The Continuous Diagnostics and Mitigation (CDM) program – the Federal government’s primary program to improve civilian agency cyber security – is running short on money and putting its four prime contractors on half rations until the funding situation improves.
That’s the news in recent days from sources in the Federal contracting community who work with the program and who spoke with MeriTalk on condition of anonymity. The CDM Program Office, which is part of the Cybersecurity and Infrastructure Security Agency (CISA), did not offer comment for this story.
Contracting community sources estimate that the CDM program, which received about $281 million of funding for Fiscal Year 2020, is now looking at a budget shortfall of between $80 million and $100 million relative to the booming demand from Federal agencies for the contract’s services.
Prime contractors to the CDM program were informed late last month – the day after CISA Director Christopher Krebs was fired by President Trump over an election security dispute – that the CDM Program Office was scaling back near-term payments by 50 percent.
The impact of those cuts means that some program initiatives that were planned for FY2021 may be pushed further out into FY2022, sources said.
In the absence of a further funding boost, the CDM Program Office is likely to stick to its core mission goals including installation of enhanced dashboards at the agency and Federal levels, improving data quality, and asset, identity, and access management initiatives. The office’s contractual vehicles remain in place and won’t be changing, but the level of funding for those will determine how much they get accomplished on the agency level in the near term.
Service Demand Outstrips Funding
By all accounts, the CDM funding shortfall is the result of higher demand for services overwhelming the supply of funding during a year of unprecedented crisis caused by the coronavirus pandemic. Widespread teleworking that started in the Spring has driven agencies to defend expanded attack surfaces.
A lot has changed over the past year-plus that impacts CDM demand since the FY2020 budgets were drawn up, including:
Expedited work that the CDM Program Office undertook as the COVID-19 pandemic emerged to help agencies respond quickly to the crisis; and
An uptick in demand for services related to cloud and mobile security that were not foreseen in FY2020 budget drafting. CDM Program Manager Kevin Cox has highlighted the growing demand for pilots for those services, along with high-value asset protection, in recent public discussions about the program.
Potential Funding Lifelines
The current funding picture for the CDM program remains lean – not only due to high service demand this year, but also in the bigger Federal budget picture.
Right now, the government is funded through Dec. 11 under a continuing budget resolution based on FY2020 budget levels. Another continuing resolution will likely be necessary before Congress works on FY2021 funding in earnest.
Despite that apparent near-term budget logjam on Capitol Hill, one lifeline for the CDM program lies in a $40 million additional budget appropriation proposed in the Senate, which would also need House approval. Word is these funds would be allocated to Department of Health and Human Services (HHS) and Small Business Administration CDM initiatives.
Sources say that House and Senate Appropriations committee leaders have been briefed on the CDM funding issue, but probably need to hear more from CISA and Department of Homeland Security (DHS) officials about the current budget shortfall problem.
Numerous members of Congress – including Reps. Gerry Connolly, D-Va., and Jim Langevin, D-R.I., and Sens. Tom Carper, D-Del., Maggie Hassan, D-N.H., Jon Tester, D-Mont., and Joe Manchin, D-W.Va. – are likely to have sympathetic ears to the CDM program’s funding plight.
Another important lifeline for the CDM program is likely to arrive at DHS early next year in the form of Alejandro Mayorkas, who was tapped late last month by President-Elect Joe Biden as the next DHS Secretary, subject to Senate confirmation. Mayorkas was DHS Deputy Secretary during the second Obama administration, during which he developed a considerable profile in cybersecurity and the fight against cyber crime.
The timing for a protracted CDM budget squeeze could hardly be worse given the pressing cyber security needs faced by Federal agencies.
First, COVID-19 caseloads are spiking throughout the United States as colder weather descends. And while several coronavirus vaccines are up for quick Federal approval, their widespread distribution throughout the country won’t come until mid-year at the earliest. To make matters worse, the government cannot afford a major cyber attack directed at the vaccine distribution operation.
Widespread Federal telework is likely to continue until at least mid-year, if not far beyond, given the efficiencies that remote work has yielded. The benefits of telework, however, are accompanied by the well-documented security problems that expanded attack surfaces create, and thus by the need for government to contain those problems through the benefits that the CDM program provides.
And in the face of expanded attack surfaces, Federal agencies that have spent money buying software to enable CDM services will lack the services needed to put that software to work to improve their security posture – when that help is needed the most.