A Guide to the Continuous Diagnostic and Mitigation Program by CISA

The Continuous Diagnostics and Mitigation (CDM) Program, established in 2012 by the Cybersecurity and Infrastructure Security Agency (CISA), provides a dynamic approach to fortifying the cybersecurity of Government networks and systems by improving the security posture of participating agencies and mitigating risk to the nation’s cyber and physical infrastructure.

Carahsoft’s long history of supporting CISA’s CDM program allows Carahsoft to provide cutting-edge software to benefit the Government’s pressing national security requirements. Currently, Carahsoft supports more than 70 vendor partners on the CDM Approved Products List (APL), assisting in completing the submission process and maintaining communication with CISA for APL updates. Our extensive vendor and partner network allows the Government to procure asset and identity management, network security and data protection tools in support of the CDM program.

How the CDM Program Works 

The goal of the CDM program is to find and prioritize risks in cybersecurity, increasing visibility into the Federal cybersecurity space and improving the Government’s ability to respond to issues or threats. In the past few years, the CDM program has grown to become a proactive, coordinated and efficient entity. In CISA’s projected budget for 2025, $469.8M will be allotted for the CDM program to strengthen the security posture of Federal Government networks and systems. 


CISA has a congressional mandate at the national level to extend cybersecurity and the availability of CDM tools. It also supplies capabilities and knowledge into the framework of State and Local Governments and works to protect the nation’s vital infrastructure. Government agencies have specific funding that they can use—in essence as a grant. Different agencies and governmental entities can apply to get funding from the Department of Homeland Security (DHS) to enable the purchase of CDM technologies. DHS and CISA work with emerging, established and developing cyber technologies to counter threats from a wide variety of adversaries. 

The CDM Program APL and Procurement Process 

The CDM program offers a set of certified tools and sensors, known as the APL. To begin the process for a solution to be approved for the APL, a vendor must submit information about its capabilities to CISA, for example, where that tool sits in the network and what it is capable of. Tools that are part of the CDM program provide capabilities in the following 4 areas:

  1. Asset Management
  2. Identity and Access Management
  3. Network Security Management
  4. Data Protection Management

The CDM office at CISA evaluates the offeror’s claims for that solution for acceptability and applicability onto the APL. If it meets the defined cybersecurity criteria, it is then classified into a specific category. Products labeled by CDM listed on the GSA MAS IT schedule through GSA Advantage have already been vetted and approved by CISA, signifying that they meet the technical standards needed for Government procurement. Therefore, agencies do not need to repeat the evaluation process when purchasing through GSA. While CISA manages the CDM program, GSA provides the ease of buying and the ability to expedite awards. CDM products can also be acquired through the NASA SEWP CDM catalog and are added to this contract via customer request.  

The CDM program includes cybersecurity tools and sensors reviewed for conformance with Section 508, Federal license users and CDM technical requirements. Each month, the program offers a weeklong submission window for new tools to be submitted for addition to the APL, which allows for unique flexibility for a Government program and strengthens the program over time. Since the acquisition of new and innovative technology can oftentimes lead to longer implementation timelines for the Government, monthly rolling submissions allow for a quicker and more flexible process for agencies obtaining new products. Not only is this a benefit for Government, but for industry, too, as a larger submission window allows technology vendors the opportunity for their products to be added to the APL more frequently.  

Cybersecurity threats are ever evolving—and consequently so are the tools and the defensive measures needed to mitigate them. CDM products expire from the APL every 3 years to ensure the products listed continuously comply with modern cybersecurity standards. For more information on the technical evaluation process, please review the APL Product Submission Instructions. 

Benefits of Acquiring CDM Tools for End Users 

Broad Base of Customers: The CDM program focuses on Federal infrastructure but works with GSA and its broad customer base, including buyers such as the Departments of Agriculture, Transportation, Justice and Education, as well as tribal and territorial Governments, for example. 

High Levels of Support: At CISA, the CDM program delivers high levels of support to Federal civilian agencies. It has direct program management resources, funding resources, and outreach resources, among others. 

Election Security: Election security is top of mind for 2024. The Help America Vote Act (HAVA) is an organization whose funding focuses on securing elections, ensuring confidence in election results, having robust voting technology and withstanding potential cyber threats. This is a bipartisan issue since all parties agree that user experience and cybersecurity require improvement. The CDM program and its robust suite of tools address these crucial objectives. 

