2019 in review: CDM program continues to wait for nod from Congress

The program, which the Department of Homeland Security uses to monitor and protect federal networks, is adding more data and connections all the time. Congress enters another year without giving it official legislative authority.
Kevin Cox, CDM, Department of Homeland Security, DHS
Kevin Cox speaks April 25, 2019, at the Security Through Innovation Summit presented by McAfee and produced by FedScoop and CyberScoop. (FedScoop)

Lawmakers recessed for 2019 without codifying the Department of Homeland Security’s program for monitoring federal networks — despite bipartisan legislation introduced the Senate and House.

Sponsors say they will keep pushing for action in 2020. The goal is to give full congressional authorization to the exiting Continuous Diagnostics and Mitigation (CDM) program, which DHS launched in 2013 to provide federal, state and local agencies with tools to track and respond to cybersecurity incidents faster.

The legislation ran into a “time crunch” this year in the House, according to a spokesperson for a sponsor of the House bill, Rep. John Ratcliffe, R-Texas.

“Regardless, we’re hopeful the bill will move quickly through the legislative process, so we can continue equipping the federal government with the tools they need to properly handle cyberattacks and other intrusions,” the spokesperson told FedScoop.


Ratcliffe and bill cosponsor Ro Khanna, D-Calif., had “great conversations” with their parties concerning the legislation and are “optimistic that it will be brought to the floor at some point,” the spokesperson said.

The House passed similar legislation in the previous Congress, and its Homeland Security Committee unanimously approved the bill again in October.

In the Senate, the bill has yet to be scheduled for markup by the Homeland Security and Governmental Affairs Committee — a fact that sponsor Maggie Hassan, D-N.H., noted during a meeting of the panel in November.

“We also need to be doing more to assist our communities in addressing cyberthreats — specifically against the recent, overwhelming wave of ransomware attacks,” Hassan said. “Toward that end, I am a little concerned that my bipartisan legislation with Sen. [John] Cornyn, the Advancing Cybersecurity Diagnostics and Mitigation Act, was not included for consideration at today’s markup.”

CDM is run by the Cybersecurity and Infrastructure Security Agency (CISA) within DHS. The program’s manager, Kevin Cox, told FedScoop in October that more than 50 agencies now reporting summary data about their networks to the CDM dashboard. Under the bill, CISA would be required to report potential vulnerabilities and breaches using program data.


If CDM is codified, it will most likely happen as a standalone bill, Ratcliffe’s spokesperson said.

“This would send a message to departments and agencies that Congress supports the program’s ongoing success and improvement, while also sending a message to the American people that we are focused on improving our federal network protection efforts in stride with the ever-evolving threat landscape,” the spokesperson said.

The Congressional Budget Office estimated the legislation’s reporting requirement wouldn’t cost more than the administrative burden on CISA from 2020 to 2024 in a November report. Statutory pay-as-you-go procedures would not apply.

Most agencies are behind in implementing CDM’s network security and data protection capabilities with the departments of Energy and Health and Human Services citing a need to take stock of and secure their data first.

CISA would be required to submit a program strategy to Congress within 180 days of the legislation’s enactment detailing the launch of new CDM tools and upgrading of existing ones.


Congress resumes on Jan. 3, 2020.

Introducing cyber risk scores

CDM began showing agencies their cyber risk scores via their dashboards in October, so they can compare them to the federal average.

Initially the 23 Chief Financial Officers Act agencies and 30 others began receiving their Agency-Wide Adaptive Risk Enumeration (AWARE) scores with 40 more planned.

The AWARE algorithm measures agencies’ progress on basic security practices like vulnerability, patch and configuration management in near real time. The smaller the cumulative score, the smaller the cyberattack surface.


“We want to be careful not to share the scores out publicly because we know adversaries will be looking to see which agencies are having problems so they can go target them,” Kevin Cox, CDM program manager for CISA, told FedScoop at the time. “But there may be ways where, once everybody feels comfortable with their AWARE score — all the data is in good shape — that we share it with the deputy secretaries and everybody sees everybody else’s score.”

In May, DHS awarded ECS Federal a $276 million contract to provide the governmentwide dashboard for CDM, but agencies like NASA remain concerned that without additional funding the program could fail.

“That’s what keeps you up at night with CDM is that ongoing cost—the refreshes six, seven years down the line—who’s going to take on that cost?” said Willie Crenshaw, program executive for CDM and risk management in the Office of the CIO at NASA, in April. “And if we don’t have an influx of funding at the agency level, then what’s going to happen is CDM is going to be this success story but then is going to fizz out because we weren’t able to maintain it.”

More 2019 in review:


The Pentagon’s JEDI cloud wars
A tense homestretch for 2020 census prep
2019 in review: A chief data officer in every agency
Agencies embrace RPA — AI less so
Building more tech capacity on Capitol Hill

Latest Podcasts