DHS CISA Expands the Continuous Diagnostics and Mitigation Approved Product List to Secure Firmware Supply Chain, A First for the Agency

Eclypsium selected as the first company to help fortify the supply chain of hardware and firmware in government networks and systems

PORTLAND, Ore.--()--Eclypsium® today announced that it has been added to Cybersecurity and Infrastructure Security Agency’s (CISA) Continuous Diagnostics and Mitigation (CDM) Approved Products List (APL). The inclusion reinforces CISA’s ongoing adaptation to the evolving threat landscape and the role of firmware in supply chains, the economy and national security of the United States Government.

The Eclypsium platform is the only supply chain security solution for enterprise hardware and firmware listed on the CDM APL, recognized as an instrumental Asset Management and Network Security Management solution, in helping organizations “improve their respective security postures by delivering better visibility and awareness of their networks and defending against cyber adversaries.”1 Prior to Eclypsium joining the CDM APL, no other technology solution provided visibility into the firmware and hardware foundations of devices, or could thereby reduce supply chain risk.

“With the availability of the Eclypsium Platform, United States Government agencies can now make technical assessments and apply effective and accurate operational monitoring of supply chains, significantly strengthening security resilience and reducing the threat surface currently driven by firmware vulnerabilities,” said Richard Wajsgras, President of Federal Sales and Global Channels & Alliances at Eclypsium. “CISA acknowledges that firmware has become a top target for real-world adversaries and is taking proactive action to equip every government entity with the solutions that will protect federal information systems and reduce cyber incidents.”

The Eclypsium platform aligns with the requirements outlined in the recent Executive Order on Improving the Nation’s Cybersecurity and also CISA’s Known Exploited Vulnerabilities (KEV) Catalog. The KEV Catalog was published in November 2021 to help government agencies and private sector organizations prioritize the vulnerabilities known to be actively exploited by malicious actors. As of July 9, 2022, the list contained 786 actively exploited CVEs, 185 of which were caused by firmware vulnerabilities.

In response to the growing threats, CISA also released the Binding Operational Directive 22-01, which requires Federal Civilian Executive Branch agencies to report and remediate each exploited vulnerability according to the timelines set forth in the CISA-managed KEV catalog. The immediate actions of CISA are a strong defense against the large-scale firmware attacks targeting enterprise and network infrastructure.


Eclypsium’s cloud-based platform identifies, verifies, and fortifies firmware in enterprise hardware infrastructure: in laptops, servers, network gear, and connected devices. The Eclypsium platform secures your hardware supply chain by monitoring devices for firmware threats, critical risks, and patching firmware across the entire hardware fleet. For more information, visit eclypsium.com.

1 https://www.cisa.gov/sites/default/files/publications/cdm-program-overview-fact-sheet-012022-508.pdf



Release Summary

Eclypsium has been added to Cybersecurity and Infrastructure Security Agency’s (CISA) Continuous Diagnostics and Mitigation Approved Products List.