Why the CDM program needs an overhaul

Shutterstock image (by Sergey Nivens): Security concept, lock on a digital screen. 

The Department of Homeland Security has described the Continuous Diagnostics and Mitigation (CDM) program as “a dynamic approach to fortifying the cybersecurity of government networks and systems.” That fortification is meant to be achieved through three distinct phases.

Phase 1 covers the asset management process for categorizing hardware and software assets across the IT landscape at federal agencies. Phase 2 is designed to enhance the management processes for monitoring and auditing personal activities based on credentials, privileges and expected behavior. Phase 3 defines requirements for management aspects of the security life cycle, including planning for events, documentation requirements and quality management.

However, despite being well-intentioned, the CDM program has been plagued by slow delivery cycles, inadequate definitions of requirements and an overall ineffective approach to cross-agency security improvements. Notably, only one line item in the program is intended to thwart threats: Phase 3’s “Boundary Protection (Network, Physical, Virtual)” encompasses IT technology capabilities that federal agencies already have in place at their network boundaries.

Given ongoing breaches and hacks, it’s clear that deficiencies still exist at the federal level, and CDM is missing the point by failing to adequately define phases that help government entities identify and mitigate threats to improve their overall cybersecurity posture.

By attempting to address an issue via an archaic set of processes, CDM is fixing the wrong problem. The program looks backward at legacy attack vectors and does not address emerging threats. One primary limitation to CDM efficacy is the fact that the program does not focus on application programming interfaces (APIs), which have become the epicenter of industry innovation and the primary driver of mobility, cloud, internet of things and enhanced protection of data and services.

The emergence of API security gateway technology has changed IT security capabilities in profound ways to reduce most modern threats. The technology, similar to the web application firewall evolution that occurred nearly a decade ago, has emerged as an essential architecture capability to prevent modern threats. It encompasses the fundamental tenets of the CDM initiative by combining identification and enforcement as architecture capabilities rather than using disparate processes and event monitors.

In other words, although the CDM initiative aims to streamline processes and simplify risk management, the framework fails to address a technology that has prevented many of today’s threat challenges.

The other significant hindrance to CDM success is that it only provides access to technologies and companies that are included in the blanket purchase agreement. That approach restricts the ability of viable vendors to offer their services by limiting participation to selective BPA partnerships. It leads to discrete, non-repeatable and hand-coded solutions to problems rather than best-of-breed industry products that have been proven in the commercial sector and are substantially more cost-efficient to deploy and maintain.

Further, the CDM program creates silos of agency groupings that the limited set of BPA integrators are able to bid on, thus stifling the ability to realize economies of scale and establish consistent solutions that can be applied across the entire federal government.

DHS touts CDM as achieving a “consistent application of best practices.” Applying best practices is indeed a laudable approach, but if you are practicing for the wrong game, what’s the point? Best practices need a strategy, and CDM needs to be augmented to focus on existing industry technologies such as API security gateways and others that are already solving cybersecurity problems but will likely take years for the CDM program to discover.

About the Author

Jason Macy is the CTO of Forum Systems.


  • Workforce
    White House rainbow light shutterstock ID : 1130423963 By zhephotography

    White House rolls out DEIA strategy

    On Tuesday, the Biden administration issued agencies a roadmap to guide their efforts to develop strategic plans for diversity, equity, inclusion and accessibility (DEIA), as required under a as required under a June executive order.

  • Defense
    software (whiteMocca/

    Why DOD is so bad at buying software

    The Defense Department wants to acquire emerging technology faster and more efficiently. But will its latest attempts to streamline its processes be enough?

Stay Connected