
CDM-as-a-service great, but what next?


Small federal agencies like the option of obtaining the Continuous Diagnostics and Mitigation cybersecurity program from the Department of Homeland Security as a shared service. But some are also wondering how they can sustain their cybersecurity work into the future.

In late 2015, DHS and the General Services Administration began the process of offering CDM tools for 40 of the federal government's smallest agencies via cloud shared services to cut down on or eliminate the on-premises duplication across those smaller entities.  

The GSA acts as the procurement arm for CDM services, issuing an RFP to cover the smaller agencies in December.

CDM-as-a-service for small agencies, said Kirit Amin, CIO at the International Trade Commission, is a big help with a complex, yet critical area and is greatly preferable to being stuck with a cybersecurity mandate, a small budget and staff, and CDM contracts that would have to be renewed.

"If DHS told small agencies 'you will implement CDM,' it wouldn't happen," said Amin at an ITPA cybersecurity lunch panel in Arlington on March 3. "You can't just throw tech at an issue" and expect it to happen, said the IT chief. CDM-as-a-service would go a long way in fulfilling the job of protecting electronic assets, especially for agencies with budgets as small as their single data center.

"GSA and DHS shared services are a good thing," said Esteve Mede, chief information security officer at the Federal Election Commission. The effectiveness of the program, he said, should be measured by how closely GSA and DHS will work with small agencies to help fit them into the larger federal cybersecurity strategy.

The move to provide CDM as a service, Amin told FCW after the panel, could only be a way station on a longer, possibly treacherous road for small agencies and cybersecurity.

While the CDM services can help cover cybersecurity needs, smaller agencies are feeling the technical personnel squeeze more acutely than larger agencies.

"It comes down to people" to watch and protect cyber systems in the federal government. The entire tech industry, Amin said, fights over qualified IT people and especially over excellent cybersecurity people. "How many cybersecurity experts are out there? It's a major challenge for small agencies," he said.

About the Author

Mark Rockwell is a senior staff writer at FCW, whose beat focuses on acquisition, the Department of Homeland Security and the Department of Energy.

Before joining FCW, Rockwell was Washington correspondent for Government Security News, where he covered all aspects of homeland security from IT to detection dogs and border security. Over the last 25 years in Washington as a reporter, editor and correspondent, he has covered an increasingly wide array of high-tech issues for publications like Communications Week, Internet Week, Fiber Optics News, tele.com magazine and Wireless Week.

Rockwell received a Jesse H. Neal Award for his work covering telecommunications issues, and is a graduate of James Madison University.

Follow him on Twitter at @MRockwell4.

