DHS CISO Questions Self-Assessment Rule in CMMC 2.0
Ken Bible, the Department of Homeland Security’s chief information security officer, has raised concerns about the adoption of self-assessments under the revamped version of the Department of Defense’s Cybersecurity Maturity Model Certification program.
The CMMC, which initially required every defense contractor handling federal contract information or controlled unclassified information to be evaluated by an accredited third-party assessor, was simplified in CMMC 2.0 so that companies seeking Level 1 certification, and a subset of those seeking Level 2, can conduct self-assessments instead (annually for Level 1, every three years for Level 2).
Bible specifically questioned contractors’ honesty when evaluating their ability to meet the cybersecurity standards, Federal News Network reported Tuesday.
“I’m less comfortable with that based on the experiences that I think that I and others have had when they actually peel back the covers,” Bible said Tuesday during a conference hosted by SC Media.
DHS has been piloting its own CMMC-like program to evaluate existing contractors whose contracts already contain cyber hygiene clauses. According to Bible, those clauses have been in place since 2015, but DHS contractors were never held accountable for meeting them.
The pilot program, dubbed Pathfinder, was aimed at evaluating contractor cybersecurity without adversely affecting small businesses, which the DHS relies on for innovation.
So far, DHS has assessed a single contractor. Bible said Pathfinder will be expanded, since it remains unclear whether that one assessment gave the department enough data to draw conclusions.