Best Offers on Online Training Ending Soon! Get a 12.9" iPad Pro, Surface Pro or $350 Off - Only Four Days Left


Subscribe to SANS Newsletters

Join the SANS Community to receive the latest curated cyber security news, vulnerabilities and mitigations, training opportunities, and our webcast schedule.

Continuous Diagnostics and Mitigation: Making It Work - A SANS Survey

CDM Awareness Lacking at Operational Level; Inspector General Awareness Low; Obstacles to Adoption Include Staffing and Skills

  • Bethesda, MD
  • July 24, 2014

The Continuous Diagnostics and Mitigation (CDM) program is improving the security levels at federal agencies that are taking advantage of the program, according to a new SANS survey on CDM adoption. In it, 44% of those who reported implementing CDM are experiencing increased security as a result. Unfortunately, the same survey indicates that a very low number of respondents are adopting the controls.

"The survey results show some clear and reachable opportunities for agencies to better leverage their use of the CDM program and improve their security," says Tony Sager, director of the SANS Innovation Center. "It also clarifies how the other portions of the government cyber ecosystem (e.g., GSA, OMB, IGs, DHS) have to do their part if we are ever to achieve the potential of the DHS CDM program."

The goal of the survey, sponsored by FireMon, ForeScout, IBM and Symantec, was to learn what is working and what is not working for organizations implementing these controls in order to help the CDM program succeed at its goal of reducing risk through continuous monitoring and other controls.

Despite extensive outreach by DHS, the "trickle down" of information to security administrators, analysts and operations staff has been limited. CIOs (49%) and CSOs (49%) had levels of awareness significantly higher than that of security (36%) or IT administrators (21%). Even more distressing, only 5% of survey respondents reported awareness and support of their Inspectors General. This overall lack of information about the program hinders its adoption.

"While most of the technologies used in CDM are familiar, moving to continuous monitoring will require significant process change and skill enhancement," says John Pescatore, author of the report and senior director at SANS Institute. "This SANS survey showed that government security managers are worried about the training and staffing they will need to make the change from the traditional compliance-focused annual audit approach."

Lack of needed skills (36%), staffing (32%) and the ever-present budget concerns (40%) were cited as the key barriers once organizations have knowledge about the program.

Full results will be shared during an August 6 webcast at 1 PM EDT featuring Tony Sager, who formerly served in many capacities at the NSA, including as Chief Operating Officer. Register to attend the complimentary webcast at

Those who register for the webcast will also receive access to the published results paper developed by SANS Analyst and emerging technologies expert, John Pescatore.

Tweet This!

Early CDM adopters improving security: SANS survey webcast Aug 6 at 1 PM EDT. Register: #Gov #Technology

Govt IT Pros: hear results from SANS CDM Survey on Aug 6 at 1 PM EDT. Register: #Gov #Technology

What are the benefits to those taking advantage of the DHS CDM program? Webcast Aug 6: #Gov #Technology

Find Out Who's Taking Advantage of CDM. Survey Results Webcast 8/6, 1 PM EDT. Register: #Gov #Technology

SANS Media Contact

About SANS Institute

The SANS Institute was established in 1989 as a cooperative research and education organization. SANS is the most trusted and, by far, the largest provider of cyber security training and certification to professionals at governments and commercial institutions world-wide. Renowned SANS instructors teach over 60 different courses at more than 200 live cyber security training events as well as online. GIAC, an affiliate of the SANS Institute, validates a practitioner's qualifications via over 30 hands-on, technical certifications in cyber security. The SANS Technology Institute, a regionally accredited independent subsidiary, offers master's degrees in cyber security. SANS offers a myriad of free resources to the InfoSec community including consensus projects, research reports, and newsletters; it also operates the Internet's early warning system--the Internet Storm Center. At the heart of SANS are the many security practitioners, representing varied global organizations from corporations to universities, working together to help the entire information security community. (