Is CDM the Prescription for What Ails Agencies?

Following the historic Office of Personnel Management (OPM) hack and the theft of data from the Internal Revenue Service (IRS) – for the second time in a year – agencies are searching for a long-term cure to cybersecurity woes.

Continuous Diagnostics and Mitigation (CDM) could be the medicine they need. A panel of CDM experts at the recent Symantec Government Symposium said CDM is one of the key proven defenses against pervasive threats.

“We have seen some significant benefits from CDM,” said Rod Turk, Chief Information Security Officer, Department of Energy.

Sounds like CDM may be just what the doctor ordered.

Moving Ahead
Nearly two years after its August 2013 launch, CDM remains in Phase 1 (which focuses on endpoint security through hardware and software asset management, configuration settings, and vulnerability management).

CDM may be “a few months behind schedule” due to funding fights, said Christopher Cummiskey, a former acting under secretary for management at the Department of Homeland Security (DHS).

Andy Ozment, assistant secretary of the DHS Office of Cybersecurity and Communication, said in April DHS just needs time to get the program implemented and the CDM will fully cover Federal systems by the end of next year.

“We think we’re in good shape,” he said.

DHS on May 7 awarded a $39 million contract to Booz Allen Hamilton, which will – along with its partners – provide monitoring services for OPM and the departments of Energy, Interior, Transportation, Agriculture, and Veterans Affairs.

Mark Kneidinger, Senior Advisor, Federal Network Resilience Office, DHS, said the schedule for the rest of the agencies under the CDM program is on track, with the next wave of awards likely to come in the fourth quarter of this year.

No News is Good News
Agencies realize that CDM will help keep agencies out of the news, said Grant Schneider, CDM Oversight Lead, Office of Management and Budget.

“CDM is really giving us a level of foundational and fundamental situational awareness about our systems and our environment so that we can have much more mature risk conversations with the mission owners,” Schneider said. “Deputy secretaries are very interested in cybersecurity. They might not have been a couple years ago, but Target, Home Depot, Sony Pictures, and all the government [breaches] — they kind of all realize, ‘That could be me on the front page of the paper.’ So they’re interested in having the conversation.”

They’re viewing CDM as a cyber flak jacket.

Paradise by the Dashboard Light
But more than a flak jacket, CDM is a window on your cyber security. Kneidinger said DHS will begin moving dashboards to some departments and agencies as soon as next month, giving them real-time visibility into their systems.

Early next year, DHS and OMB will launch a Federal dashboard, Kneidinger said. Vendors will connect the department and agency dashboards to the Federal dashboard, providing data and trends.

“We’re starting to move forward. The implementation activities, the dashboards are ready to come out. That’s the exciting part. We’re geared up for it,” Kneidinger said.

Phase II of the program will address identity, credentials, and access management, writes Aaron Boyd in Federal Times.

But the acquisition cycle has not been formalized. Phase II remains a work in progress, Kneidinger said.

Will CDM move fast enough to allow agencies to stay ahead of the next cyber threat? Is your agency eager to put CDM to use?

Learn more: Listen to the full discussion on CDM, read the complete Internet Security Threat Report, or see a list of all session podcasts.

Feel like sharing something Noteworthy? Post a comment below or email me at

Bill Glanz is the content director for MeriTalk and its Exchange communities. In the past 14 years, he has worked as a business reporter, press secretary, and media relations director in Washington, D.C.