Official website of the Department of Homeland Security

Continuous Diagnostics and Mitigation (CDM)

The Continuous Diagnostics and Mitigation (CDM) Program provides tools and services that enable Federal and other government entities to strengthen the security posture of their cyber networks.

Federal, state, local, and regional governments, in addition to defense organizations, can benefit from a new blanket purchase agreement (BPA) called Continuous Monitoring as a Service (CMaaS) to strengthen their information technology networks. The CMaaS BPA is managed by the U.S. Department of Homeland Security’s Continuous Diagnostics and Mitigation Program (CDM) and the General Services Administration (GSA).

The goal of the CMaaS BPA and CDM Program is to provide a consistent, government-wide set of continuous diagnostic solutions to enhance defenders’ abilities to identify and mitigate emerging cyber threats through risk-based decision making. For an overview of the CDM program, please visit DHS.gov/cdm.

CDM Technical Resources

The information contained here is primarily intended for government cybersecurity professionals who are either implementing or considering participating in the Continuous Diagnostics and Mitigation (CDM) program.

The following FAQs offer CDM stakeholders detailed insight into various aspects of the program, including capabilities and maturity models:


Capability Definitions and Data Sheets

  • CDM Program Overview [pdf]
  • Intro to Hardware Asset Management (HWAM) [pdf]
  • Intro to Software Asset Management (SWAM) [pdf]
  • Intro to Vulnerability Management (VUL) [pdf]
  • Intro to Configuration Settings Management (CSM) [pdf]
  • HWAM Capability Description v3 [pdf]
  • HWAM Data Sheet v3 [pdf]
  • SWAM Capability Description v3 [pdf]
  • SWAM Data Sheet v3 [pdf]
  • VUL Capability Description v3 [pdf]
  • VUL Data Sheet v3 [pdf]
  • CSM Capability Description v3 [pdf]
  • CSM Data Sheet v3 [pdf]

Training Materials

  • CDM Training - Vulnerability Management Implementation - 2014-09-29 [pdf]
  • CDM Training - Software Asset Management Implementation - 2014-07-29 [pdf]
  • CDM Training - Configuration Settings Management Implementation - 2014-06-26 [pdf]
  • CDM Training - Hardware Asset Management Implementation - 2014-05-05 [pdf]
  • CDM Training - Ongoing Assessment - Automated Assessment Concepts - 2014-04-10 [pdf]
  • CDM Training - Ongoing Assessment - Automated Assessment Practicals - 2014-04-10 [pdf]
  • CDM Training - Ongoing Assessment - NIST's Role in Ongoing Assessments - 2014-04-10 [pdf]
  • CDM Training - Ongoing Assessment - Ongoing Authorization Guidance - 2014-04-10 [pdf]
  • CDM Training - Overview Modules - 2014-04-07 [pdf]

Contact Us

  • GSA provides contracting vehicles that allow DHS to centrally oversee the procurement, operations, and maintenance of commercial off-the-shelf (COTS) diagnostic tools. GSA-FEDSIM manages the CMaaS BPAs, and offers an assisted acquisitions capacity for customers who need guidance on orders against the BPAs.

    For more information about the CDM/CMaaS acquisition contracts or ordering guide, visit the GSA-FEDSIM CDM Website or email cdm@gsa.gov.
  • DHS ensures that the CDM program is consistently implemented, meets critical requirements for effectiveness, and leverages centralized acquisitions to improve the speed of procurement and achieve strategic sourcing discounts.

    For technical questions about CDM, email the DHS CDM Program Management Office at cdm.fnr@hq.dhs.gov.