CDM: Making US Federal Agencies More AWARE of Cyber Exposure

At a recent Tenable-sponsored MeriTalk event, Kevin Cox, program manager for Continuous Diagnostics and Mitigation (CDM), provided a preview of coming attractions regarding the CDM federal dashboard. As of this writing, the CDM dashboard is in its initial production stage, with agency exchanges being set up to aggregate the data to be fed into the dashboard. At least five agencies are reportedly on track to have data uploaded to the CDM dashboard during the first quarter of 2018.

Agency-Wide Adaptive Risk Enumeration (AWARE): New scoring algorithm for cyber hygiene

Looking ahead, Cox announced that Release 5 of the CDM dashboard, due out in the spring, will introduce a new scoring algorithm that provides a single-number summary of each federal agency’s “cyber hygiene” status. This new algorithm, which will be known as Agency-Wide Adaptive Risk Enumeration (AWARE), is an evolving concept intended to drive CDM toward the goal of improving the way the government measures its cyber risk – that is, the degree to which known vulnerabilities continue to provide an unprotected attack surface for potential adversaries. AWARE will provide a raw risk score, which gives an agency, at a glance, a rough idea of its overall cyber...

From Off-the-Rack to Custom Tailored?

A Government Perspective on the Changing CDM Landscape

As the Continuous Diagnostics & Mitigation Program (CDM) begins its next phase of task orders, it is useful to look back at the earlier stages of the program to help us understand the importance of changes now being implemented in the program’s contractual and programmatic structures. CDM began as a group of GSA Schedule 70 Blanket Purchase Agreements (BPAs), awarded in August 2013 to 17 companies. The first four task order awards were for tools, with choice of vendor based on lowest price for each respective tool. These were followed by Continuous Monitoring as a Service (CMaaS) task order awards, organized into six different government agency groups. To compete for CMaaS task orders, contractors architected solutions that included the tools they selected from the CDM Approved Product List. Upon the award of each CMaaS task order, the winning contractor set about implementing their solution for all agencies in the CDM “Group,” regardless of the tools already in place at a particular agency. For some agencies, this was not a problem because they already had the same tools, and CDM simply provided them with additional product and integration funded by DHS. For...