House passes CDM bill

A bill to codify Continuous Diagnostics and Mitigation, a governmentwide cybersecurity program run out of the Department of Homeland Security, passed the House Sept. 4.

The bill, sponsored by Rep. John Ratcliffe (R-Texas), chair of the House Cybersecurity and Infrastructure Protection subcommittee, would add CDM to the Homeland Security Act, require federal agencies to develop reporting metrics for systemic cybersecurity risks and build in expectations that agencies will continually update and deploy new technologies to support the program. It also requires the secretary of Homeland Security to develop a strategic plan for the program six months after passage.  

"The CDM program has proven to be an indispensable tool for DHS and [the National Protection and Programs Directorate] in identifying and defending against cyber threats to our federal networks," Ratcliffe said in a statement. "Codification will help promote its ongoing success and improvement, so we can ensure our federal network protection efforts keep pace with the ever evolving threat landscape."

If enacted into law, it would represent the first attempt by Congress to bolster the program through legislation. Ratcliffe and other members of Congress have expressed confidence in DHS and the foundation of CDM; they have also expressed concern over slower than expected progress from many federal agencies.

The bill, while not as robust as some members and staffers hoped, is viewed as one step towards boosting adoption rates. A congressional aide told FCW in July shortly after the bill was released that the goal was to pair it with oversight hearings and possibly additional legislation down the road.

However, merely demonstrating that Congress still supports CDM could have a positive effect on the way federal agencies perceive and prioritize its program, according to Suzanne Spaulding, former undersecretary of NPPD. Unlike other cybersecurity programs like Einstein, Spaulding told FCW that DHS has had to push agencies to adopt CDM. Even as they expressed interest in the program and its benefits, many were wary of its invasive nature and daunting implementation and integration challenges. She said Congress passing this legislation would send a message to anyone sitting on the fence that it's worth the effort.

"There is expense and resources required in terms of time and effort to implement the technologies provided through CDM," Spaulding said. "If you wonder whether the support for this program is going to be sustained, you can stall, you can debate about 'should we be making this expenditure?' So just simply sending the signal that this program has support from Congress and isn't going away is a really important step in getting departments and agencies to undertake the burden, frankly, of implementing CDM."

The bill now moves to the Senate, where another DHS cyber reform bill, the Cybersecurity and Infrastructure Security Agency Act, has thus far become mired in jurisdictional turf wars between differing committees since being passed last year. Ratcliffe urged the Senate to swiftly consider and pass its own version of his CDM legislation.

The House also passed another significant piece of cyber-related legislation on Sept. 5. The Cyber Deterrence and Response Act  lays out a formal process for the president to enact diplomatic, economic and criminal sanctions against nation-states found to be engaging in malicious cyber activity.