Continuous Diagnostics & Mitigation (CDM) Program
The Continuous Diagnostics and Mitigation (CDM) program is a dynamic approach to fortifying the cybersecurity of government networks and systems. CDM provides federal departments and agencies with capabilities and tools that:
- Identify cybersecurity risks on an ongoing basis;
- Prioritize these risks based upon potential impacts; and
- Enable cybersecurity personnel to mitigate the most significant problems first.
For CDM Tools SIN (132-44) Information for Ordering Organizations.
For CDM Tools SIN (132-44) Information for Vendors.
Get more information on the CDM Program.
Key Program objectives are to:
- Reduce agency threat surface;
- Streamline Federal Information Security Modernization Act (FISMA) reporting;
- Increase visibility into the federal cybersecurity posture; and
- Improve federal cybersecurity response capabilities.
The DHS acquisition strategy and objectives supporting the program use a two-pronged approach to provide both products and services to meet the CDM mission:
- Products - the establishment of a CDM Tools Special Item Number (SIN) (132-44)* on IT Schedule 70; and
- Services - the establishment of a series of task orders referred to as CDM Dynamic and Evolving Federal Enterprise Network Defense (DEFEND) against the Governmentwide Acquisition Contract (GWAC), Alliant.
*Only products that have been validated by the CDM program and added to the Approved Product List (APL) can be offered on the CDM Tools SIN. More information on the APL and how to submit products for consideration is available on the Information for Vendors web page.
In August 2013, the Department of Homeland Security (DHS) in partnership with the General Services Administration (GSA) established governmentwide Blanket Purchase Agreements (BPAs) under Multiple Award GSA IT Schedule 70.
The BPAs, known as the CDM Tools/Continuous Monitoring as a Service (CMaaS) BPAs, provided a consistent governmentwide set of information security continuous monitoring (ISCM) tools and services at a reduced cost, enhancing the government's ability to identify and mitigate the impact of emerging cyber threats. The BPAs offered 34 tiered price bands, providing cumulative quantity discounts for each product available for purchase. The CDM Tools/CMaaS BPAs expired in August 2018 and were replaced by the CDM program's new acquisition strategy.
CDM delivers capabilities to agencies across all aspects of the program and at varying timelines, tailored to best meet agency readiness and agency-specific needs.
These capabilities are outlined in two volumes:
- CDM Technical Capabilities Volume One Actual Desired States [PDF - 652 KB] – This document discusses how agencies can define the desired state within the CDM program, leveraging three frameworks: that of the CDM architecture, the Cybersecurity Framework, and the security controls framework outlined by the National Institute of Standards and Technology (NIST).
- CDM Technical Capabilities Volume Two Requirements Catalog [PDF - 707 KB] – This document describes the requirements for the CDM program that are consistent with the overarching goal of enabling U.S. government entities to assess and improve the security posture of agencies’ information systems. These requirements will be used for the CDM solicitations called DEFEND (Dynamically Evolving Federal Enterprise Network Defense).
For more information on CDM capabilities, please visit the DHS CDM website.
- OMB Directive M-15-01: FY 2014-2015 Guidance on Improving Federal Information Security and Privacy Management Practices [PDF - 6.46 MB]
- OMB Directive 10-28: Clarifying Cybersecurity Responsibilities and Activities of the Executive Office of the President and the Department of Homeland Security [PDF - 7.35 MB]
- OMB Directive 14-03: Enhancing the Security of Federal Information and Information Systems [PDF - 868 KB]
Resources for assessing and managing information risk:
- NIST 800-30 Rev 1: Guide for Conducting Risk Assessments
- NIST 800-37 Rev 1: Guide for Applying the Risk Management Framework to Federal Information Systems: A Security Life Cycle Approach [PDF - 935 KB]
- NIST 800-39: Managing Information Security Risk
- NIST 800-53 Rev 4: Security and Privacy Controls for Federal Information Systems and Organizations
- NIST 800-137: Information Security Continuous Monitoring for Federal Information Systems and Organizations
- DHS CDM Website: Provides an overview of how CDM Works, CDM capabilities, Benefits of CDM, and the CDM Acquisition Strategy.
- Federal Information Security Modernization Act (FISMA) Website: Links to FISMA 2014 updates to the federal government’s cybersecurity practices and provides related documents for FY14-FY18.
- US-CERT Website: DHS CDM's training program website with access to trainings, guides, and CDM resources.
- All acquisition-related questions, eligibility requirements, and ordering guide requests: CDM Tools SIN – firstname.lastname@example.org
- Technical questions regarding the program: CDM Program Office – email@example.com
- CDM Approved Products List and CDM Tools SIN questions: DHS Acquisition and Requirements Management – firstname.lastname@example.org
5 Considerations for Using the CDM Tools SIN (10/10/2018)
CDM Tools SIN Ordering Guide [DOCX - 1 MB]
CDM Approved Products List (APL) [XLSX - 11 MB]
CDM APL Product Submission Instructions [PDF - 425 KB]
CDM APL Product Submission Form [XLSX - 126 KB]
CDM APL SCRM Plan [PDF - 56 KB]
Attachment A - CDM APL SCRM [XLSX - 14 KB]
Vendor Process Guide on Applying for the CDM Tools SIN [DOCX - 75 KB]