House Passes Legislation to Codify CDM Program


Rep. John Ratcliffe introduced the Advancing Cybersecurity Diagnostics and Mitigation Act

The House of Representatives today approved by voice vote HR 6443, the Advancing Cybersecurity Diagnostics and Mitigation Act, which would codify the Department of Homeland Security’s (DHS) Continuous Diagnostics and Mitigation (CDM) Program into law.

HR 6443 was introduced on July 18 by Rep. John Ratcliffe, R-Texas, and approved by the House Homeland Security Committee on July 24.

CDM is a multibillion-dollar program led by DHS and aimed at safeguarding Federal agency networks by providing monitoring-as-a-service tools, which give agencies better knowledge of the endpoints, data, and activities occurring on their networks.

The just-passed bill would provide legislative backing to ensure that the CDM Program continues to employ leading-edge network monitoring technologies. It would also require the DHS Secretary to submit a strategy to Congress, within 180 days of the bill’s enactment, on how to carry out the program effectively.

“The CDM program has proven to be an indispensable tool for DHS and NPPD in identifying and defending against cyber threats to our Federal networks,” Ratcliffe said in a statement following the bill’s passage. “Codification will help promote its ongoing success and improvement, so we can ensure our Federal network protection efforts keep pace with the ever-evolving cyber threat landscape.”

While the bill was able to rapidly garner wide bipartisan support in the House, it does not currently have companion legislation in the Senate, so it is unlikely to become law this year unless the Senate takes quick action.

The CDM program has, however, seen a number of notable steps in recent days. CDM Program Manager Kevin Cox said on Aug. 30 that all Federal civilian CFO Act agencies will be connected to CDM’s governmentwide cybersecurity dashboard this month, following successful tests with the final three agencies.

The same day, Cox said all of the CDM DEFEND task orders would be finalized by October (all five groups have been awarded, with one currently under protest) and that the program now offers flexibility for emerging needs, like mobility and cloud security.

Federal CIO Suzette Kent said on Aug. 28 that about half of the Federal agencies in the CDM Program are entering the DEFEND stage, which primarily covers Phase 3 of CDM rollout.

During today’s debate over the bill on the House floor, Ratcliffe cited the Federal Cybersecurity Risk Determination Report and Action Plan, released in May, as an example of agencies’ “inability to understand cybersecurity risks,” and said the CDM bill would help to close that knowledge gap and also allow DHS to “make smarter choices about where taxpayer dollars are going.”

Rep. Bennie Thompson, D-Miss., a cosponsor of the bill, noted that the “CDM deployment schedule has been plagued with delays” and pointed to the requirement in the bill of a DHS strategy for CDM as a way to prevent lagging implementation at agencies.

In light of those comments, Rep. Jim Langevin, D-R.I., expressed his support for the bill on the House floor but offered one criticism: HR 6443 does not address, Langevin noted, how it would incentivize Federal agencies other than DHS to actually adopt CDM tools. He flagged that issue, rather than any failings on the part of DHS, as one of the major roadblocks in CDM thus far.
