Are state and local governments ready for CDM?

A recent Ponemon Institute study found that, when compared federal agencies, the cybersecurity posture of state and local governments falls short -- especially in their ability to prevent, detect, contain and recover from cyberattacks.

There is, however, a tool to help those government bridge the gap: the Department of Homeland Security’s Continuous Diagnostics and Mitigation program, which is available to state and local agencies through a blanket purchase agreement managed by the General Services Administration.

Jim Quinn, DHS' lead system engineer for the CDM program, explained at a recent GCN virtual event that CDM provides agencies with both continuous monitoring of their networks and a dashboard to help identify and more quickly respond to cyber threats.

The program is being rolled out in three phases, and so far, Phase 1 tools -- covering endpoint security and vulnerability scanning – are now available to 97 percent of the federal executive branch, Quinn said..   

The same services are available for any state, local, regional and tribal agency capable of doing a purchase agreement -- though unlike most federal agencies, which have received congressional appropriations for CDM, non-federal entities must secure their own funding. After the agency gets approval to use a federal procurement vehicle, it can request a delegation of procurement authority from GSA Federal Systems Integration and Management center to begin leveraging the BPA.

When delegation is granted, the state and local governments can access detailed pricing information and a purchasing guide to directly interact with the 17 CDM BPA awardees. Representatives may then use the direct order and direct bill options to buy products and place orders.

So far, Quinn said, federal agencies make up the vast majority of the CDM user base.  State and local uptake has been “slow in comparison," he said.  "We’re hoping that now that they see how it’s working, they’ll start moving forward.”

Additionally, CDM dovetails with the National Institute of Standards and Technology’s Cybersecurity Framework, which is already being used by  many state and local entities. CDM can be integrated into NIST’s framework for protection and detection functions, according to Matthew Barrett, program manager with NIST Cybersecurity Framework, who also spoke at the GCN event.

As far as advancements in the CDM system itself, the definition of stages and processes for Phase 2 has just been completed. It will assess who is on the network and provide management for access control, security-related behavior and credentials, authentication and privileges.

Phase 3 will cover what is actually happening on the network. This includes boundary protection  and event management for managing the security lifecycle. According to Quinn, DHS intends to execute operational deployments of this phase in fiscal year 2017.

About the Author

Amanda Ziadeh is a former reporter/producer for GCN.


  • Records management: Look beyond the NARA mandates

    Pandemic tests electronic records management

    Between the rush enable more virtual collaboration, stalled digitization of archived records and managing records that reside in datasets, records management executives are sorting through new challenges.

  • boy learning at home (Travelpixs/

    Tucson’s community wireless bridges the digital divide

    The city built cell sites at government-owned facilities such as fire departments and libraries that were already connected to Tucson’s existing fiber backbone.

Stay Connected