Are state and local governments ready for CDM?

A recent Ponemon Institute study found that, when compared with federal agencies, the cybersecurity posture of state and local governments falls short -- especially in their ability to prevent, detect, contain and recover from cyberattacks.

There is, however, a tool to help those governments bridge the gap: the Department of Homeland Security’s Continuous Diagnostics and Mitigation program, which is available to state and local agencies through a blanket purchase agreement managed by the General Services Administration.

Jim Quinn, DHS' lead system engineer for the CDM program, explained at a recent GCN virtual event that CDM provides agencies with both continuous monitoring of their networks and a dashboard to help identify and more quickly respond to cyber threats.

The program is being rolled out in three phases, and so far, Phase 1 tools -- covering endpoint security and vulnerability scanning -- are available to 97 percent of the federal executive branch, Quinn said.

The same services are available for any state, local, regional and tribal agency capable of doing a purchase agreement -- though unlike most federal agencies, which have received congressional appropriations for CDM, non-federal entities must secure their own funding. After the agency gets approval to use a federal procurement vehicle, it can request a delegation of procurement authority from GSA's Federal Systems Integration and Management Center to begin leveraging the BPA.

When delegation is granted, the state and local governments can access detailed pricing information and a purchasing guide to directly interact with the 17 CDM BPA awardees. Representatives may then use the direct order and direct bill options to buy products and place orders.

So far, Quinn said, federal agencies make up the vast majority of the CDM user base. State and local uptake has been “slow in comparison,” he said. “We’re hoping that now that they see how it’s working, they’ll start moving forward.”

Additionally, CDM dovetails with the National Institute of Standards and Technology’s Cybersecurity Framework, which is already being used by many state and local entities. CDM can be integrated into NIST’s framework for protection and detection functions, according to Matthew Barrett, program manager with the NIST Cybersecurity Framework, who also spoke at the GCN event.

As far as advancements in the CDM system itself, the definition of stages and processes for Phase 2 has just been completed. It will assess who is on the network and provide management for access control, security-related behavior and credentials, authentication and privileges.

Phase 3 will cover what is actually happening on the network. This includes boundary protection and event management for managing the security lifecycle. According to Quinn, DHS intends to execute operational deployments of this phase in fiscal year 2017.

About the Author

Amanda Ziadeh is a former reporter/producer for GCN.