Critical Infrastructure: DHS prioritizes protective services to critical infrastructure organizations like power companies, oil refineries and railroads. For example, $130.3M of CISA’s FY25 budget will ensure emergency communication interoperability and assistance.  

Integrators for the CDM Program 

Integrators are an integral part of the CDM Program, providing cybersecurity expertise, consulting, technology, tools, solutions and services to participating Government agencies. These organizations work directly with the agencies to strengthen IT security posture, zero trust maturity and other mission critical cybersecurity needs. The following integrators are currently the contract holders for agencies participating in the CDM Program in groups A-F, which are categorized by the task orders each agency holds. 

To learn more about defending Federal networks and systems with the CDM Program, the partners we support on the CDM APL and how you can sell your products under CDM, visit our CDM Program Overview and contact us today. 

Top 7 State and Local Contract Vehicles to Support Your SLG Fiscal Year Requirements

As we approach the end of the fiscal year, state and local governments and higher education institutions are ramping up purchasing to ensure every allocated budget dollar is spent and prepare their organizations for further IT advancements in the coming year. Leveraging the right contract vehicles can streamline procurement processes, ensuring timely and efficient acquisition of necessary technologies and services. These contracts can also provide technology vendors and resellers unique opportunities to expand their public sector businesses.

Below, we explore the top contract vehicles that state and local governments (SLG) and education institutions (EDU) are using as they close out their fiscal year with their preferred reseller partner this month.

1. NASPO ValuePoint


NASPO ValuePoint is the cooperative purchasing arm of the National Association for State Procurement Officials, designed to provide access to the best possible IT solutions. It is considered to be the nation’s most significant public contracting cooperative. The contract offers a wide variety of technology solutions, including IaaS, PaaS & SaaS.

Carahsoft’s Contract: NASPO ValuePoint contract #AR2472 includes dozens of technology vendors.

Who Can Use It: State and local governments, municipalities, and public education entities (K-12 & Higher-Education).

2. GSA Cooperative Purchasing Program

The General Services Administration (GSA) Cooperative Purchasing Program grants state and local government entities access to federal GSA Schedule contracts, which are exclusively IT solutions and professional services. The GSA Cooperative Purchasing Program provides a streamlined procurement process for state and local governments to purchase IT solutions, often with pre-negotiated and cost-effective pricing structures.

Carahsoft’s Contract: GSA Schedule #47QSWA18D008F aggregates solutions from many technology vendors.

Who Can Use It: State and local governments.

3. Texas Department of Information Resources (TX DIR)

The Texas Department of Information Resources (TX DIR) has established a Cooperative Contracts Purchasing Program which offers a wide range of product offerings, services and technology solutions to customers in Texas and nationwide. Public entities outside of Texas are also welcome to purchase through DIR contracts. The DIR contracts provide customers with streamlined procurement as all of the preliminary procurement work is done. TX DIR contracts offer a wide range of technologies including hardware, software, cloud, and professional IT services.

Carahsoft Contract: Carahsoft holds six TX DIR contracts, offering a wide variety of products and services from hundreds of technology vendors.

Who Can Use It: State and local governments, public education and other public entities nationwide.

4. California Software Licensing Program (CA SLP)

The California Software Licensing Program (CA SLP), established in 1994 and administered by the Department of General Services’ Procurement Division, provides state and local government entities within the state of California with access to discounted software licensing agreements. This contract expedites and simplifies the procurement process while supporting state government modernization goals with a host of technology solutions.

Carahsoft Contract: Carahsoft holds 11 CA SLP contracts, offering solutions ranging from data management to cybersecurity and more.

Who Can Use It: State and local government agencies in California.

5. E&I Cooperative Services

E&I Cooperative Services is the largest and most experienced member-owned, non-profit purchasing cooperative focused on education. E&I provides education institutions with access to IT products and services, including learning management systems, classroom technologies and administrative software tailored to their unique needs.

Carahsoft Contract: E&I Cooperative Services contract #EI00063-2021MA provides E&I members with cloud and managed service solutions, and related IT products and services.

Who Can Use It: Educational institutions, including K-12 schools and higher education.

6. OMNIA Partners Public Sector

OMNIA Partners is one of the largest public sector cooperative purchasing organizations, providing comprehensive access to a wide variety of technology contracts across hardware, software and cloud solutions. The cooperative purchasing program is focused on efficiency, compliance and value, aiming to further streamline the procurement process for the public sector entities that leverage this contract.

