DHS looks to CMMC for contractor security model
- By Lauren Williams
- Aug 17, 2021
The Department of Homeland Security is taking a page from the Pentagon’s Cybersecurity Maturity Model Certification program as it looks to create a verifiable standard to ensure contractors are in compliance with its cyber hygiene clauses released in 2015.
"In light of recent events, DHS seeks to advance our process in assessing industry compliance with Cyber Hygiene clause requirements," DHS CIO Eric Hysen and Acting Chief Procurement Officer Paul Courtney wrote in the Aug. 10 special notice posted on SAM.gov.
"DHS has been closely monitoring the Department of Defense's implementation of the Cybersecurity Maturity Model Certification (CMMC) program to identify lessons learned and best practices for consideration by DHS as we advance our process."
The notice indicates that DHS is conducting a pathfinder assessment to determine its strategy with an ultimate goal of having "a means of ensuring a contractor has key cybersecurity and cyber hygiene practices in place as a condition for contract award."
DHS' interest in the model also comes as the Defense Department reviews its own compliance with the CMMC standard, the program's implementation and the program overall. CMMC has come under scrutiny, particularly over cost and ease of adoption for the more than 300,000 defense industry contractors, most of which are small businesses.
During the first year of implementation, Katie Arrington, the Pentagon's chief information and security officer for acquisition, said the move would largely require contractors to do basic cyber hygiene "controls you should be doing every day anyway."
In June, small business companies told lawmakers that prime contractors should bear the brunt of CMMC requirements, with Jonathan Williams, a partner at the law firm PilieroMazza in Washington, D.C., saying that "many small businesses will be unable to compete if more than a Level 1 is required."
However, amid recent high-profile cybersecurity attacks on critical infrastructure, such as the Colonial Pipeline ransomware attack, questions about whether a fully implemented CMMC could have prevented them will become even more pertinent as DHS looks for assurances in its own contracting process.
Expansion of the CMMC program to civilian agencies has long been suggested. The General Services Administration began preparing guidance for civilian agencies looking to insert CMMC requirements earlier this year after announcing that such provisions would be a part of the Polaris small business contracting vehicle.
This article was first posted to FCW, a sibling site to GCN.
Lauren C. Williams is senior editor for FCW and Defense Systems, covering defense and cybersecurity.
Prior to joining FCW, Williams was the tech reporter for ThinkProgress, where she covered everything from internet culture to national security issues. In past positions, Williams covered health care, politics and crime for various publications, including The Seattle Times.
Williams graduated with a master's in journalism from the University of Maryland, College Park and a bachelor's in dietetics from the University of Delaware. She can be contacted at [email protected], or follow her on Twitter @lalaurenista.