Privacy assessment finds risk with CDM shared service platform


An updated assessment from the Department of Homeland Security finds that a shared services platform designed to help smaller agencies use the Continuous Diagnostics and Mitigation program brings with it new but manageable privacy risks.

Over the past year, DHS has made a concerted effort to bring smaller, non-Chief Financial Officer Act federal agencies onboard CDM while also rolling out a new risk scoring system that it hopes will better gauge the program's effectiveness. To accomplish the first goal, the General Services Administration incorporated a new cloud-based shared services platform from contractor ManTech that opens up a number of CDM capabilities to smaller agencies.

That platform now ingests data collected from CDM tools and sensors at these microagencies, leading DHS to revisit how that information is being protected and kept private. Unlike DHS, which only receives summary data from agencies through its federal dashboard, the contractor-managed shared services platform collects a richer set of data from agencies, including personally identifiable information.

Because of this increased collection, there is a risk that personal data captured through the platform could be misused, according to a recent privacy impact assessment from DHS. The assessment puts responsibility for keeping that data safe on the contractor, and according to the agency, requirements in the new task order have ensured that ManTech put in place the necessary security measures.

The platform deploys full disk encryption to protect data at rest, while operational components collect logs of all activity at the operating system and application layers to track and identify any potential unauthorized access, with all users restricted from deleting audit logs. Contractor staff are also required to complete privacy training.

"The integrator has instituted controls to ensure that agency data is logically separated and segregated so that agencies subscribing to the shared service are only given access and user roles that are specific to their respective agency," the assessment stated.
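Two of the controls the assessment describes, per-agency logical separation with agency-specific roles and an audit log that no user may delete, can be modelled in a few dozen lines. The following is an added illustration written for this article, not code from DHS, GSA or ManTech; the in-memory `SharedServicePlatform`, `AppendOnlyAuditLog`, the agency names and the sample records are all constructed assumptions standing in for the real shared service.

```python
"""Constructed model of agency-scoped authorization plus an append-only audit log.
Hypothetical in-memory platform; not the real CDM shared service."""
from dataclasses import dataclass
from datetime import datetime, timezone


@dataclass(frozen=True)
class User:
    name: str
    agency: str            # the tenant (agency) this account belongs to
    roles: frozenset       # roles granted within that agency only


class AppendOnlyAuditLog:
    """Records every access decision and exposes no way to remove entries,
    mirroring the 'users restricted from deleting audit logs' control."""

    def __init__(self):
        self._entries = []

    def record(self, actor, action, target_agency, allowed):
        self._entries.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "actor": actor.name,
            "actor_agency": actor.agency,
            "action": action,
            "target_agency": target_agency,
            "allowed": allowed,
        })

    def entries(self):
        # Hand back copies so callers cannot alter the stored history.
        return tuple(dict(e) for e in self._entries)

    def delete(self, *_):
        # Deletion is refused for every caller, regardless of role.
        raise PermissionError("audit log entries cannot be deleted")


class SharedServicePlatform:
    """Hypothetical multi-tenant store: each agency's CDM data sits in its own
    partition and is readable only by a user holding a role in that agency."""

    def __init__(self, audit):
        self._partitions = {}   # agency -> list of ingested records
        self.audit = audit

    def ingest(self, agency, record):
        self._partitions.setdefault(agency, []).append(dict(record))

    def _authorized(self, user, agency, needed_role):
        # Logical separation: the tenant must match AND the role must be held.
        return user.agency == agency and needed_role in user.roles

    def read(self, user, agency):
        allowed = self._authorized(user, agency, "viewer")
        self.audit.record(user, "read", agency, allowed)   # log before deciding
        if not allowed:
            raise PermissionError(f"{user.name} may not read {agency} data")
        return [dict(r) for r in self._partitions.get(agency, [])]


def run_scenario():
    """Exercise the controls and return the outcomes for checking."""
    audit = AppendOnlyAuditLog()
    platform = SharedServicePlatform(audit)
    # Constructed sample records carrying a PII-like field, one per agency.
    platform.ingest("agency-a", {"host": "a-ws-01", "owner_email": "a.user@example.gov"})
    platform.ingest("agency-b", {"host": "b-ws-07", "owner_email": "b.user@example.gov"})

    alice = User("alice", "agency-a", frozenset({"viewer"}))
    bob = User("bob", "agency-b", frozenset({"viewer", "admin"}))

    own = platform.read(alice, "agency-a")          # same tenant, viewer role
    try:
        platform.read(bob, "agency-a")              # cross-tenant read: denied
        cross_denied = False
    except PermissionError:
        cross_denied = True
    try:
        audit.delete(0)                             # no one may prune the log
        delete_blocked = False
    except PermissionError:
        delete_blocked = True

    return {
        "own_rows": len(own),
        "cross_denied": cross_denied,
        "delete_blocked": delete_blocked,
        "audit_entries": len(audit.entries()),
        "denied_logged": any(not e["allowed"] for e in audit.entries()),
    }


if __name__ == "__main__":
    print(run_scenario())
```

The point of the model is that the tenant check and the role check are evaluated together, so an administrator in one agency gains nothing in another, and that the denied attempt is recorded before the decision is returned, which is what makes the audit trail useful for spotting unauthorized access.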

A similar assessment of the program's new AWARE risk scoring algorithm found that it did not introduce any additional privacy concerns.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at [email protected], or follow him on Twitter @derekdoestech.

