Skip navigation
Industry News

Duo Approved for Federal Continuous Diagnostics & Mitigation (CDM)

Hey! What would it mean to you
to know that it'll come back around again?
Hey! Whatever it means to you,
know that everything moves in circles.

-"Circle" lyrics by Incubus

continuous adjective
con·​tin·​u·​ous |  \ kən-ˈtin-yü-əs \
Definition of continuous
1: marked by uninterrupted extension in space, time, or sequence


There is an old saying that sunlight is the best disinfectant. Basically, this means that visibility is key to understanding risk and how vulnerable you are to it.

I’m a “go with my gut” kinda guy. This has served me well in life for the most part, except the gut is not always right and there is just no substitute for useful, timely data. The Department of Homeland Security (DHS) realized this way back in 2012. At the time there didn’t seem to be a uniform way to get an assessment of any given federal agency’s security posture, including their own. So they did a wise thing. They created a program to help agencies do just that, and called it the Continuous Diagnostics & Mitigation Program (CDM Program).

Continuous in that it is an ongoing security journey and mitigation in that prevention is an important part of the program, not just the visibility part. They also partnered with the General Services Administration (GSA) to provide solutions, capabilities and, just as importantly, a procurement processes for putting these types of systems in place. I won’t go into the graphic details here (mostly because there are many other folks who are better versed than I) but the program is really about the security + data relationship and its entire lifecycle.

This was (and continues to be) a very large effort. This helped agencies get their hands around their security knowledge and required them to report progress via a scorecard (and don’t we all love scorecards?). This is another example of the public and private partnership working the way it was intended. Industry worked together and with government to provide technologies and services to help address the underlying security requirements -AND- help with the reporting (visibility) requirements.

Duo is excited to announce that we’ve been added to the Federal CDM Approved Products List (APL) and we’re proud to participate in this ecosystem of government partners to help federal agencies with their cloud/mobile zero-trust journey:

There is also a relationship with the current Trusted Internet Connection (TIC) standards and how they’re evolving to address the current cloud and mobile world we live in today with TIC 3.0.

To me, all of these policies play a role in helping agencies field the best security solution for them -AND- give the agencies leeway and flexibility to make risk-based decisions going forward as technology changes, without having to wait years for updated policy guidance.

Duo is compliant for federal government use, approved by the Department of Homeland Security and is listed on the Continuous Diagnostics and Mitigation (CDM) Approved Products List (APL). The CDM APL can be found at the General Services Administration's (GSA’s) CDM website. Agencies can purchase Duo today.

Learn more about Duo for federal and government agencies.