
A Guide to DHS CDM Program

Continuous Diagnostics and Mitigation (CDM) used to be a contract and a program, but now it is a program that sits on the GSA contract. It is run by the Department of Homeland Security (DHS) with the mission of reducing cyber risk and providing visibility across the federal government. The focus is on finding and prioritizing risks, dealing with cyber security risks, increasing visibility into the federal cyber security space, and improving the government’s ability to respond to issues or threats, whatever that might look like.

They have specific funding that agencies can use—in essence as a grant. Different agencies and governmental entities—such as the Department of Commerce—can apply to get funding from DHS to enable the purchase of CDM technologies.

How to Acquire Continuous Diagnostics & Mitigation Tools

CDM offers a set of certified tools, an Approved Products List (APL). A vendor will submit information about the capabilities of a tool to CDM, where that tool sits in the network, and what that tool will allow and not allow for. Tools that are part of the CDM program provide capabilities in the following 5 areas:

  1. Data Protection Management
  2. Network Security Management
  3. Identity Access Management
  4. Asset Management
  5. Dashboards

The CDM office at DHS evaluates the tool for acceptability and applicability to the APL. If a tool meets the criteria, it is then classified into a specific CDM category. All CDM tools are available on the GSA schedule via the CDM Special Item Number (SIN): 5415419CDM (formerly 132-44). From a purchasing standpoint, the process looks very much like a regular GSA purchase. The tools in this SIN have all been vetted by DHS, which manages the technical capability side of CDM while GSA manages the contractual side. DHS owns CDM and GSA provides the ease of buying and the ability to expedite awards.

CDM and DHS are working with emerging, established, and developing cyber technologies to counter threats from our adversaries. Essentially, CDM protects us, who we are, and what we do from a wide variety of threats from bad actor nation-states.

Benefits of Obtaining CDM Tools

Rolling Submissions:  CDM offers a rolling monthly submission of new tools for addition to the APL, which is nice flexibility for a government program. The acquisition of new and innovative technology is sometimes a challenge for the government, so rolling submissions allow for more flexibility and the ability to act in a more expedited way. Cyber security threats are always changing—and consequently so are the tools and the defensive measures to deal with them. The CDM stance of allowing for monthly rolling submissions strengthens the program over time.

Broad Base of Customers: CDM focuses on federal infrastructure, but they work with GSA and its broad base of customers, including buyers such as tribal and territorial governments (for example, Guam or the Cherokee Nation).

High Levels of Support: At DHS, the CDM program delivers high levels of support to federal civilian agencies. They have direct program management resources as well as direct funding resources, outreach resources, and more.

CISA: CDM fits within a group called CISA (Cybersecurity and Infrastructure Security Agency), which has a congressional mandate at the national level to extend cyber security and the availability of CDM tools. It also supplies capabilities and knowledge into the framework of state and local governments and works to protect our nation’s vital infrastructure.

Election Security: One area of concern is election security. Help America Vote Again (HAVA) is an organization whose funding focuses on securing elections, ensuring confidence in election results, having robust voting technology, and withstanding potential cyber threats. This is a bipartisan issue since all parties agree that the user experience needs to be better and cyber security needs to improve. CDM and its suite of tools address those threats.

Critical Infrastructure: DHS sees it as a high priority to offer protective services to critical infrastructure organizations like power companies, oil refineries, railroads, and beyond. It is likely we will see expansion of CDM into those areas through CISA’s outreach programs over the next few years.
