Evolving CDM to Transform Government Cybersecurity Operations and Enable CISA’s Approach to Interactive Cyber Defense


Michael Duffy, Associate Director for Capacity Building, CISA

In recent weeks, a federal agency identified an active exploit targeting its network. The agency promptly shared cyber threat intelligence with our team at the Cybersecurity and Infrastructure Security Agency (CISA). Though the agency quickly mitigated the threat, CISA used our Continuous Diagnostics and Mitigation (CDM) Federal Dashboard and detected several other vulnerable systems in the federal government related to this exploit. Within minutes, we leveraged this host-level visibility into federal agency infrastructure to confirm potential risks, alert affected agencies, and actively track mitigation – preventing an active exploit from causing widespread harm across agency systems and impacting essential services upon which Americans depend.

A New Era for CDM 

The capabilities of CDM today are in stark contrast to those of just a few years ago. Previously, Federal Civilian Executive Branch (FCEB) operators and CISA counterparts lacked sufficient operational visibility – insight into what devices, software, and users were operating within the environment – to effectively mitigate risks prior to a breach. Operators had no automated way to share valuable intelligence with other federal agencies; it was all manual data calls. Now, because of the CDM program, agencies and CISA can respond to cyber threats in a coordinated and expedited fashion by sharing data between dedicated CDM Agency Dashboards and CISA’s CDM Federal Dashboard. 

CDM Agency Dashboards visualize cyber risk information collected from sensors and tools deployed within agencies’ environments. Each Agency Dashboard shares data with our Federal Dashboard, giving CISA an integrated view of the dynamic state of the federal enterprise’s unclassified domain, positioning cyber operators across the federal government to more effectively collaborate when responding to a cyber threat. 

Program Evolution Towards Operational Risk Reduction 

Within the last three years, the scope, scale, and impact of CDM on federal cybersecurity have grown significantly. The CDM Dashboards are not just a tool for measuring progress or visualizing risk – CISA’s cyber defense operators are increasingly turning to the Federal Dashboard to aid in incident response, while agency cyber leaders and practitioners alike are beginning to shape operational and strategic activities based on the evolving ‘current state’ data provided by CDM.

Earlier this spring, we achieved a major milestone – all 23 Chief Financial Officer (CFO) Act agencies are now sharing cyber risk information with CISA on a continuous basis through their CDM Agency Dashboards. The frequency, precision, and level of detail of this information sharing have been a key enabler of CISA’s operational visibility throughout the FCEB. And this is only the start.

CDM is no longer a static effort to standardize agency capabilities and collect cybersecurity information, but rather the U.S. government’s cornerstone for proactive, coordinated, and agile cyber defense of the federal enterprise. 

This month, CISA leveraged the CDM capabilities as part of a broader response to two concerning cyber events. CISA operators analyzed near real-time agency dashboard reports to coordinate targeted notifications for the MOVEit Transfer vulnerability and understand prevalence within minutes, again a significant improvement from pre-Dashboard days. Additionally, in response to the recent widespread email security gateway exploit, CISA threat hunters utilized the CDM Endpoint Detection and Response (EDR) platform in collaboration with the impacted agency to directly access the agency’s environment and search for instances of threat activity, working shoulder-to-shoulder with agency staff. This demonstrates what the Government gains by evolving our collective, interactive cyber defense posture.

This recent evolution of CDM was shaped by several major cyber events over the years that led to new and expansive authorities, increased demand for centralized services, and a resounding call to strengthen government data protection on behalf of the American people. The Biden-Harris Administration’s Cybersecurity Executive Order drove substantial changes to increase CISA’s operational visibility of granular data to the CDM Dashboards and advanced our relationship with agencies. Our relationships have progressed to much more effective, valued, and collaborative partnerships that promote identifying, understanding, and reducing risks across the federal enterprise.  

What’s Next? 

We’re proud of the progress we’ve made over the last decade and how CDM is helping to strengthen the federal government’s information infrastructure. We’re even more excited about where CDM will go in the next decade, and how we will advance cyber defenses to ensure our nation’s resilience to cyber threats. In the coming weeks, we’ll be sharing these details through additional blog posts – stay tuned!