The Department of Homeland Security will use a “cybersecurity readiness” assessment to evaluate whether contractors have appropriate cyber defenses in place prior to making contract awards.
DHS published the details of the new “cybersecurity readiness evaluation factor” in a Nov. 1 notice signed by Kenneth Bible, DHS’ chief information security officer, and Sarah Todd, DHS’ executive director of acquisition policy and legislation.
The notice confirms DHS’ plan to use its own approach for evaluating contractor cybersecurity rather than adopting the Defense Department’s Cybersecurity Maturity Model Certification (CMMC) program.
“It is the department’s intention to ensure that effective and appropriate cybersecurity measures are in place by vendors supporting work where such measures are necessary,” the DHS officials write in the new notice. “This new evaluation factor will enable DHS to evaluate vendors’ cybersecurity posture pre-award for applicable contracts to inform a best value tradeoff award decision.”
The notice doesn’t state when the new evaluation factor will go into effect. But DHS is seeking feedback on its plans by Nov. 17.
In an attachment to the notice, DHS lays out more details on how it will evaluate “cybersecurity readiness” based on analyzing contractor responses to a questionnaire.
In cases where the readiness factor is used in a solicitation, companies will need to show how they meet National Institute of Standards and Technology cybersecurity controls for protecting a broad category of sensitive government data known as “controlled unclassified information” or “CUI.”
Companies will be assigned ratings based on “readiness results” stemming from their responses to DHS’ “standardized secure assessment instrument questionnaire.” The ratings range from a “high likelihood of cyber readiness,” to just a “likelihood” of readiness, to a “low likelihood.”
The metrics “will be tailored to individual solicitations when utilized,” the DHS notice states. And importantly, a company’s cybersecurity rating could either help or hurt their bid.
“At the present time, this Cybersecurity Readiness Factor will only be used for best value tradeoff award decisions for applicable solicitations,” the attachment states. “However, solicitation language may require a Plan of Action and Milestones as a post-award deliverable if an awardee’s assessment result does not meet DHS’ expectations of compliance with the applicable clauses upon award.”
DHS breaks from CMMC
The new readiness tool planned by DHS builds off previous efforts to scrub the “cyber hygiene” of its industrial base through a self-assessment sent to 400 contractors last year.
During a webinar hosted by Leadership Connect last week, Bible said the cyber hygiene work is based around a priority at DHS to “use our contracting to raise the cybersecurity posture of our industry base.”
Even though DHS contractors need to follow the same cybersecurity standards as defense contractors, Bible has previously said DoD’s plan to require many contractors to obtain third-party cybersecurity assessments under CMMC was not the right fit for DHS.
Bible reiterated that stance during last week’s event, saying CMMC “wouldn’t really work with our industry base,” which includes a substantial number of small businesses. DoD has had to significantly revamp the CMMC program due to concerns about costing out small-and medium-sized businesses.
Bible said DHS can implement its cybersecurity evaluation mechanism without any rulemaking. DoD’s CMMC process remains in the rulemaking stage, with it unlikely to become effective until later next year.
“It’ll start helping us to go look at this in advance of a contract award,” Bible said. “We’re trying to take steps that we can do now. Let’s just start. And in my mind, that’s what starts to build the public’s confidence if they can just see the government moving out to do the things that we’re asking them to do. And we’re starting to hold ourselves to the same standards. I think that goes a long way. And are we going to hit the mark every time? Probably not. But the point is that if we don’t start, then we’re never going to get there.”