DHS to Release New Rule Allowing Cybersecurity Self-Assessments
The Department of Homeland Security is creating a new rule that will allow contractors to conduct their own cybersecurity assessments. DHS unveiled the plan after it launched pathfinders to evaluate whether vendors comply with the cyber hygiene clauses in their contracts and released a self-assessment questionnaire aimed at determining whether contractors meet the requirements of a 2015 regulation for safeguarding controlled unclassified information. According to Ken Bible, the chief information security officer at DHS, the agency found that a self-survey has the potential to provide a valid assessment of the DHS vendor base’s cyber maturity, Federal News Network reported.
Speaking at an FCW event, the official said the department is exploring how the same approach can be applied to the contract awarding process since the Pentagon’s third-party certification program could disadvantage small businesses supporting the agency.
The Department of Defense’s Cybersecurity Maturity Model Certification program was originally set for implementation in 2021 but was suspended over concerns that it could force small businesses to move out of the defense industrial base. A new version of CMMC was released late last year, but it will not be rolled out until the summer of 2023 because it is still in the early phase of rulemaking.
DHS, meanwhile, is expected to release its final rule for safeguarding controlled unclassified information in September. Bible did not disclose specific details but noted that the department will continue implementing standard contract processes to measure the cyber maturity of bidders.