CISA’s Continuous Diagnostics and Mitigation (CDM) Program provides a dynamic approach to fortifying the cybersecurity of government networks and systems. The CDM Program delivers cybersecurity tools, integration services, and dashboards that help participating agencies improve their security posture.
The CDM Program’s Approved Products List (APL) is the authoritative catalog for approved products that meet CDM technical requirements. Software and hardware manufacturers and resellers can submit products for APL consideration monthly. CISA reviews each submission against established CDM Program criteria to validate the vendor’s claim that each product meets the requirements for the capability category for which it was submitted.
The CDM APL is managed by the CISA Cybersecurity Division’s Capacity Building Acquisition and Budget office. Capacity Building Acquisition and Budget ensures that federal agencies have several ways to purchase approved CDM products. See below for details.
→ Download the November 2022 CDM Approved Products List (APL) (xlsx; 8,707KB)
Offering Tools and Services on the CDM APL
APL Submission Process
The CDM Program includes cybersecurity tools and sensors that are reviewed by the program for conformance with Section 508, federal license users, and CDM technical requirements. Each month, the program sponsors an open season to encourage cybersecurity original equipment manufacturers and others to update, refresh, and add new and innovative tools to the CDM APL.
APL submission documents (updated December 2022) include:
- CDM APL Submission Instructions FY2023 (pdf, 216KB)
- CDM APL Submission Form FY2023 (xlsx, 634KB)
- CDM APL SCRM Plan Background FY2023 (pdf, 161KB)
- CDM APL SCRM Plan Questionnaire FY2023 (xlsx, 110KB)
- Voluntary Product Accessibility Template (VPAT) – A template used to document a product’s conformance with accessibility standards and guidelines (available for download at Section508.gov). Offerors should use this template to explain how their information and communication technology (ICT) products (software, hardware, electronic content, and support documentation) meet Section 508 standards.
- End User License Agreement (EULA) – A legally binding document defining the user’s rights and restrictions for using the offeror’s products; also known as a commercial supplier agreement.
Additional resources:
- CDM Technical Capabilities, Volume One: Actual Desired States, Version 1.1 (pdf, 653KB)
- CDM Program Technical Capabilities, Volume Two: Requirements Catalog, Version 2.4 (pdf, 708KB)
- (ARCHIVED 2020 Version) CDM Technical Capabilities, Volume Two: Requirements Catalog (pdf, 1,955KB)
- (ARCHIVED 2018 Version) CDM Technical Capabilities, Volume Two: Requirements Catalog (pdf, 708)
CISA accepts submissions to the CDM APL on a monthly basis. Offerors can submit to CISA starting the Monday of the first full or partial week of the month, with submissions being accepted through Friday of that week. See submission calendar below.
| Submission Period – Month | Period Start Date | Period End Date |
|---|---|---|
| 64 – December 2022 | Nov. 28 | Dec. 2 |
| 65 – January 2023 | Jan. 2 | Jan. 6 |
| 66 – February 2023 | Jan. 30 | Feb. 3 |
| 67 – March 2023 | Feb. 27 | March 3 |
| 68 – April 2023 | April 3 | April 7 |
| 69 – May 2023 | May 1 | May 5 |
| 70 – June 2023 | May 29 | June 2 |
| 71 – July 2023 | July 3 | July 7 |
| 72 – August 2023 | July 31 | Aug. 4 |
| 73 – September 2023 | Aug. 28 | Sept. 1 |
For current agency partners who would like access to approved submission documents, including end user license agreements, Supply Chain Risk Management (SCRM) plans, and Voluntary Product Accessibility Templates (VPATs): please visit the CDM APL page on the Office of Management and Budget’s MAX.gov.
Purchasing CDM APL Tools and Services
GSA Alliant I and II — CDM DEFEND Task Order Series
Participating agencies can make purchases through the CDM Dynamic and Evolving Federal Enterprise Network Defense (DEFEND) task order series. CDM DEFEND is executed through Alliant, a General Services Administration (GSA) government-wide acquisition contract (GWAC) vehicle.
GSA MAS Information Technology (legacy GSA IT Schedule 70)
Purchases can also be made through GSA Advantage! via the Multiple Award Schedule (MAS) Information Technology (IT) contract. MAS IT is one of the larger contracts in the federal government. Agencies use it to buy technology products and services. For information on buying CDM APL tools and services through MAS IT, please visit GSA. CDM products are tagged on GSA Advantage!, giving purchasers the confidence that these products are CDM approved.
Note: The CDM Tools Special Item Number (SIN) retired on June 30, 2022.
NASA SEWP CDM Catalog
In addition, the CDM Program has partnered with the National Aeronautics and Space Administration’s Contract Solution for Enterprise-Wide Procurement (NASA SEWP), a GWAC authorized by the U.S. Office of Management and Budget (OMB) and managed by NASA, to provide a catalog for purchasing CDM APL products.
All federal civilian agencies can purchase from the NASA SEWP CDM Catalog. Non-federal entities, including CDM DEFEND system integrators, can buy from the NASA SEWP CDM Catalog with a Letter of Authorization.
If you have questions about CDM Program acquisitions or the CDM APL, please email us at csd_cb.acqbudg@cisa.dhs.gov.