CDM Updates to Product Listing Requirements

By Amanda Mull, Contract Specialist

The federal Continuous Diagnostics and Mitigation (CDM) program includes cybersecurity tools and sensors that are reviewed by the program for conformance with Section 508, federal license users and CDM technical requirements. Manufacturers are encouraged to update, refresh and add new and innovative tools to the CDM Approved Products List (APL).

To maintain currency with federal and requirement and the constant evolution of the cyber/IT landscape, the CDM APL product submission requirements have been revised several times in FY2021.

The most recent updates reflect heightened security policies and protocols required for a more mobile workforce. Others support the full realization of the federal CDM Dashboard expected by year-end. The CDM Dashboard is intended to gauge agency cybersecurity posture. It also monitors the achievement of directives meant to raise the overall level of security and privacy in cyber/IT tools and technology across the federal government.

There have been several recent updates to CDM Common Requirements for Approved Product Listings (APL):

  • The IPv6 common requirement has been aligned with the Office of Management and Budget (OMB) Memorandum 21-07 (M-21-07) – PDF. This is critical for heightened cyber security and privacy on networks, and to support large data transfers as well as safe use of mobile devices.   
  • To support the federal CDM Dashboard data collection, all products reporting data must maintain data currency of 72 hours or less. Devices reporting data must also scale to support growth of the numbers of users and devices on the networks. Baseline user and device inventories are expected to increase over time as system usage expands.
  • Responding to feedback from applicants offering cloud products on the CDM APL, new subcategory definitions were added for “in” and “of” the cloud security products and tools.
  • In addition to some formatting updates, changes to the Potential CDM Capabilities questions were revised to better assess emerging products and determine if these capabilities should be considered for eventual addition as CDM capability categories. 

Beginning in FY21, CDM APL products listed over three years must be recertified under current standards. Quarterly lists of expiring product approvals are sent to contract holders. 

Need help understanding the CDM Program?  immixGroup, Inc. can help you get your products listed on the GSA Schedule for CDM sales. For more information, contact immixGroup, Inc., at

Keep up to date on the latest IT trends in government. Subscribe to immixGroup’s Government Sales Insider blog now.

About Amanda Mull
Currently a Contract Specialist for immixGroup, Inc. I help public sector sales professionals understand federal contracting vehicles, and respond to IT sales opportunities. Special knowledge of the DHS/CISA CDM Program for the GSA IT Schedule 70 and the U.S. Army ITES-SW2 Contract via the CHESS IT E-Mart. 20+ years as ACO for GSA schedule 84 Security, Access Control and Surveillance System Products & Services Company; 10 + years as a Corporate Compliance Officer.

Leave a Reply

Fill in your details below or click an icon to log in: Logo

You are commenting using your account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s

%d bloggers like this: