What's in store for CDM in 2019 and beyond?

digital planet (ShutterStock image) 

The Continuous Diagnostics and Mitigation program will spend the next two years focusing on standing up its new risk scoring algorithm, transitioning smaller agencies onto a shared services platform and making program data more useful and actionable for federal agencies and overseers.

CDM Program Manager Kevin Cox outlined the Department of Homeland Security's goals for the program over the next two years at a March 27 technology conference hosted by the Advanced Technology Academic Research Center.

The program's new risk scoring algorithm, AWARE, will have a "soft rollout" in October, keeping tabs on basic agency metrics like vulnerability management, patching and configuration. Down the line, Cox said, DHS wants AWARE to drill down to the individual system level. However, another DHS cybersecurity program, the Government Cybersecurity Architecture Review, which is designed to look at agency-specific vulnerabilities through the eyes of a hostile attacker, recommended the program focus on lower hanging fruit first. Cox said there's little point focusing on higher level attack vectors when "the front door is wide open" because agencies are still skimping on the fundamentals.

"If you look at the way the adversaries are trying to get in on government networks, they are doing things like cryptojacking and more advanced attacks, " he said. "But at the end of the day they're going to go at the easier targets to be able to get a foothold and then expand out and move laterally across the network."

It's the latest reminder that, for all the discussion around advanced nation-state threats and the role emerging technologies like artificial intelligence and quantum computing can play in cybersecurity, the federal government remains far too susceptible to compromise through poor hygiene.

Attackers aren't burning high-value tools when targeting federal systems. The National Security Agency apparently hasn't responded to a Zero-day attack on government systems in the last four years, largely because hackers have found plenty of success through basic attack vectors like phishing and credential theft.

"This sounds incredibly silly to say, but the basic step of verifying that you actually own the networks that you think you do is really impactful," said Marshall Kuypers, senior director of cyber risk at Expanse, a cloud and cybersecurity company based in Silicon Valley.

While AWARE is scheduled to launch in October, agencies won't have to start looking over their shoulders right away.

"The idea is we're not going to turn it on and then immediately come down and beat the agencies up because they haven't patched their systems properly," Cox said. "We want to make sure the information they're seeing is the information we're seeing, help to identify the areas where they need to put more information on and then provide support."

DHS will also spend the year pulling smaller, non-CFO Act "micro" agencies onto a shared service CDM platform. The program expects to have 19 such organizations on the platform by the end of March.

Cox said agency leaders, member of Congress and the Office of Management and Budget have all pushed for more operational data from CDM. To that end, DHS expects to award a new dashboard contract in May that will build in new capabilities around data analytics and protecting high-value data for federal agencies.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at, or follow him on Twitter @derekdoestech.

Click here for previous articles by Johnson.


  • Defense
    Ryan D. McCarthy being sworn in as Army Secretary Oct. 10, 2019. (Photo credit: Sgt. Dana Clarke/U.S. Army)

    Army wants to spend nearly $1B on cloud, data by 2025

    Army Secretary Ryan McCarthy said lack of funding or a potential delay in the JEDI cloud bid "strikes to the heart of our concern."

  • Congress
    Rep. Jim Langevin (D-R.I.) at the Hack the Capitol conference Sept. 20, 2018

    Jim Langevin's view from the Hill

    As chairman of of the Intelligence and Emerging Threats and Capabilities subcommittee of the House Armed Services Committe and a member of the House Homeland Security Committee, Rhode Island Democrat Jim Langevin is one of the most influential voices on cybersecurity in Congress.

Stay Connected


Sign up for our newsletter.

I agree to this site's Privacy Policy.