CDM Frequently Asked Questions
What is Continuous Diagnostics and Mitigation (CDM)?
Consistent with the federal government’s four-year development of the Information System Continuous Monitoring (ISCM) methodology, the CDM program is a dynamic implementation approach to fortifying the cyber security of computer networks and systems.
The CDM program provides capabilities and tools that enable network administrators to know the state of their respective networks at any given time, by identifying and ranking problems for priority resolution.
Why is CDM needed?
The CDM program helps standardize security monitoring across the federal government. CDM’s intent parallels national priority for hardening defenses in federal networks. CDM has a number of benefits beyond those associated with certification and accreditation and continuous authorization supporting the Federal Information Security Management Act (FISMA) of 2002. CDM offers commercial off-the-shelf (COTS) tools, with robust terms for technical modernization as threats change.
How does the CDM program help protect networks?
The CDM program defends federal government information technology (IT) networks from cyber security threats and enhances risk-based decision-making within agencies, and across the federal government. CDM utilizes tools and services to improve agencies’ abilities to analyze critical security-related information. Continually monitoring networks for flaws and anomalies will alert network managers to attacks and intrusions, thereby enabling faster responses to fix vulnerabilities that allow attacks.
How is the federal government using CDM?
In partnership with the General Services Administration (GSA), the Department of Homeland Security (DHS) is structuring acquisition vehicles on behalf of federal civilian departments and agencies. Additionally, in its comprehensive cyber-defense role, DHS will make CDM tools and services available for use by defense organizations, in addition to State, local, tribal, and territorial (SLTT) governments.
Continuous Monitoring-as-a-Service (CMaaS) blanket purchase agreement (BPA) participants achieve cost savings through tiered-price and task-order discounts, enabling scarce resources to be spread further. This strategy results in an enterprise approach to continuous diagnostics, including consistent application of best practices.
The CDM Dashboard will identify and prioritize cyber problems for action at the department/agency level. Summary information will feed into a federal dashboard, which provides situational awareness of the government wide network security status.
How is DHS implementing CDM?
In 2010, the Office of Management and Budget delegated DHS to oversee and assist governmentwide and agency-specific efforts to provide adequate, risk-based, and cost-effective cybersecurity. Through its authority, DHS will ensure that the program is consistently implemented, meets critical requirements for effectiveness, and leverages centralized acquisitions to improve the speed of procurement and achieve strategic sourcing discounts.
The CDM Program Management Office is supporting participating Agencies through web-based toolkits, customer representative meetings, and agency-dedicated CDM advocates.
How does CDM protect data?
The Continuous Diagnostics and Mitigation (CDM) program is designed to rigorously ensure privacy. Review of all technical proposals announced on August 12, 2013 from among the winners of the CMaaS contract were found to strictly adhere to public safety, and the related design criteria necessary to fulfill critical Homeland Security mission requirements for information assurance.
Data sent from local Department and Agency (D/A) networks to DHS does not include any:
- Personally Identifying Information (PII);
- Data about specific D/A computers, applications or user accounts; and
- Data about the specific cyber security flaws on these computers or applications.
D/A system administrators do not gain any new access to sensitive information, such as PII or email contents that they did not already possess prior to CDM.
How does CDM comply with regulatory requirements (FISMA)?
The CDM Program helps federal agencies automate the FISMA reporting process. Agency-level CDM dashboards will automatically gather and report some of the FISMA-required information to the federal dashboard; the federal dashboard will then report this information to the CyberScope data reporting application that is managed by DHS.