DHS eyes CMMC model

NOTE: This article appeared first on
The Department of Homeland Security wants to explore its options on creating a verifiable cybersecurity standard for contractors and looks to be taking cues from the Defense Department's Cybersecurity Maturity Model Certification program.

DHS' Office of the Chief Procurement Officer issued a special notice on Aug. 10, noting that it is looking for a way to check contractors' compliance with its cyber hygiene clauses released in 2015.

"In light of recent events, DHS seeks to advance our process in assessing industry compliance with Cyber Hygiene clause requirements," wrote DHS CIO Eric Hysen, and Acting Chief Procurement Officer Paul Courtney in the notice.

"DHS has been closely monitoring the Department of Defense's implementation of the Cybersecurity Maturity Model Certification (CMMC) program to identify lessons learned and best practices for consideration by DHS as we advance our process."

No attachments or further details were revealed with the announcement, which lists Sept. 30 as the response date.

The notice indicates that DHS is conducting a pathfinder assessment to determine its strategy with an ultimate goal of having "a means of ensuring a contractor has key cybersecurity and cyber hygiene practices in place as a condition for contract award."

Expansion of the CMMC program to civilian agencies has long been suggested. The General Services Administration began preparing guidance for civilian agencies looking to insert CMMC requirements earlier this year after announcing that it would be a part of the Polaris small business contracting vehicle.

DHS' interest in the model also comes as the Defense Department undergoes reviews pertaining to its compliance with the CMMC standard, implementation and the overall program, which has come under scrutiny, particularly regarding cost and ease of adoption by the more than 300,000 defense industry contractors, most of which are small businesses.

During the first year of implementation, Katie Arrington, the Pentagon's chief information and security officer for acquisition, said the move would largely require contractors to do basic cyber hygiene "controls you should be doing everyday anyway."

In June, small business companies told lawmakers that prime contractors should take the brunt of CMMC requirements, with Jonathan Williams, a partner at the law firm PilieroMazza in Washington, D.C., saying that "many small businesses will be unable to compete if more than a Level 1 is required."

However, amid recent high-profile cybersecurity attacks on critical infrastructure, such as with the Colonial Pipeline ransomware hack, questions about whether a fully implemented CMMC could have prevented them will become even more pertinent as DHS looks for assurances in its own contracting process.

About the Author

Lauren C. Williams is senior editor for FCW and Defense Systems, covering defense and cybersecurity.

Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.

Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at, or follow her on Twitter @lalaurenista.

Click here for previous articles by Wiliams.

Reader Comments

Please post your comments here. Comments are moderated, so they may not appear immediately after submitting. We will not post comments that we consider abusive or off-topic.

Please type the letters/numbers you see above.


WT Daily

Sign up for our newsletter.

Terms and Privacy Policy consent

I agree to this site's Privacy Policy.