A unique opportunity to strengthen the CDM program
Matthew Shallbetter, the director of strategy for federal civilian at Armis, explains how to make the CDM program more valuable through better data integration.
Matthew Shallbetter
November 17, 2025 4:55 pm
In June 2025, the Government Accountability Office issued a report somewhat critical of the Cybersecurity and Infrastructure Security Agency’s Continuous Diagnostics and Mitigation (CDM) program. The GAO found that the CDM program — designed to give agencies cybersecurity tools for strengthening the networks and systems they use to meet their missions — had met some of its goals, but fallen short on others.
The report stated that 21 of 23 participating agencies had not yet fully implemented network security and data protection capabilities, citing a lack of guidance as contributing to the slow implementation. And while 22 of the 23 agencies reported that CDM is helpful in reducing their attack surface, 20 of them noted data integration and data quality as a challenge.
There appears to be a recent recognition and willingness to address these kinds of issues from the highest levels of the federal government. CISA expressed its intention to increase collaboration with the private sector to manage the layer between agency operations and its oversight of CDM. And in a recent LinkedIn post, Federal Chief Information Officer Gregory Barbaccia wrote: “If we’ve only changed the medium and not the actual process, then transformation hasn’t occurred. It’s not enough to change the platform. You have to change the practice.” This lesson can be applied to CDM.
As agencies look for strategies to address shortfalls such as those identified by GAO, while absorbing reduced staff and budgets, focusing on cloud platforms and funded government-wide programs is a clear way to modernize and stretch their own budgets. Technology programs like CDM can be transformative if leaders treat them as an opportunity to change operational culture rather than as another tool to deploy. By collaborating with CISA, mission stakeholders and internal teams, agency CIOs can provide a desperately needed service and finally enable comprehensive risk management that covers both IT and mission-focused systems.
As they get started on initiatives to reimagine their approach to CDM, agencies should focus on three areas:
Ensure that CIO operational processes are tied into the CDM stream as the trusted source for all data and risk tracking over time. Data that is used is data that is useful. Instead of treating CDM as a CISA tool, CIOs must identify operational processes that can be improved and made more efficient with CDM data. These processes may include incident response, audit automation, continuous authorization, network access control, technology rationalization and even software license management. Responding to incidents is faster when inventories are up-to-date and system ownership is clear. System authorization reviews are faster if auditors can trust that vulnerability programs are well managed and data is continuously updated. Networks are more trusted if asset risk is comprehensively assessed in CDM and integrated with access control solutions.
CDM data is foundational to a number of cyber risk processes. Every agency CIO will have ways to improve their own programs by integrating CDM data, but the starting place will be unique to each, depending on staff skills and program maturity. Identifying and automating these touchpoints needs to be an iterative part of program maturity. Driving this integration ensures the mission is better secured against the next big attack, and that the solutions are in place to quickly onboard third-party response, whether federal or commercial.
Consolidate vulnerability scans from audits, IT teams and CISA, and feed them into the CDM stream. For complex and sensitive environments, which are more likely to be targeted for attacks, automated scans across an organization’s entire environment are the only practical way to manage vulnerabilities at scale and in real time. Remediation of vulnerabilities must be a priority for impacted organizations. By merging the results of these scans into the CDM stream, agencies can more efficiently respond to threats and report on vulnerabilities.
Delivering vulnerability scans as a service is a common approach to risk assessments. Typically, the owner of a federal system will receive separate reports from CISA, inspectors general, chief information security officers and authorization efforts. Aggregating and tracking these reports to closure is often a manual and labor-intensive effort. Consolidating all this vulnerability data into CDM allows the program to begin deduplicating and providing the initial risk assessment.
Delivering this to system owners as the single view of vulnerability reduces their load and provides critical feedback to ensure assets are correctly assigned to systems and owners — further improving the overall vulnerability management processes.
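The consolidation step described above, as an added example that is not code from the article, from Armis or from the CDM program: findings from three report producers with different schemas are mapped onto common fields, deduplicated on (host, CVE), attributed to systems and owners from an asset inventory, and ordered into one prioritized view. Every record format, field name, hostname, CVE identifier and the inventory itself are constructed for illustration; matching on a short hostname is a simplification, since a real integration would join on the inventory's own asset identifiers.

```python
"""Merge vulnerability findings from several report sources into one deduplicated,
owner-attributed view. Added example with constructed data; not the article's or
any vendor's code. Dates are ISO strings, so string comparison orders them correctly."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set, Tuple

SEVERITY_RANK = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed sample reports, each imitating a different producer's schema.
EXTERNAL_SCAN = [  # hypothetical external-scan export
    {"ip": "10.1.2.3", "hostname": "web01.agency.example", "cve": "CVE-2024-0001", "severity": "HIGH", "seen": "2025-10-01"},
    {"ip": "10.1.2.9", "hostname": "db01.agency.example", "cve": "CVE-2023-0002", "severity": "CRITICAL", "seen": "2025-10-01"},
]
IG_AUDIT = [  # hypothetical inspector-general audit findings
    {"host": "WEB01", "finding": "cve-2024-0001", "risk": "high", "date": "2025-09-15"},
    {"host": "FILE01", "finding": "cve-2022-0003", "risk": "medium", "date": "2025-09-15"},
]
INTERNAL_SCAN = [  # hypothetical internal scanner output; rates the web01 issue lower than the others do
    {"asset": "web01", "cve_id": "CVE-2024-0001", "sev": "Medium", "ts": "2025-10-05"},
    {"asset": "db01", "cve_id": "CVE-2023-0002", "sev": "Critical", "ts": "2025-10-05"},
]
ASSET_INVENTORY = {  # hypothetical inventory records keyed by short hostname; file01 is missing entirely
    "web01": {"system": "Public Web", "owner": "web-team@agency.example"},
    "db01": {"system": "Records", "owner": None},  # asset known, owner never recorded: a data-quality gap
}


@dataclass
class Finding:
    host: str
    cve: str
    severity: str
    first_seen: str
    last_seen: str
    sources: Set[str] = field(default_factory=set)
    system: Optional[str] = None
    owner: Optional[str] = None


def normalize(records, host_key, cve_key, sev_key, date_key, source):
    """Map one producer's schema onto common fields: short lower-case host, upper-case CVE, lower-case severity."""
    for r in records:
        yield {
            "host": r[host_key].lower().split(".")[0],
            "cve": r[cve_key].upper(),
            "severity": r[sev_key].lower(),
            "date": r[date_key],
            "source": source,
        }


def consolidate(*streams) -> Dict[Tuple[str, str], Finding]:
    """Deduplicate on (host, cve): keep the worst severity, the earliest and latest sighting, and every reporting source."""
    merged: Dict[Tuple[str, str], Finding] = {}
    for stream in streams:
        for n in stream:
            key = (n["host"], n["cve"])
            f = merged.get(key)
            if f is None:
                merged[key] = Finding(n["host"], n["cve"], n["severity"], n["date"], n["date"], {n["source"]})
                continue
            f.sources.add(n["source"])
            f.first_seen = min(f.first_seen, n["date"])
            f.last_seen = max(f.last_seen, n["date"])
            if SEVERITY_RANK.get(n["severity"], 0) > SEVERITY_RANK.get(f.severity, 0):
                f.severity = n["severity"]
    return merged


def attribute(merged: Dict[Tuple[str, str], Finding], inventory) -> List[str]:
    """Attach system and owner from the inventory; return hosts that carry findings but have no owner."""
    unowned = set()
    for f in merged.values():
        rec = inventory.get(f.host)
        if rec:
            f.system, f.owner = rec["system"], rec["owner"]
        if not f.owner:
            unowned.add(f.host)
    return sorted(unowned)


def prioritized(merged: Dict[Tuple[str, str], Finding]) -> List[Finding]:
    """One view for system owners: worst severity first, then findings corroborated by more sources, then oldest."""
    return sorted(merged.values(), key=lambda f: (-SEVERITY_RANK.get(f.severity, 0), -len(f.sources), f.first_seen))


def build_single_view():
    merged = consolidate(
        normalize(EXTERNAL_SCAN, "hostname", "cve", "severity", "seen", "external"),
        normalize(IG_AUDIT, "host", "finding", "risk", "date", "ig"),
        normalize(INTERNAL_SCAN, "asset", "cve_id", "sev", "ts", "internal"),
    )
    unowned = attribute(merged, ASSET_INVENTORY)
    return merged, unowned, prioritized(merged)


if __name__ == "__main__":
    merged, unowned, ordered = build_single_view()
    print(f"{len(EXTERNAL_SCAN) + len(IG_AUDIT) + len(INTERNAL_SCAN)} raw findings -> {len(merged)} unique")
    for f in ordered:
        print(f"{f.severity:8} {f.host:7} {f.cve:14} sources={sorted(f.sources)} owner={f.owner} {f.first_seen}..{f.last_seen}")
    print("assets needing an owner:", unowned)
```

The list of unowned hosts is the feedback loop the article mentions: db01 is in the inventory without an owner, and file01 appears only in an audit report and is absent from the inventory entirely, so both go back to the inventory team before anyone is asked to remediate.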
Maximize agency use and reuse of CDM data. Requiring CDM to feed Federal Information Security Modernization Act (FISMA) reporting is a good start, but agency leadership must prioritize efforts to directly leverage CDM data for mission operations. Furthermore, CIOs and CISOs must give mission owners the tools to tailor the data for their own use, so that they become active participants in maintaining data quality through regular reuse.
CDM data doesn't stand alone; it exists within a complex web of usable data. Because federal funding is largely bottom-up, mission owners deploy their own tools and build islands of operational data. By integrating that data into CDM and developing the tools that let mission owners engage with it, agency leadership gains a single source of comprehensive situational awareness that is accurate, timely and continuously updated.
If agencies engage and reinforce CDM as a foundation, all risk management becomes much easier. Effective risk management requires more than a technical solution; it requires agencies to embrace cultural change at a time when cultural change management is not a place where the government spends a lot of time. Engaging in this process may be difficult at first, but agencies that do will reap the rewards.
Matthew Shallbetter is director of strategy for federal civilian at Armis Federal.
© 2025 Federal News Network. All rights reserved.
