Privacy assessment finds risk with CDM shared service platform

An updated assessment from the Department of Homeland Security finds that a shared services platform designed to help smaller agencies use the Continuous Diagnostics and Mitigation program brings with it new but manageable privacy risks.

Over the past year, DHS has made a concerted effort to bring smaller, non-Chief Financial Officer Act federal agencies onboard CDM while also rolling out a new risk scoring system that it hopes will better gauge the program's effectiveness. To accomplish the first goal, the General Services Administration incorporated a new cloud-based shared services platform from contractor ManTech that opens up a number of CDM capabilities to smaller agencies.

That platform now ingests data collected from CDM tools and sensors at these microagencies, leading DHS to revisit how that information is being protected and kept private. Unlike DHS, which only receives summary data from agencies through its federal dashboard, the contractor-managed shared services platform collects a richer set of data from agencies, including personally identifiable information.

Because of this increased collection, there is a risk that personal data captured through the platform could be misused, according to a recent privacy impact assessment from DHS. The assessment puts responsibility for keeping that data safe on the contractor, and according to the agency, requirements in the new task order have ensured that ManTech put in place the necessary security measures.

The platform deploys full disk encryption to protect data at rest, while operational components collect logs of all activity at the operating system and application layers to track and identify any potential unauthorized access, with all users restricted from deleting audit logs. Contractor staff are also required to complete privacy trainings.

"The integrator has instituted controls to ensure that agency data is logically separated and segregated so that agencies subscribing to the shared service are only given access and user roles that are specific to their respective agency," the assessment stated.

A similar assessment of the program's new AWARE risk scoring algorithm found that it did not introduce any additional privacy concerns.

About the Author

Derek B. Johnson is a senior staff writer at FCW, covering governmentwide IT policy, cybersecurity and a range of other federal technology issues.

Prior to joining FCW, Johnson was a freelance technology journalist. His work has appeared in The Washington Post, GoodCall News, Foreign Policy Journal, Washington Technology, Elevation DC, Connection Newspapers and The Maryland Gazette.

Johnson has a Bachelor's degree in journalism from Hofstra University and a Master's degree in public policy from George Mason University. He can be contacted at [email protected], or follow him on Twitter @derekdoestech.
