The Department of Homeland Security is testing out its own way of evaluating contractor cybersecurity measures, amid concerns about the efficacy of the Defense Department’s Cybersecurity Maturity Model Certification program.
DHS launched a pathfinder this summer to begin evaluating existing contractors with cyber hygiene clauses in their contracts, according to Ken Bible, chief information security officer at DHS. He said DHS has had those clauses in place since 2015, but has never held companies accountable for meeting the standards.
He said DHS has assessed one contractor so far on whether it is meeting the cybersecurity standards.
“We’re going to continue to expand upon that Pathfinder,” Bible said during a conference today hosted by SC Media. “I don’t know that we found from that one Pathfinder everything that we needed to really build out our DHS program in that area.”
DHS has been monitoring the Pentagon’s CMMC program as it builds out its own approach to contractor cybersecurity. Bible said initial impressions were that the Pentagon’s use of third-party audits would not work for DHS.
“We looked at that and said, ‘Well, that may be a little bit too heavy handed for the industrial base that supports the Department of Homeland Security, really didn’t want to disadvantage small businesses, which have been kind of at the heart of being able to innovate within the Department of Homeland Security,’” Bible said.
But now, DHS may be concerned the Pentagon has swung too far in the opposite direction.
Earlier this month, the Pentagon announced major changes to the CMMC model. Under the revamped “CMMC 2.0,” most defense contractors will only need to submit a self-attestation of their cybersecurity practices in order to win an award. About 40,000 businesses that handle more sensitive information will still need to obtain a third-party assessment prior to contract award.
“I do have concerns where even in CMMC 2.0, there’s this element of self-attestation that someone is meeting the standards,” Bible said. “I would like to be able to trust that when I came in, and I did some sort of validation inspection after a contract award, that everything would be on the up-and-up, and that it would still be meeting the standard. I’m less comfortable with that based on the experiences that I think that I and others have had when they actually peel back the covers.”
Bible said he wants industry to be able to show cybersecurity mechanisms are in place prior to contract award.
“That’s something I think that we’ve paid lip service to in the past,” he said. “We’ve never really inspected what we wanted until after we already had a contract. And we’re bending metal, using old shipyard terms, we’re actually building something. And then we decided how we wanted to go address cybersecurity. And I think that may be too late.”
DHS has thousands of contracts, and Bible conceded not all of the companies working under those deals will be managing sensitive information.
“But there’s a fair percentage that are, and so we’re looking at how we can take in some sort of data about a larger swath of that industry sample set and build some statistical means of seeing where we actually carry risk,” he continued.
He said the pathfinder is aimed at solving the problem without disadvantaging industry.
“It is a balance,” Bible said. “It is a systematic approach. But this is about managing risk, not necessarily trying to eliminate it, because I don’t think we will be able to eliminate it completely.”
DHS adopts supply chain strategy
The contractor cybersecurity push is one part of a broader supply chain risk management strategy, according to Bible. He said the new plans were developed in the wake of the SolarWinds attack last December.
One major effort has been simply “wiring” DHS to communicate about supply chain security issues.
“So being able to reach out to the procurement office and understand what suppliers were within a given program for delivering new capability to the department,” Bible said. “Or reaching out to the chief financial officer to understand how we would pay for some sort of remedial action if we decided we needed to do something with respect to a component that we found that needed to be removed or that we needed to modify in some way out of the budget cycle.”
He also said his office is working with the DHS Office of Intelligence and Analysis to determine whether the intelligence community has information about threats to specific suppliers.
The strategy also involves determining what software and services are critical to DHS operations.
Bible said his team worked with the SolarWinds chief information security officer to analyze remediation and corrective actions that were taken in the wake of the supply chain attack. The effort turned into a report that ultimately worked its way through the DHS CISO council up to Chief Information Officer Eric Hysen’s desk.
“We started to establish this pattern of how would we go look at products that were critical in our environment,” he said.
President Joe Biden’s May cybersecurity executive order advanced those efforts by directing the National Institute of Standards and Technology to come up with a definition for “critical software” that agencies must use going forward.
DHS is also using “open source tools” to scan its technical reference architecture – essentially the baseline of IT products used by the department – and determine whether there are any vulnerabilities or other concerning issues, according to Bible.
He said DHS is using those tools to produce on a bi-weekly basis “vendor due diligence assessments” for distribution throughout the department.
“Then we can start to make informed decisions about, do we want to keep on using those technologies? Or do we want to take those technologies out of the environment?” Bible said.