CDM: The Old and The New

The Continuous Diagnostics and Mitigation Program

The Continuous Diagnostics and Mitigation (CDM) Program was originally a multiple-award IDIQ released under the GSA Schedule 70 Blanket Purchase Agreement (BPA). It was created to establish “a dynamic approach to fortifying the cybersecurity of government networks and systems.”

The program was designed to provide the Department of Homeland Security and other federal agencies with the capabilities, resources, and tools to (1) identify cybersecurity risks on an ongoing basis, (2) prioritize these risks based upon potential impacts, and (3) enable cybersecurity personnel to mitigate the most significant problems first.

As threats changed, the CDM program offered federal agencies COTS tools to support technical modernization efforts. Additionally, CDM provided a structured methodology to allow for risk prioritization based on perceived impact, with the goal of mitigating the most significant risks, flaws, and bugs first. To do this, CDM used a four-phase process with an end goal of collecting and analyzing vulnerability data to make “strategic decisions regarding systematic cyber security risks across the entire Federal civilian enterprise.”

Ultimately, CDM provided a means to address and react to threats as they occurred, which decreased vulnerabilities and mitigated the risk of network exploitation.

Since its inception, the acquisition strategy for the CDM program has changed. As stated, it was originally a set of DHS-issued Blanket Purchase Agreements (BPAs) under the GSA IT Schedule 70 contract, known and referred to as the CDM Tools/Continuous Monitoring as a Service (CMaaS) BPAs. These BPAs expired in August of 2018.

To continue the mission and goals of the program, the following two acquisition strategies were developed to allow Vendors to compete on projects that address the mission of CDM:

  • For Products (SW & HW) – Issuance of a CDM Tools SIN (132-44) under the GSA IT Schedule 70
  • For Services – Task Orders referred to as CDM Dynamic and Evolving Federal Enterprise Network Defense (DEFEND) under the GSA GWAC Alliant

The programs remain consistent with NIST and OMB guidance and with the fulfillment of the Federal Information Security Management Act (FISMA).

CDM Tools SIN (132-44)

The new SIN is organized into five subcategories based on CDM capabilities:

  1. Manage “What is on the network?”
  2. Manage “Who is on the network?”
  3. Manage “How is the network protected?”
  4. Manage “What is happening on the network?”
  5. Emerging Tools and Technology

To be added to the CDM Tools SIN, vendors must submit their product for qualification review. Prior to applying, vendors must first have their product listed on the DHS Approved Products List (APL) and, second, be a current holder of the GSA Schedule 70 GWAC. Acceptance onto the APL is reviewed on a monthly basis; the process for being added can be found here.

A current list of all vendors and products currently available for procurement under the CDM Tools SIN can be found here.



Press Contact:

Jake Nelson
Corsec Director of Marketing