F5 Flaw Exposes Cracks in DHS’s Cyber Defense Program

HackHer News, October 23, 2025

Long hailed as a cybersecurity success, the CDM program faces new scrutiny after CISA’s latest directive.

The federal government’s billion-dollar cybersecurity visibility program just ran into a visibility problem of its own.

Last week, the Cybersecurity and Infrastructure Security Agency (CISA) admitted it didn’t actually know where all its F5 devices were located, despite having “thousands” in use across civilian agencies. That admission came alongside an emergency directive instructing every federal department to hunt down and patch those systems, after F5 revealed that a nation-state actor had burrowed deep into its own network.
The irony wasn’t lost on anyone: a program built to help CISA see everything was struggling to see one of the most critical pieces of its own infrastructure.

A Billion-Dollar Blind Spot

CISA’s Continuous Diagnostics and Mitigation (CDM) program was supposed to fix problems like this. Launched in 2012 with a $6-billion mandate, CDM promised agencies a unified dashboard showing every asset, user, and vulnerability in real time. The reality? It’s been great at tracking desktops and servers, not so great at the rapidly evolving world of network edge devices like F5 load balancers.

“These devices live at the edge, not the core,” said Jonathan Trull, CISO at Qualys. “They don’t behave like traditional assets, and you can’t just slap an agent on them.”

Sean Connelly, one of the architects of CDM, agreed. “The program was built to watch the inside of the house, not the fence line,” he said. And the fence line, it turns out, is where hackers like to sneak in.

Edge Devices: The Hacker’s Playground

Edge infrastructure (F5 load balancers, firewalls, VPN gateways) has become the hacker’s favorite entry point, especially for China-linked threat groups. These systems sit in the DMZ between an agency’s internal network and the public internet, making them a perfect beachhead for intrusion campaigns.

Matt Hartman, former deputy executive assistant director for cybersecurity at CISA, put it bluntly: “Visibility gaps in edge technologies create pivot points for adversaries. The devices that protect your perimeter can also be the ones that betray it.”

Visibility ≠ Insight

The problem isn’t that CDM doesn’t collect data; it does. The issue is that the data isn’t normalized, connected, or easily searchable when it counts.

“Agencies may technically have the asset data,” said Ensar Seker, CISO at SOCRadar, “but if it’s trapped in disconnected silos, it’s useless in a live incident.”

That’s exactly what the F5 crisis exposed: the distance between data collection and actionable awareness. In theory, CDM should’ve known every F5 endpoint in use. In practice, agencies were scrambling through procurement logs and old spreadsheets to locate them.

Not Broken, Just Behind

To be fair, CDM isn’t a failure. It’s just playing catch-up with the modern attack surface. The program has matured steadily, expanding visibility into cloud infrastructure and zero-trust frameworks. But as Matt House, CDM’s program manager, admitted last year, “We are largely blind when it comes to platform-as-a-service and SaaS.”

In other words, the government’s main cyber-visibility tool still sees best in yesterday’s IT environments.

Why It Still Matters

Despite its flaws, CDM remains the backbone of federal cyber readiness. When CISA issued its F5 emergency directive, CDM helped accelerate the discovery and patching process across agencies. “Without a mature CDM program, agencies would be flying blind,” said Bill Wright of Elastic.

The takeaway? CDM is both the hero and the cautionary tale. It enables rapid nationwide response, but it also exposes how fragile visibility can be when the tech ecosystem shifts faster than the tools meant to monitor it.

The Real Lesson

The F5 incident isn’t just about one vulnerability; it’s a mirror reflecting the tension between visibility and velocity in cybersecurity. The federal government can’t patch what it can’t see, and it can’t see what its systems were never designed to illuminate.

If CDM wants to live up to its “continuous” promise, it must evolve beyond dashboards and agents. It needs adaptive discovery, contextual awareness, and automation that can keep pace with dynamic, cloud-driven networks.

Because in cybersecurity, knowing where your stuff is, and what it’s doing, is half the battle. The other half is realizing how fast that map goes out of date.
