Third-party contractors are prohibited from using or sharing data collected with CISA in their task orders, but that's no guarantee.

The program, which the Department of Homeland Security uses to monitor and protect federal networks, is adding more data and connections all the time. Congress enters another year without giving it official legislative authority.

The scores won't be public, though, "because we know adversaries will be looking to see which agencies are having problems," says Continuous Diagnostics and Mitigation program manager Kevin Cox.

App vetting solutions, in particular, vary in their strengths and weaknesses, so it's up to agencies to determine what meets their needs.

John Cornyn, R-Texas, and Maggie Hassan, D-N.H., introduced the Advancing Cybersecurity CDM Act, which would make the program law.

The overall purpose, a DHS official said, is to "provide actionable information to allow agencies to 'fix the worst problems first'" across their networks.