Continuous Diagnostics and Mitigation (CDM)

Cybersecurity and Infrastructure Security Agency’s Continuous Diagnostics and Mitigation (CDM) Program is leading the effort to reduce cyber risk and provide visibility across the federal government.  

The CDM Program is delivering automated tools to federal agencies to strengthen their ability to monitor and manage the threat of cyber vulnerabilities. 

Learn more about CDM’s capabilities and how the program works in this introductory video, featuring CDM Program Manager Kevin Cox.

Consistent with the Federal Government's deployment of Information Security Continuous Monitoring (ISCM), the Continuous Diagnostics and Mitigation (CDM) Program is a dynamic approach to fortifying the cybersecurity of government networks and systems. The CDM Program provides cybersecurity tools, integration services, and dashboards to participating agencies to support them in improving their respective security posture. Program objectives are to:

  • Reduce agency threat surface;
  • Increase visibility into the federal cybersecurity posture;
  • Improve federal cybersecurity response capabilities; and
  • Streamline Federal Information Security Modernization Act (FISMA) reporting.

How CDM Works

The CDM approach is consistent with guidance from the Office of Management and Budget (OMB) and the National Institute of Standards and Technology (NIST) and helps meet federal reporting requirements. CDM offers industry-leading, commercial off-the-shelf (COTS) tools to support technical modernization as threats change. To start, agency-installed sensors are deployed and perform an ongoing, automated search for known cyber flaws. Results from the sensors feed into an agency dashboard that produces customized reports that alert network managers of their most critical cyber risks. Prioritized alerts enable agencies to efficiently allocate resources based on the severity of the risk. Progress reports track results, which can be used to compare security postures among agency networks. Summary information feeds into a federal enterprise-level dashboard to inform and provide situational awareness into cybersecurity risk posture across the Federal Government.

CDM Capabilities

The CDM Program delivers capabilities in five key areas, as identified in the diagram shown here and further described below.

The CDM Program delivers capabilities in five key areas, as identified in the diagram shown here and further described below

CDM Agency and Federal Dashboards

The dashboards receive, aggregate, and display information from CDM tools at the agency and federal levels. 

Asset Management: "What is on the network?"

Managing "what is on the network?" requires the management and control of devices (HWAM), software (SWAM), security configuration settings (CSM), and software vulnerabilities (VUL). 

Identity and Access Management: "Who is on the network?"

Managing "who is on the network?" requires the management and control of account/access/managed privileges (PRIV), trust determination for people granted access (TRUST), credentials and authentication (CRED), and security-related behavioral training (BEHAVE).  

Network Security Management: "What is happening on the network?"

Managing "what is happening on the network?" requires the management of network and perimeter components, host and device components, data at rest and in transit, and user behavior and activities. This includes management of events (MNGEVT); operate, monitor, and improve (OMI); design and build-in security (DBS); boundary protection (BOUND); supply chain risk management (SCRM); and ongoing authorization.  

Data Protection Management: "How is data protected?"

Managing “how is data protected?” requires management of the protection of data through the capabilities: data discovery/classification (DISC); data protection (PROT); data loss prevention (DLP); data breach/spillage mitigation (MIT); and information rights management (IRM).

Benefits of CDM

The CDM Program enhances government network security through automated control testing and progress tracking. This approach:

  • Provides services to implement sensors and dashboards;
  • Delivers near-real time results;
  • Prioritizes the worst problems within minutes, versus quarterly or annually;
  • Enables defenders to identify and mitigate flaws at network speed; and
  • Lowers operational risk and exploitation of government IT systems and networks.

Additionally, for federal cyber investments, the CDM program fulfills Federal Information Security Management Act (FISMA) mandates. 

The CDM program is designed to rigorously ensure personal privacy. Data sent from CDM participant networks to DHS does not include any Personally Identifying Information (PII) or information about specific department or agency computers, applications or user accounts.

CDM Acquisition Strategy

The CDM acquisition strategy is a two-pronged approach to provide products and services to meet the CDM program objectives. It includes services executed through the Dynamic and Evolving Federal Enterprise Network Defense (DEFEND), a series of Task Orders (TOs) against the Alliant GWAC, and CDM Tools Special Item Number (SIN) on GSA IT Schedule 70. 

CDM Dynamic and Evolving Federal Enterprise Network Defense (DEFEND)

The scope of CDM DEFEND encompasses all activities that support CDM capabilities, along with the following:

  • Deploys CDM capabilities across the .gov domain;
  • Deploys the capabilities within groups of agencies to achieve volume discounts and other cost efficiencies;
  • Provides flexibility for different requirements in terms of agency readiness, complexity, location of data (on premise/mobile/cloud), and mission objectives;
  • Supports the use of innovative products; and
  • Offers a “CDM Shared Services” delivery model enabling agencies to leverage CDM tools and infrastructure to increase network security.  

The DEFEND acquisition strategy gives DHS and agencies a vehicle to procure additional CDM tools from the CDM Approved Products List (APL) via the CDM Tools SIN as an option and services outside of what is being provided by DHS. The shared services approach is being deployed to government entities seeking a common platform across internal components or agencies lacking the infrastructure/resources for a standalone CDM implementation. 

CDM Special Item Number (SIN)

The CDM Tools SIN was awarded GSA IT Schedule 70 on August 3, 2017. DHS, in partnership with GSA, leveraged lessons learned from the past Blanket Purchases Agreements (BPAs), as well as best practices across the Schedules Program to create a vehicle to best support the CDM mission. The CDM SIN is a government-wide contracting solution that provides a consistent set of ISCM tools to federal, state, local, regional, and tribal governments. The SIN includes cybersecurity tools and sensors. CDM provides monthly opportunities to refresh and add new tools including innovative tools that meet the technical requirements of the CDM program via the CDM APL. 

The CDM Tools SIN is the first of its kind for the GSA IT Schedule 70 Program as a result of its unique features and contract mechanisms, including Supply Chain Risk Management (SCRM) review and analysis as well as the use of an approved products lists. The CDM APL is the authoritative product catalog that has been approved to meet CDM technical capability requirements. The CDM APL consists of products that have been approved against the BPAs, as well as products that have since been proposed and approved to meet the CDM technical requirements and conformance criteria. Products cannot be added to the CDM Tools SIN unless it exists on the CDM APL. The CDM APL accepts submissions on a monthly basis. 

For more information about CDM Tools SIN and the CDM APL, please visit or email

For more information or general questions related to the Continuous Diagnostics and Mitigation Program Fact Sheet, please contact



Was this document helpful?  Yes  |  Somewhat  |  No