New CDM bill aims for flexibility, newer tech

Rep. John Ratcliffe (R-Texas) introduced legislation designed to give the Department of Homeland Security more flexibility to implement and share a key cybersecurity program with partner agencies.

The Department of Homeland Security's Continuous Diagnostics and Mitigation program hasn't been around for very long, but overseers in Congress want to make sure the cybersecurity program remains on the cutting edge of the technology landscape for years to come.

A draft bill introduced by Rep. John Ratcliffe (R-Texas), chairman of the House Homeland Security subcommittee on Cybersecurity and Infrastructure Protection, would amend the 2002 Homeland Security Act to include CDM. The bill also gives the secretary of Homeland Security added flexibility around purchasing and reimbursement decisions that have vexed agency partners in the past.

It would also call for "regular improvement" of the CDM program, saying the secretary should "regularly deploy new technologies and modify existing technologies" where appropriate.

"Our goal with this new legislation is to help boost the long-term success of the CDM program by ensuring it keeps pace with the cutting-edge capabilities in the private sector," Ratcliffe said in a statement. "We're also safeguarding agencies from getting stuck with technologies that will soon become outdated or unsupported by their vendors."

In comments first reported by FCW, Ratcliffe said in March that he was considering legislation to address a range of problems that have hampered agency compliance for CDM, which Congress views as a key bulwark protecting federal agency networks from cyberattacks.

A congressional source speaking on background said the goal of the legislation is "to codify the program to give it some direction and teeth during the appropriations cycle" while relying on further actions by Congress down the road both legislatively and through oversight hearings to achieve greater buy-in to the program from federal agencies.

In addition to fostering the use of newer technology, the bill would also "make program capabilities available for use by any federal agency, with or without reimbursement."

Many partner agencies have complained about a convoluted funding structure for CDM, where agencies receive only partial funding from DHS that rarely covers the full cost of implementation. The bill would also give the DHS secretary the ability to employ "shared services, blanket purchase agreements and any other economic or procurement models" that maximize the cost savings associated with implementation.

The legislation also requires DHS to develop a comprehensive strategy for the program, including detailed descriptions of coordination required by federal agencies to achieve compliance, any obstacles facing the program, guidelines for federal agencies to continuously upgrade the program's tech and recommendations for feeding the resulting information created through the program into a data analytics and reporting platform.

Outside of the legislative process, program managers have spent the past year tweaking the CDM contracting and communications process, as well as the structure for new DEFEND task order contracts with vendor integrators, in response to feedback, in order to foster better coordination between DHS and federal agencies.