The Department of Homeland Security is preparing a rule to ensure contractors are meeting cybersecurity requirements, with DHS touting a process for evaluating its vendor base through self-assessments rather than relying on a third-party certification program as the Pentagon does.
DHS has spent the past year conducting multiple “pathfinders” to test out a method for ensuring companies are meeting cyber hygiene clauses in their contracts. DHS issued a self-assessment questionnaire to a subset of its contractors last fall. The questionnaire was aimed at measuring whether the companies were complying with a 2015 Homeland Security Acquisition Regulation for safeguarding sensitive information.
Ken Bible, DHS’ chief information security officer, says the work has convinced DHS it can use the approach more broadly.
“We were able to actually take a statistically relevant subset of the contracts using not self-attestation, but a self-survey, and actually use statistical means to say, ‘Did that give us a valid assessment of the maturity of our vendor base?’” Bible said during an Aug. 24 event hosted by FCW. “And we’re gaining more and more confidence that, yeah, it could.”
The exercise identified “outliers,” with some companies struggling to document their compliance with security practices, according to Bible.
“And so now we’re looking at what do we do with that with respect to prior to award?” Bible said. “That’s really kind of the real question is, can we take that technique and extend it so that we’re able to not use a self-attestation, but use a self-assessment to gauge the cyber maturity of a vendor and make that a criteria by which we would select for an award.”
Bible declined to comment on the specifics of the forthcoming rule. But he said DHS will use standard contract processes, like those used to ensure International Traffic in Arms Regulations compliance, to assess cyber maturity.
“What I like about what we’re doing is that I’m not only going to get that snapshot in advance of an award, but I’ll be looking at it throughout the contract, which is pretty powerful,” Bible said. “I haven’t seen it really done in my career. Maybe somebody will correct me on that. But I’m pretty excited.”
The approach laid out by Bible stands in contrast to the Defense Department’s plan for ensuring contractors follow requirements for safeguarding controlled unclassified information. Both DHS and DoD require companies to protect CUI using the security requirements in the National Institute of Standards and Technology Special Publication 800-171.
DoD plans to require many contractors to pass a third-party security audit prior to contract awards under its Cybersecurity Maturity Model Certification program. The CMMC requirements are still being developed, however, and aren’t projected to come into effect until next summer at the earliest.
The Pentagon significantly revamped its plan for CMMC last year after concerns arose that the original requirements would be too onerous for small businesses.
Jacob Horne, chief security evangelist at Summit 7, said “the fallout of DoD’s CMMC program and DHS’ upcoming assessment program are leading indicators for the rest of the federal contracting base.” He said agencies are increasingly seeking methods to verify that contractors are meeting existing security requirements.
“The security requirements in NIST SP 800-171 are not new,” Horne said. “With Bible’s comments, another federal agency voice has joined in what will soon be a deafening chorus rather than a DoD anomaly.”
Additionally, DHS’ plans show supply chain security concerns are not unique to DoD.
“Agencies want assurance that security requirements are being met (especially when pathfinders illuminate systemically poor maturity in the supply chain),” Horne said. “Yet, actually requiring third party assessments a la DoD’s CMMC disadvantages a significant number of small and medium businesses.”
DHS considered the Pentagon’s CMMC approach last year. But Bible said the agency determined that requiring contractors to obtain third-party assessments would hurt its contractor base, particularly small businesses.
“What we realized was that if we took just the approach of saying, ‘Hey, go you get yourself a third party assessment, come to the table for a contract,’ we were disadvantaging a significant part of the DHS industry base,” he said. “DHS leverages small business quite a bit.”
Horne says the details in DHS’ final rule will be crucial, especially as other civilian agencies consider approaches to ensuring cybersecurity in their supply chains.
“Although DHS claims that they have found a way to gain assurance over their supply chain and ameliorate the impact of assessments, it seems we won’t know the details until the final HSAR CUI rule is out,” he said.