Varonis announces strategic partnership with Microsoft to accelerate the secure adoption of Copilot.

Learn more

What is CDM and How Does Varonis Help?

The Continuous Diagnostics and Mitigation (CDM) program is a United States government cybersecurity initiative led by the Department of Homeland Security (DHS). The Cybersecurity and Infrastructure Security Agency (CISA) leads...
Michael Buckbee
4 min read
Last updated June 2, 2023

What is CDM?

The Continuous Diagnostics and Mitigation (CDM) program is a United States government cybersecurity initiative led by the Department of Homeland Security (DHS). The Cybersecurity and Infrastructure Security Agency (CISA) leads CDM with the stated purpose of:

  • Reducing agency threat surface
  • Increasing visibility into the federal cybersecurity posture
  • Improving federal cybersecurity response capabilities
  • Streamlining Federal Information Security Modernization Act (FISMA) reporting

In this blog, we will dig into how CDM helps accomplish those goals, and how Varonis supports a CDM strategy.

Get the Free Pen Testing Active Directory Environments EBook

“This really opened my eyes to AD security in a way defensive work never did.”

The Four Phases of CDM

Phase 1: What is on the Network?To help agencies improve their cybersecurity posture, CISA defined four phases for agencies and private organizations to use as a model for their cybersecurity strategy.

Phase 1: What is on the Network?

In phase 1 of CDM, agencies are required to catalog and list the basic details of hardware, software, and configurations that live on their networks. In order to defend their entire network, each agency has to know exactly what computer, devices, and software they have to defend.

  • Hardware Asset Management (HWAM)
  • Software Asset Management (SWAM)
  • Configuration Settings Management (CSM)
  • Vulnerability Management (VUL)

Phase 2: Who is on the Network?

Phase 2 is all about the user accounts and how users interact with and use the agency’s network. Just as important as phase 1, phase 2 is about discovering what users and groups exist in Active Directory, Azure, local computer accounts, etc. When agencies map user accounts to file and folder access, they get a better picture of where sensitive data is exposed.

  • Manage Privileges (PRIV)
  • Manage Trust in People Granted Access (TRUST)
  • Manage Credentials and Authentication (CRED)
  • Manage Security Related Behavior (BEHAVE)

Phase 3: What is Happening on the Network?

In Phase 3, agencies need to monitor network and perimeter components, host and device components, data at rest and in transit, and user behavior and activities. Monitoring combined with the correct analytics is the best way to detect threats to data.

  • Manage Events (MNGEVT)
  • Operate, Monitor, and Improve (OMI)
  • Design and Build-in Security (DBS)
  • Boundary Protection (BOUND)
  • Supply Chain Risk Management (SCRM)

Phase 4: How is Data Protected?

Phase 4 requires agencies to enable several data protections. These controls are fundamental to any cybersecurity strategy because they allow organizations to answer questions like, “has sensitive data been compromised?” Without data classification and a forensic audit trail of how data has been accessed, agencies wouldn’t necessarily know if data breach included sensitive material, for example.


To help agencies track their progress through all four phases of the program, CISA created custom dashboards. These dashboards provide a picture of an agency’s cybersecurity posture and assets through a single pane of glass. They gather data from automated feeds – including Varonis – to ensure security controls and allow for prioritization of risk mitigation and remediation. There are web-based training about these dashboards on the CDM website.

How Does Varonis Help With CDM?

Varonis is a DHS-approved product that provides the core functionality needed to achieve the requirements set forth by the CDM across all phases. Phases 3 and 4 are underway right now, which are phases where Varonis can deliver significant value.

Varonis is a data-centric security suite that identifies permissions, classifies sensitive data, and detects threats to data. One of the core tenents of CDM is protecting data, and Varonis protects data first.

Phase 1: Asset Management

What is on the network?

What is on the network?

