Continuous Diagnostics and Mitigation (CDM) is the federal government’s program for giving agencies the tools and capabilities to identify and reduce cybersecurity risks in real time. For technology and cybersecurity contractors, CDM represents both a compliance framework and a significant market opportunity. Here is what it is and why it matters.
What is Continuous Diagnostics and Mitigation (CDM)?
CDM is a program led by the Cybersecurity and Infrastructure Security Agency (CISA) that provides federal agencies with capabilities and tools to continuously monitor their networks, identify vulnerabilities, and prioritize risks for remediation—moving security from periodic audits to ongoing visibility.
What does CDM cover?
- Asset management — what is on the network
- Identity and access management — who is on the network
- Network security management — what is happening on the network
- Data protection — how data is safeguarded
What CDM means for contractors
Agencies acquire many CDM tools and services through GSA vehicles, so cybersecurity providers can reach this demand with a GSA Schedule. CDM also sits alongside other federal security requirements such as Section 889. For definitions of related acronyms, see our contracting glossary.
Frequently asked questions
Who runs the CDM program?
CISA, within the Department of Homeland Security, administers the CDM program for federal civilian agencies.
How do contractors sell CDM tools to the government?
Approved cybersecurity products and services are commonly offered through GSA Schedules and other governmentwide vehicles aligned to CDM requirements.
Selling cybersecurity solutions to federal agencies? Book a free discovery call.
Reviewed by the GSA Focus team.