-Wide Acquisition Contract (GWAC) to deliver CDM services to the .gov agencies. This new acquisition strategy offers and all-encompassing approach for addressing CDM requirements by giving DHS, as well as Agencies, the ability to procure CDM capabilities. The full scope of the CDM DEFEND in inclusive of all activities that support all Phases of the CDM Program and:
- Support existing CDM Solutions at Agencies
- Expands CDM capabilities to include CDM Phase 3 and Phase 4 functionality
- Provides the ability to supply a full CDM Solution to entities within an Agency that did not participate in a TO2 series, PRIVMGMT and/or CREDMGMT.
Additionally, CDM DEFEND supports the transformation of the system authorization process by developing and implementing more efficient ongoing assessment and authorization across the Federal enterprise. CDM DEFEND is anticipated to support, among other activities, enhanced Cloud and mobile cybersecurity, a more standardized approach for incident response across the Federal enterprise environment, and more robust boundary protections aligned with the ongoing IT modernization efforts.
CDM DEFEND Task Orders aim to:
- Provide flexibility that can account for a dynamic cyber environment, varying implementation timelines, and agency specific needs by utilizing flexible contract types list cost plus award fee.
- Ensure delivered CDM capabilities are fully implemented at receiving Agencies by implementing longer period of performance
- Ensure clear and effective communications that accurately depict status to CDM stakeholders early and often
- Achieve the most advantageous cost and price discounts
- Provide access to qualified vendors that understand CDM
The new acquisition strategy will allow for a seamless transition from the current BPA to new Task Orders, as well as give DHS and Agencies a vehicle to procure additional CDM tools (from the CDM APL via the CDM Tools SIN, as an option) and services outside of what is being provided by DHS.
For more information on CDM's acquisition strategy, please contact firstname.lastname@example.org.