Personal CDM data could be used ‘inappropriately’ when integrators are involved

Third-party contractors are prohibited from using or sharing data collected with CISA in their task orders, but that's no guarantee.
security, data, storage, cdm, continuous diagnostics
(Getty Images)

There’s a risk personally identifiable information inadvertently obtained by integrators providing Continuous Diagnostics and Mitigation (CDM) capabilities to small agencies is used inappropriately, according to a Department of Homeland Security assessment.

A December DHS privacy impact assessment found that the CDM platform for smaller agencies exposes personal data to third-party contractors operating that cloud-based shared service.

DHS launched CDM in 2013 to provide federal, state and local agencies with tools to track and respond to cybersecurity incidents faster.

Generally, larger federal agencies deploy CDM capabilities themselves, and the Cybersecurity and Infrastructure Security Agency that oversees the program for DHS only has access to summary-level data pushed to the federal dashboard.


But the CDM Shared Service Platform (SSP) makes tools available to non-CFO Act agencies via third-party contractors, and those integrators do have the potential to access personal data collected through operations and maintenance. Currently, ManTech holds the contract to provide the shared service.

As a mitigation, integrators are prohibited from using or sharing data collected with CISA in their task orders, but that’s not a guarantee, according to DHS.

“As a contractor to CISA, the integrator is required to conduct its activities in accordance with DHS requirements, including having all contract staff complete privacy training,” reads the assessment. “Full disk encryption has been implemented across the entire shared service platform to meet applicable data-at-rest requirements.”

The platform also collects logs at the operating system and application levels, which all users are prevented from erasing.

The CDM SSP’s authority to operate expires March 28, 2021.


DHS also assessed the CDM Agency-Wide Adaptive Risk Enumeration (AWARE) algorithm used to score agencies cyber risk and found the measure doesn’t introduce new privacy risks to the federal or agency dashboards.

Latest Podcasts