What has DHS learned from phases 1 and 2 of CDM?

Halfway through a four-phase implementation, feds running the Continuous Diagnostics and Mitigation program want to retool the process to ensure the back half runs more smoothly than the front half did.

Kevin Cox, program manager for CDM at the Department of Homeland Security, detailed at a May 22 cybersecurity event how the department has applied lessons learned from phases 1 and 2, making changes to the surrounding task order contracting process and the structuring of deadlines around critical milestones, and overhauling the way program officials communicate with public and private stakeholders.

In the procurement space, task order contracts under CDM DEFEND, the acquisition strategy that will guide procurement around phases 3 and 4, will be longer and have less rigid requirements built in compared to the task orders crafted for phases 1 and 2. The original orders "were defined very specifically [and] the requirements were set from year one," Cox said at the Washington event, hosted by McAfee and Scoop News Group.

The end result is that DHS had to manage against those requirements throughout the course of the task order, leaving little room to pivot or incorporate new ideas. The new task orders are also longer, spanning five to six years as opposed to the two- or three-year timespan given to contractors under phases 1 and 2. Cox said he hoped that change would allow DHS and other agencies to incorporate new requirements or capabilities when necessary.

"With DEFEND, we've built in a lot more flexibility based on lessons learned we've had working with the vendor community, the agencies and integrators to be able to define requirements throughout the life of the CDM task order," said Cox.

Program managers have also overhauled their communications strategy, setting up more outreach events with industry, putting together a coordinated media and social media strategy to communicate the latest guidance and establishing a customer advisory forum that allows agencies to have a vote on certain aspects of how the program is run.

"We're really working to follow the principle that if you want to get your message out, you need to communicate it seven times, seven different ways," said Cox.

While Congress has generally been supportive of the way DHS has overseen implementation, some members -- including Rep. Jim Langevin (D-R.I.) -- have pressed department officials in oversight hearings to look for ways to combine phases 3 and 4, which focus on network activity and data protection respectively, as a means of speeding up the process. Cox seemed to endorse some form of that strategy, saying "we want all these activities to run parallel."

However, he warned that doing so will come with tradeoffs.

"I will say with having this greater flexibility [and] the ability to use new innovative technology, it does introduce more complexity than we had before," Cox said. "Because with phases 1 and 2 we had defined requirements. Everyone knew what those requirements were, we had a schedule for that. Now, it's wide open."

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at, or follow him on Twitter @derekdoestech.