In addition to understanding what hardware and software exists on the network, it’s critical for agencies to understand where their most sensitive data is. With this visibility, agencies can ensure they have the proper controls in place to limit sensitive data exposure. Varonis builds a map of unstructured data across the cloud and on-premises data stores and email systems. We automatically discover and classify sensitive data that hides across the network and stale data that’s no longer needed to help visualize where data is most at-risk and enable action to limit that risk.

Phase 2: Identity and Access Management

Who is on the network?

Who is on the network?

Limiting access to sensitive data is a critical next step for agencies to undertake in order to minimize their threat surface. Varonis creates a searchable inventory of all users, groups, and computers in Active Directory, Azure AD, and all local system directories that agencies can use to review and remediate over-permissive and unneeded permissions. From the Varonis platform, agencies can resolve all user & group memberships and access levels, including complex and deeply nested relationships to align with a least privilege access model.Varonis learns typical behaviors for users, including usual locations, working hours, and user-device matches. and can alert on instances where behavior seems suspicious or consistent with a cyberattack.

Phase 3: Network Security Management

What is happening on the network?

What is happening on the network?

For agencies to be proactive in responding to threats, they need to understand what is happening on their network. From a data perspective, that means knowing when data has been accessed, changed, moved, or deleted. This knowledge of how data is being used combined with known threat models and indications of attacks can help agencies proactively identify and respond to threats before impact. Compromised users do things they don’t usually do, like login at odd times from unusual geo locations, access data they never tried to access before, or touch new systems. Varonis detects these abnormal behaviors and compares them to known threat models to warn of potentially dangerous user activity proactively.

Phase 4: Data Protection Management

How is data protected?

How is data protected?

The last and arguably most challenging phase of CDM involves protecting data. Several security solutions can help agencies gain greater visibility into their users, permissions, etc., but few can help them take action to actually protect data. Varonis limits agencies’ threat surface by automatically removing Global Access and fixing broken ACLs with just a few button presses. These changes can be sandboxed before committing them to ensure they don’t negatively impact users. In addition to these massive remediation efforts, Varonis can help keep risk low over time by scanning and classifying data as it’s created and implementing controls for managing access on an ongoing basis. Data that’s classified as sensitive can be automatically quarantined to ensure only the right people have access to it. Agencies can implement a user access approval model to put data owners in charge of access to their data and maintain oversight with regular audits.

Using Varonis to Succeed with CDM

Varonis is a DHS-approved product for helping organizations succeed with CDM. Using the Varonis Data Security Platform, agencies can monitor how data is flowing through their file and email systems, alert on anomalous user behavior, and quickly respond to suspicious activity. Varonis captures, normalizes, and analyzes data access events and combines access activity with additional context, like file content and sensitivity, permissions, and user profiles and behaviors with respect to systems and data. With that information as a baseline, Varonis determines what is normal behavior and detects anomalies which could indicate a threat. This proactive approach to data security can help agencies limit sensitive data exposure, identify potential issues in real time, and quickly remediate them.

Curious to see how Varonis can help detect threats?

Check out the Varonis Live Cyber Attack Lab to see Varonis in action as we demonstrate a real-world cyber attack.

What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

52 Key Cybersecurity Tips: Your Playbook for Unrivaled Security
With breaches on the rise, it’s crucial to make cybersecurity a priority. Follow these preventative cybersecurity tips for stronger security practices.
2024 Cybersecurity Trends: What You Need to Know
Learn more about data security posture management, AI security risks, compliance changes, and more to prepare your 2024 cybersecurity strategy.
NYDFS Cybersecurity Regulation in Plain English
Learn about the new NYDFS cybersecurity regulation and the rules for basic principles of data security, documentation of security policies, and much more.
What is Security Analytics? Guide for the Non-Analytical
Security analytics is the practice of analyzing raw security data to discover preemptive and actionable security measures to increase cybersecurity. It’s not necessarily a particular technique, but certainly involves aggregating...