Carahsoft Contract: Carahsoft’s contract with OMNIA Partners, #R191902, provides state and local governments and education institutions with access to technology from over 150 vendors, addressing the IT needs for all OMNIA Partners participants.

Who Can Use It: State and local governments, public education institutions, and nonprofits.

7. The Quilt

The Quilt is a national coalition of advanced regional networks for research and education, providing members with access to IT services and technologies. The Quilt provides access to technologies that meet the specific needs of educational and research communities, offering high-performance computing, research networking and related IT services to hundreds of universities and thousands of other education institutions.

Carahsoft Contract: MSA – 05012019F offers members access to networking, cloud infrastructure, data management, cybersecurity, virtualization and enterprise technologies.

Who Can Use It: Higher education institutions, research institutions, and related organizations.

By turning to these popular contract vehicles, state and local governments and educational institutions can easily find and purchase the technologies that map to their modernization efforts while ensuring compliance and maximizing investments through their preferred resellers. As the fiscal year draws to a close, these contracts serve as a vital resource for timely and cost-effective procurement, driving end-of-year business to new heights and propelling public sector advancements.

For more information on Carahsoft’s contracts across each of these contract vehicles, please reach out to contracts@carahsoft.com.

Okta Cloud Identity Now Available on NJ NASPO Contract

Okta Cloud Identity solutions are now available to all New Jersey public and executive agencies on Carahsoft’s statewide NASPO ValuePoint contract. Carahsoft makes it easy for all agencies within the State of New Jersey to utilize this contract vehicle to procure cloud solutions via a state contract. Okta delivers the essential, modern identity and access management (IAM) capabilities that can assist the state’s modernization efforts for their workforce and constituents.

Okta’s Cloud Identity Solutions include:

  • Single sign on
  • Advanced Server Access
  • API Access Management
  • Multi-factor authentication
  • Access gateway
  • User management

Advantages of Software as a Service

New Jersey state agencies can reduce costs, accelerate services, and modernize their cybersecurity initiatives in several ways with the addition of an Identity as a Service (IDaaS) solution.

Okta’s standard SaaS product can offer:

  • Data transparency through data collection tools that can help explain analytics to users
  • Easy access to the cloud for employees that are working remotely
  • Enhanced security via the ability to update and oversee software to respond to threats
  • Service resources for citizens
  • Simplified cloud usage that will save money by removing the need to outsource IT

With this new addition to Carahsoft’s NASPO Contract, Okta is able to provide the state with modern and secure identity and access management solutions that are easy to maintain through the cloud.

Identity Access Management on StateRAMP

In September of 2021, Okta became one of the first organizations to be included on the StateRAMP authorized vendor list. StateRAMP aims to standardize and promote cybersecurity through education, advocacy, and policy development for state and local governments. Through their partnership, the two aim to improve cybersecurity on government websites to better serve the public.

As one of the first companies included in the StateRAMP authorized vendor list, Okta has illustrated its data security capabilities. Okta’s security solutions can abide by government regulations such as FedRAMP and HIPAA. Okta can also help companies become CJIS compliant. Targeted toward government and procurement officials, the StateRAMP list recognizes companies with established data security, as well as accomplished IaaS, SaaS, and/or PaaS solutions. With the rise in remote work, IT security has become more important than ever.

Identity Standardization in Kansas and Iowa

Okta has aided the Kansas and Iowa state governments’ objectives in combating fraud and providing citizens secure access to critical online services. With the hurdles caused by the COVID-19 pandemic, work had changed dramatically. More citizens needed to file for unemployment benefits, and others had their work moved remotely. Okta was there to help agencies transition to modern technology platforms while maintaining the same level of security.

For government agencies, Okta’s identity security solution is vital to protection from cyber threats. Due to Okta’s efforts of employing Identity Access Management solutions on Kansas and Iowa websites, access security has improved for both the government workforce and public citizens. This pursuit has led to faster implementation, better time value, enhanced security, digital transformation, and a simplified experience for users.

