New CDM bill aims for flexibility, newer tech

intrusion detection (sdecoret/ 

The Department of Homeland Security's Continuous Diagnostics and Mitigation program hasn't been around for very long, but overseers in Congress want to make sure the cybersecurity program remains on the cutting edge of the technology landscape for years to come.

A draft bill introduced by Rep. John Ratcliffe (R-Texas), chairman of the House Homeland Security subcommittee on Cybersecurity and Infrastructure Protection, would amend the 2002 Homeland Security Act to include CDM. The bill also gives the secretary of the Homeland Security added flexibility around purchasing and reimbursement decisions that have vexed agency partners in the past.

It would also call for "regular improvement" of the CDM program, saying the secretary should "regularly deploy new technologies and modify existing technologies" where appropriate.

"Our goal with this new legislation is to help boost the long-term success of the CDM program by ensuring it keeps pace with the cutting-edge capabilities in the private sector," Ratcliffe said in a statement. "We're also safeguarding agencies from getting stuck with technologies that will soon become outdated or unsupported by their vendors."

In comments first reported by FCW, Ratcliffe said in March that he was considering legislation to address a range of problems that have hampered agency compliance for CDM, which Congress views as a key bulwark protecting federal agency networks from cyberattacks.

A congressional source speaking on background said the goal of the legislation is "to codify the program to give it some direction and teeth during the appropriations cycle" while relying on further actions by Congress down the road both legislatively and through oversight hearings to achieve greater buy-in to the program from federal agencies.

In addition to fostering the use of newer technology, the bill would also "make program capabilities available for use by any federal agency, with or without reimbursement."

Many partner agencies have complained about a convoluted funding structure for CDM, where agencies receive only partial funding from DHS that rarely covers the full cost of implementation. The bill would also give the DHS secretary the ability to employ "shared services, blanket purchase agreements and any other economic or procurement models" that maximize the cost savings associated with implementation.

The legislation also requires DHS to develop a comprehensive strategy for the program, including detailed descriptions of coordination required by federal agencies to achieve compliance, any obstacles facing the program, guidelines for federal agencies to continuously upgrade the program's tech and recommendations for feeding the resulting information created through the program into a data analytics and reporting platform.

Outside of the legislative process, program managers have been tweaking the CDM contracting and communications process as well as the structure for new DEFEND task order contracts, with vendor integrators over the past year in response to feedback in order to foster better coordination between DHS and federal agencies.

About the Author

Derek B. Johnson is a former senior staff writer at FCW.


  • Defense
    Soldiers from the Old Guard test the second iteration of the Integrated Visual Augmentation System (IVAS) capability set during an exercise at Fort Belvoir, VA in Fall 2019. Photo by Courtney Bacon

    IVAS and the future of defense acquisition

    The Army’s Integrated Visual Augmentation System has been in the works for years, but the potentially multibillion deal could mark a paradigm shift in how the Defense Department buys and leverages technology.

  • Cybersecurity
    Deputy Secretary of Homeland Security Alejandro Mayorkas  (U.S. Coast Guard photo by Petty Officer 3rd Class Lora Ratliff)

    Mayorkas announces cyber 'sprints' on ransomware, ICS, workforce

    The Homeland Security secretary announced a series of focused efforts to address issues around ransomware, critical infrastructure and the agency's workforce that will all be launched in the coming weeks.

Stay Connected