DHS is considering how it might use self-assessments for vendors to measure their cyber hygiene—an approach that would set it apart from the Defense Department’s plans for third-party assessments.
The Department of Homeland Security isn’t planning on saddling contractors with a program like the Department of Defense’s Cybersecurity Maturity Model Certification program, a top DHS official said during an FCW event Wednesday.
When asked how the DHS approach to checking the cyber practices of its contractors might compare to the DOD’s planned use for third-party assessments as part of CMMC, Kenneth Bible, DHS chief information security officer, said that the department is looking at using self-assessments.
Bible’s comments come after DHS indicated in 2021 that it was potentially eying the DOD process. The department has since done pathfinder assessments to help find a strategy for ensuring contractors’ cyber hygiene practices.
As DHS was looking at building out how it will know that its contractors are using sound cyber hygiene practices, “we were able to actually take a statistically relevant subset of the contracts” and use a self-survey, Bible said.
“Did that give us a valid assessment of the maturity of our vendor base?” he continued. “We’re gaining more and more confidence that yeah, it could.”
Now, Bible said that DHS is looking at what to do before awards are given out.
“The real question is, can we take that technique and extend it so that we’re able to…not use a self-attestation, but use a self-assessment, to gauge the cyber maturity of a vendor and make that a criteria by which we would select for an award,” he said.
“What I like about what we’re doing is that I’m not only going to get that snapshot in advance of an award, but I'll be looking at it throughout the contract, which is pretty powerful,” he continued.
One reason for this approach is the “disadvantage” of a CMMC-like program for small businesses, which make up a “significant” part of DHS contractors, Bible said.
On the horizon is a final DHS rule meant to set security and privacy measures to ensure that controlled unclassified information is protected by DHS contractors. The DHS unified agenda has it scheduled for this fall.