Inside Cybersecurity
DHS investigates how to hold contractors accountable for cyber hygiene through CMMC ‘pathfinder’

By Sara Friedman / November 17, 2021

The Department of Homeland Security is working to evaluate how the Pentagon’s Cybersecurity Maturity Model Certification standard could be adopted under DHS’ acquisition regulations while balancing the needs of its small business contracting base, according to DHS CISO Ken Bible.

“The Department of Defense took a path down a certification path with their Cybersecurity Maturity Model Certification so they were really looking to implement some sort of third party assessment as a condition for getting a contract award,” Bible said at a conference Tuesday hosted by SC Media.

Bible said, “We looked at that and said it may be too heavy handed for the industrial base that supports the Department of Homeland Security. We really didn’t want to disadvantage small businesses which have been the heart of being able to innovate within [DHS], so we started a pathfinder effort back in the July-July timeframe to do an assessment of an existing vendor using our Homeland Security Acquisition Regulation clauses.”

DHS added “cyber hygiene” clauses to its acquisition regulations in 2015, according to Bible. However, he said, “We have never exercised what it means to hold a vendor accountable for meeting those standards.”

DHS announced the pathfinder assessment in a notice on SAM.gov in August.

Under the pathfinder, Bible said, DHS looked at how a vendor in the workforce sector was handling controlled unclassified information and assessed it against the DHS standards for cyber hygiene. DHS is now starting to expand the pathfinder effort, Bible said, to gather more information.

The Pentagon’s CMMC program is focused on safeguarding the handling of sensitive unclassified information held by defense contractors and is largely based on NIST Special Publication 800-171.

DOD announced major changes to the program on Nov. 4, now CMMC 2.0, to allow companies to self-attest that they meet level one requirements and to set up a bifurcated assessment process for contractors handling CUI at level two. The Pentagon also removed 20 extra maturity practices and three processes formerly in level two to make its maturity levels consistent with the current federal standard for handling CUI in NIST 800-171.

Bible said CMMC 2.0 is “looking a whole lot more” similar to DHS’ acquisition rules, but he is waiting to see how the DOD program evolves. Bible was deputy CIO at the Marine Corps prior to his move over to DHS in January, and was involved in early efforts to start CMMC in coordination with the DOD CIO’s office and the Office of the Under Secretary for Acquisition and Sustainment.

Bible said he is concerned about the introduction of self-attestation under CMMC 2.0, especially how to ensure “trust” and make sure contractors are “still meeting the standard.”

Industry needs to be “focused on cybersecurity, building the reps and sets of a good cybersecurity culture in advance of an award and being able to show the mechanisms are in place to drive cybersecurity within a company,” he said, acknowledging this is “something we have paid lip service to in the past.”

DHS will also emphasize “risk management” when it comes to handling sensitive information, Bible said. “You are never going to eliminate the risk,” Bible said, but there should be an effort to determine “where are we carrying the greatest risk and where are those contractors that are struggling or who have not been able to achieve some of the cybersecurity standards that we require of our industry partners.”

Bible said there needs to be a “balance” for small contractors who may not be able to take on the cost of a third party assessment, and the “whole point of the pathfinder” is to start to address those problems. Bible emphasized that there needs to be a “systemic approach” to managing risk “because I don’t think that we will be able to eliminate it completely.”

Bible described his relationship with the Cybersecurity and Infrastructure Security Agency as a partnership where DHS can test out ideas to boost the department’s cyber posture based on practicality and scale. -- Sara Friedman (sfriedman@iwpnews.com)