House passes CDM bill


A bill to codify Continuous Diagnostics and Mitigation, a governmentwide cybersecurity program run out of the Department of Homeland Security, passed the House Sept. 4.

The bill, sponsored by Rep. John Ratcliffe (R-Texas), chair of the House Cybersecurity and Infrastructure Protection subcommittee, would add CDM to the Homeland Security Act, require federal agencies to develop reporting metrics for systemic cybersecurity risks and build in expectations that agencies will continually update and deploy new technologies to support the program. It also requires the secretary of Homeland Security to develop a strategic plan for the program six months after passage.  

"The CDM program has proven to be an indispensable tool for DHS and [the National Protection and Programs Directorate] in identifying and defending against cyber threats to our federal networks," Ratcliffe said in a statement. "Codification will help promote its ongoing success and improvement, so we can ensure our federal network protection efforts keep pace with the ever evolving threat landscape."

If enacted into law, it would represent the first attempt by Congress to bolster the program through legislation. Ratcliffe and other members of Congress have expressed confidence in DHS and the foundation of CDM; they have also expressed concern over slower than expected progress from many federal agencies.

The bill, while not as robust as some members and staffers hoped, is viewed as one step towards boosting adoption rates. A congressional aide told FCW in July shortly after the bill was released that the goal was to pair it with oversight hearings and possibly additional legislation down the road.

However, merely demonstrating that Congress still supports CDM could have a positive effect on the way federal agencies perceive and prioritize its program, according to Suzanne Spaulding, former undersecretary of NPPD. Unlike other cybersecurity programs like Einstein, Spaulding told FCW that DHS has had to push agencies to adopt CDM. Even as they expressed interest in the program and its benefits, many were wary of its invasive nature and daunting implementation and integration challenges. She said Congress passing this legislation would send a message to anyone sitting on the fence that it's worth the effort.

"There is expense and resources required in terms of time and effort to implement the technologies provided through CDM," Spaulding said. "If you wonder whether the support for this program is going to be sustained, you can stall, you can debate about 'should we be making this expenditure?' So just simply sending the signal that this program has support from Congress and isn't going away is a really important step in getting departments and agencies to undertake the burden, frankly, of implementing CDM."

The bill now moves to the Senate, where another DHS cyber reform bill, the Cybersecurity and Infrastructure Security Agency Act, has thus far become mired in jurisdictional turf wars between differing committees since being passed last year. Ratcliffe urged the Senate to swiftly consider and pass its own version of his CDM legislation.

The House also passed another significant piece of cyber-related legislation on Sept. 5. The Cyber Deterrence and Response Act  lays out a formal process for the president to enact diplomatic, economic and criminal sanctions against nation-states found to be engaging in malicious cyber activity.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at, or follow him on Twitter @derekdoestech.

Click here for previous articles by Johnson.


  • Cybersecurity
    CISA chief Chris Krebs disusses the future of the agency at Auburn University Aug. 22 2019

    Shared services and the future of CISA

    Chris Krebs, the head of the Cybersecurity and Infrastructure Security Agency at DHS, said that many federal agencies will be outsourcing cyber to a shared service provider in the future.

  • Telecom
    GSA Headquarters (Photo by Rena Schild/Shutterstock)

    GSA softens line on looming EIS due date

    Think of the September deadline for agencies to award contracts under the General Services Administration's $50-billion telecommunications contract as a "yellow light," said GSA's telecom services director.

  • Defense
    Shutterstock photo id 669226093 By Gorodenkoff

    IC looks to stand up a new enterprise IT program office

    The intelligence community wants to stand up a new program executive office to help develop new IT capabilities.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.