DHS lays out new ‘cybersecurity readiness’ metrics for contractors

DHS plans to use its own approach for evaluating contractor cybersecurity rather than adopting the Pentagon's CMMC program.

The Department of Homeland Security will use a “cybersecurity readiness” assessment to evaluate whether contractors have appropriate cyber defenses in place prior to making contract awards.

DHS published the details of the new “cybersecurity readiness evaluation factor” in a Nov. 1 notice signed by Kenneth Bible, DHS’ chief information security officer, and Sarah Todd, DHS’ executive director of acquisition policy and legislation.

The notice confirms DHS’ plan to use its own approach for evaluating contractor cybersecurity rather than adopting the Defense Department’s Cybersecurity Maturity Model Certification (CMMC) program.

“It is the department’s intention to ensure that effective and appropriate cybersecurity measures are in place by vendors supporting work where such measures are necessary,” the DHS officials write in the new notice. “This new evaluation factor will enable DHS to evaluate vendors’ cybersecurity posture pre-award for applicable contracts to inform a best value tradeoff award decision.”

The notice doesn’t state when the new evaluation factor will go into effect. But DHS is seeking feedback on its plans by Nov. 17.

In an attachment to the notice, DHS lays out more details on how it will evaluate “cybersecurity readiness” based on analyzing contractor responses to a questionnaire.

In cases where the readiness factor is used in a solicitation, companies will need to show how they meet National Institute of Standards and Technology cybersecurity controls for protecting a broad category of sensitive government data known as “controlled unclassified information” or “CUI.”

Companies will be assigned ratings based on “readiness results” stemming from their responses to DHS’ “standardized secure assessment instrument questionnaire.” The ratings range from a “high likelihood of cyber readiness,” to just a “likelihood” of readiness, to a “low likelihood.”

The metrics “will be tailored to individual solicitations when utilized,” the DHS notice states. And importantly, a company’s cybersecurity rating could either help or hurt its bid.

“At the present time, this Cybersecurity Readiness Factor will only be used for best value tradeoff award decisions for applicable solicitations,” the attachment states. “However, solicitation language may require a Plan of Action and Milestones as a post-award deliverable if an awardee’s assessment result does not meet DHS’ expectations of compliance with the applicable clauses upon award.”

DHS breaks from CMMC

The new readiness tool planned by DHS builds off previous efforts to scrub the “cyber hygiene” of its industrial base through a self-assessment sent to 400 contractors last year.

During a webinar hosted by Leadership Connect last week, Bible said the cyber hygiene work is based around a priority at DHS to “use our contracting to raise the cybersecurity posture of our industry base.”

Even though DHS contractors need to follow the same cybersecurity standards as defense contractors, Bible has previously said DoD’s plan to require many contractors to obtain third-party cybersecurity assessments under CMMC was not the right fit for DHS.

Bible reiterated that stance during last week’s event, saying CMMC “wouldn’t really work with our industry base,” which includes a substantial number of small businesses. DoD has had to significantly revamp the CMMC program due to concerns about pricing out small- and medium-sized businesses.

Bible said DHS can implement its cybersecurity evaluation mechanism without any rulemaking. DoD’s CMMC process remains in the rulemaking stage, and it is unlikely to take effect until later next year.

“It’ll start helping us to go look at this in advance of a contract award,” Bible said. “We’re trying to take steps that we can do now. Let’s just start. And in my mind, that’s what starts to build the public’s confidence if they can just see the government moving out to do the things that we’re asking them to do. And we’re starting to hold ourselves to the same standards. I think that goes a long way. And are we going to hit the mark every time? Probably not. But the point is that if we don’t start, then we’re never going to get there.”

Copyright © 2024 Federal News Network. All rights reserved.