With the implementation of Okta Identity Cloud, the Kansas Department of Labor and/or Iowa were able to:

  • Stop over 7 million bots and fraudulent login attempts to their unemployment benefit site
  • Utilize Okta’s customer identity products to connect citizens to new online services as they helped affected citizens with rental and utility assistance
  • Connect all its citizens with easy online access to agency services
  • Strengthen their government services to better serve their constituents

With Okta’s cybersecurity protection from bad actors and bots, and their endeavor to provide secure, simplified, and centralized identity access management, this dream approaches reality.

Visit our website to learn more about solutions for State and Local Government agencies.

New Collaboration Tools to Help Government Agencies Advance Their Digital Operations

Government agencies have long depended on secure collaboration tools. Now, as these agencies focus on modernization initiatives, they require an integrated solution that can securely manage software development workflows and digital operations.

In addition, these new tools need to drive improved productivity, and support compliance requirements. That’s why Mattermost has invested in enhancing its messaging collaboration platform with new solutions for playbooks, workflow management, task management and tool integrations.

Customizable Playbooks for Recurring Procedures

Many government organizations rely on complex processes to enable their operations. Manual, inconsistent approaches result in errors, omissions and missed steps. Digitizing these processes can increase productivity and improve effectiveness. A proven way to achieve those goals is through playbooks.

Playbooks from Mattermost offer prescribed workflows that streamline and optimize recurring processes. They make any structured process repeatable and predictable through checklists, automated triggers and actions, status dashboards and updates, and retrospective timelines and reports.

As a result, federal agencies can better orchestrate work across teams and tools. They can document complex operations, and they can better support scenarios and use cases that require repeatable and reliable process steps. That way, they can achieve consistent processes, predictable outcomes and continuous improvement.

By taking advantage of these playbooks, agencies across government can:

  • Orchestrate digital processes that span teams, tools and missions – Built-in task checklists and real-time messaging enable all stakeholders to understand what’s in progress and what actions to take next.
  • Improve visibility and quality – Prescribed checklists make sure every team member follows best practices, the first time and every time. Status updates eliminate confusion and ensure stakeholders remain informed on workflows.
  • Streamline tasks with triggers and actions – A no-code framework enables teams to automate repetitive work, freeing up time for more strategic priorities.
  • Improve with every iteration – Retrospective reports and timelines enable teams to retrace what happened and benefit from key takeaways. Incorporating learnings back into playbooks makes processes more effective and scalable.
  • Integrate and extend – Because playbooks are built on an open source platform, they allow for customization and extensibility. Team members can leverage other tools they’re already using through APIs, plug-ins and an ecosystem of community-built integrations.
  • Maintain tight security – Built-in security and firewalls, as well as secure cloud-deployment options, make sure sensitive data remains protected in a broad range of collaboration scenarios.

Built on a Unified Collaboration Hub

Additional Mattermost capabilities and offerings further support agencies in shifting to digitized operations. For starters, a single command-and-control hub optimizes team collaboration. In addition to playbooks, the platform provides channels for real-time and asynchronous messaging, as well as boards for Kanban-style project and task management. Integrations with an ecosystem of developer-centric applications include GitLab, Jira and Confluence.

High-availability, mission-critical security and privacy provide the information safeguards agencies need. Public sector organizations can deploy the platform on-prem, in air-gapped environments or in a secure cloud to maintain complete control of their data. Strict, customizable access controls help ensure military-grade protections. They also assist organizations in complying with standards such as those associated with HIPAA, FINRA, GDPR and regulatory requirements.

What’s more, a single, flexible licensing mechanism covers multiple networks. Separate teams can benefit from the same tools and practices, even across multiple air-gapped environments.

Finally, these capabilities are available across a number of governmentwide acquisition contracts (GWACs), including NASA Solutions for Enterprise-Wide Procurement (SEWP). A variety of channel partners can help agencies meet their small-business goals. The platform also meets requirements for the Voluntary Product Accessibility Template (VPAT) for Section 508 compliance.

Designed for Agency Deployment

Mattermost’s new and enhanced collaboration tools are offered as part of a growing portfolio of solutions specifically designed for government organizations.

As government agencies and defense organizations navigate the shift to always-on digital operations, effective alignment of people, tools and processes can help teams better achieve their missions. By replacing manual tasks, fragmented communication and fragile workflows with digitized, repeatable process frameworks, they can operate more efficiently and effectively to meet changing use cases and demands.

View Our Free Resource, the Mattermost Government Solutions Guide, and learn more about Mattermost at www.mattermost.com