CISA CDM — Continuous Diagnostics and Mitigation (AI-agent asset accountability)
CISA CDM — Continuous Diagnostics and Mitigation (AI-agent asset accountability) — 100% covered.
11 requirements · 11 enforced · 0 designed · 0 advisory · 0 deferred.
Source: CISA Continuous Diagnostics and Mitigation (CDM) Program — capability areas: Asset Management (HWAM/SWAM/CSM/VUL), Identity & Access Management (TRUST/CRED/PRIV/BEHAVE), Network Security Management (BOUND/MNGEVT), Data Protection Management (DPM). Mapped to the agentic-AI asset surface: an AI agent that holds credentials, reaches data, and acts on systems is a reportable cyber asset. · License: U.S. Government work — CISA CDM program documentation is public
By category
| Category | Reqs | Enforced | Designed | Advisory | Deferred | Coverage |
|---|---|---|---|---|---|---|
| Asset Management (what is on the network / acting) | 4 | 4 | 0 | 0 | 0 | 100% |
| Identity & Access Management (who/what is on the network) | 4 | 4 | 0 | 0 | 0 | 100% |
| Network Security Management (what is happening on the network) | 2 | 2 | 0 | 0 | 0 | 100% |
| Data Protection Management (how is data protected) | 1 | 1 | 0 | 0 | 0 | 100% |
Every requirement → the KYE™ artefact that enforces it
| ID | Title | Status | KYE™ enforcement |
|---|---|---|---|
| cisa-cdm.HWAM | Asset Management — HWAM: inventory every device/agent acting on the network (for AI: every agent that can act is a reportable asset) | enforced | registries: internal; audit_events: kye.compliance.attestation.v1; constitution_refs: constitution/14-AGENTS-AND-ENGINES.md |
| cisa-cdm.SWAM | Asset Management — SWAM: inventory the software/models/tools each agent is composed of | enforced | registries: internal; audit_events: kye.compliance.attestation.v1; constitution_refs: constitution/14-AGENTS-AND-ENGINES.md, constitution/52-DELEGATED-AGENT-BINDING.md |
| cisa-cdm.CSM | Asset Management — CSM: manage configuration settings against an approved baseline before deployment | enforced | audit_events: kye.compliance.attestation.v1; constitution_refs: constitution/18-OPERATING-MODEL.md |
| cisa-cdm.VUL | Asset Management — VUL: detect deviation of live behaviour from the approved design (vulnerability/variance) | enforced | engines: internal; audit_events: kye.reality_coupling_check.v1, kye.agency_drift.event.v1; constitution_refs: constitution/13-RESILIENCE-LOOP.md |
| cisa-cdm.TRUST | Identity & Access Management — TRUST: determine who/what is acting and on whose behalf | enforced | audit_events: kye.purpose.admissibility.v1, kye.evidence.decision_map.v1; constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/14-AGENTS-AND-ENGINES.md |
| cisa-cdm.CRED | Identity & Access Management — CRED: bind credentials/authority tokens with expiry and revocation | enforced | audit_events: kye.evidence.decision_map.v1; constitution_refs: constitution/12-PURPOSE-PERMISSION.md, constitution/13-RESILIENCE-LOOP.md |
| cisa-cdm.PRIV | Identity & Access Management — PRIV: enforce least privilege / bounded purpose at the action boundary | enforced | audit_events: kye.purpose.admissibility.v1; constitution_refs: constitution/12-PURPOSE-PERMISSION.md |
| cisa-cdm.BEHAVE | Identity & Access Management — BEHAVE: monitor agent behaviour against expected operating design | enforced | engines: internal; audit_events: kye.agency_drift.event.v1; constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/52-DELEGATED-AGENT-BINDING.md |
| cisa-cdm.BOUND | Network Security Management — BOUND: manage boundaries / isolate each tenant and trust domain | enforced | audit_events: kye.compliance.attestation.v1; constitution_refs: constitution/16-EDGE-RUNTIME.md |
| cisa-cdm.MNGEVT | Network Security Management — MNGEVT: prepare for and respond to events (suspend / revoke / freeze) | enforced | audit_events: kye.evidence.decision_map.v1; constitution_refs: constitution/13-RESILIENCE-LOOP.md, constitution/21-DELEGATED-AUDITABILITY.md |
| cisa-cdm.DPM | Data Protection Management — DPM: protect data with tamper-evident, replayable evidence of every access decision | enforced | audit_events: kye.evidence.pack.v1, kye.compliance.attestation.v1; constitution_refs: constitution/30-AUDIT-WORM-RETENTION.md, constitution/21-DELEGATED-AUDITABILITY.md |