Cyber compliance program
DHS Eyeing Implementation of CMMC-Like Program
The Department of Homeland Security is considering implementing a program similar to the Pentagon’s Cybersecurity Maturity Model Certification to further protect sensitive information stored on contractor networks.
The effort is still in its infancy, with the DHS conducting a pathfinder assessment to determine the need to launch its own contractor cyber compliance program, FedScoop reported.
“Our end goal is to have a means of ensuring a contractor has key cybersecurity and cyber hygiene practices in place as a condition for contract award,” DHS Chief Information Officer Eric Hysen said in a special notice posted Tuesday on SAM.gov.
Hysen initially hinted at the DHS’s intention to adopt a CMMC-like program at the April IT Modernization Summit, saying the agency has been looking to pilot that approach within its own vendor base.
Under CMMC, defense contractors are no longer allowed to self-report their adherence to the Pentagon’s cybersecurity requirements. Companies’ cyber readiness is now validated through a five-tier cyber hygiene certification system, which looks at their ability to meet various levels of security controls.
Per the timeline set by the Pentagon, CMMC implementation will follow a phased rollout approach from fiscal years 2021 through 2025, with the goal of having all defense contracts comply with the new cybersecurity standards starting in 2026.
So far, the DHS has yet to communicate its plans with the organization that oversees the accreditation of the cyber assessors involved in the CMMC program.
A spokesperson for the CMMC Accreditation Body recently told FedScoop that its CEO, Matthew Travis, is currently barred from talking with the DHS due to ethics restrictions.