The Department of Homeland Security (DHS) is looking to use self-assessments to evaluate the cybersecurity posture of agency contractors, rather than conduct third-party assessments like the Department of Defense (DoD) is doing with its Cybersecurity Maturity Model Certification (CMMC) program.
Ken Bible, chief information security officer at DHS, explained that following the SolarWinds cyberattack that emerged in late 2020, he wanted to ensure that industry partners doing work for DHS had “sound cyber hygiene practices and processes in place for themselves.”
To do this, Bible said DHS applied CMMC’s criteria – which includes a third-party assessment – to one of its existing vendors, and the results were “stunning.”
“It didn’t turn out too well for the industry partner. What we realized was that if we took just this approach of saying, ‘Hey, go you get yourself a third-party assessment and come to the table for a contract,’ we were disadvantaging a significant part of the DHS industry base,” Bible said during an August 24 FCW event.
Instead of taking a snapshot in time with a third-party assessment, he said DHS wanted to find a methodology that would assess the cybersecurity of the entire contract portfolio. The agency launched a “pathfinder assessment” to establish a stronger cyber path forward.
“We were able to actually take a statistically relevant subset of the contracts using not self-attestation, but a self-survey, and actually use statistical means to say, ‘Did that give us a valid assessment of the maturity of our vendor base?’” Bible said. “And we’re gaining more and more confidence that, yeah, we could.”
Now, he said DHS is looking at what it can do with that self-assessment prior to making a contract award.
“The real question is, can we take that technique and extend it so that we’re able to not use a self-attestation, but use a self-assessment to gauge the cyber maturity of a vendor and make that a criteria by which we would select for an award,” Bible said. “And so we’ve been able to wrap in not only the cyber maturity, but also some aspects of the complexity of a contract through some of the standard processes that we use for approving a contract.”
Bible said such a rule has been in the works since 2017, but declined to comment on the rule’s specifics. DHS plans to publish a final rule on safeguarding controlled unclassified information (CUI) this September.
Bible emphasized that although the requirement has never changed, DHS is now “just talking about how do we assess the maturity of industry.”
“What I like about what we’re doing is that I’m not only going to get that snapshot in advance of an award, but I’ll be looking at it throughout the contract – which is pretty powerful,” he said. “I haven’t seen it really done in my career. Maybe somebody will correct me on that, but I’m pretty excited about it.”