DHS’s CDM Program – Progress, Challenges, and What Comes After

Published: May 11, 2016


Nearly three years into the Continuous Diagnostics and Mitigation (CDM) program to improve the cybersecurity effectiveness of federal agencies officials at DHS and GSA report that progress has been made, but challenges and future objectives remain.

A recent FCW event, Face to Face Cyber Security, focused on the elements, strategies, and status of the CDM program. Participants included government officials from GSA, DHS, OPM, the Navy, and the Federal Elections Commission (FEC). Their presentations were interspersed with industry speakers from several of the solutions providers on the Blanket Purchase Agreement (BPA).

CDM Task Order 2 Participants & Status

One slide in a presentation by DHS Jim Quinn, Lead System Engineer for the CDM Program at the Department of Homeland Security (DHS) provided a current status of CDM Task Order 2 participant department and agencies. For background, Phase 1 Task Order 2 for $29 million for implementing cybersecurity tools and services at DHS was awarded in February 2015. Task Order 2B for $39 million covering Group B of federal agencies was awarded in April 2015. Task Orders for Groups C-E for a total nearly $140 million were awarded in July 2015.

The progress of the different Groups follows the staggered pace at which these awards have been made. (See table below.)

According to officials, the five awards for Groups A-E mean that the CDM program covers over 98% of the federal civilian workforce.

Other Observations

  • Spending on the BPA is primarily going though GSA IT Schedule 70, although agencies may get permission from GSA to use other contract vehicles like Enterprise Infrastructure Solutions (EIS) when including CDM elements among larger IT contract purchases or if CDM elements are embedded in larger IT modernization/infrastructure work, provided the agency can document the savings from pursuing those routes versus the BPA.
  • The definition of “now” under the CDM program equals within 72 hours of currency. If monitoring was reported any faster, agencies wouldn't be able to respond effectively anyhow. If reporting were done any slower the risk postures would then increase too much.
  • Competing requirements – By the end of 2015 they had finalized an approved products list, but the Cybersecurity Sprint required them to step back and look at strong authentication, including Privileges (PRIV) and Credentials and Authentication Management (CRED). 
  • Phase 3 of Boundary Protection and Event Management for Managing the Security Lifecycle is so complicated that they have split it into 3 parts: 1) Managing events, 2) Operate, Monitor and Improve and 3) Design and Build Improved Security. DHS expects to get through Phase 3 in 2016.
  • Phase 4 - Protecting Data on the Network will be the challenge in 2017.

Life after CDM

During a question and answer portion of the event, Jim Piché, Group Manager at GSA’s Federal Systems Integration and Management Center which administers the CDM BPA was asked what industry might expect after the 5-year BPA expires.

His answer was to the effect of “BPAs are good for getting pre-priced tools acquired and installed, but not as good for supporting ongoing, operational cybersecurity. There has been an RFI released from elsewhere within GSA (not FEDSIM) that is looking for a cyber- vehicle or cyber- SIN as the next landing place for the BPA.” He is not sure if they will extend or renew the current BPA. Discussions on the way forward are underway.