“CMMC Light” – How DHS Will Evaluate Contractor Cybersecurity Posture for Contract Award Decisions

The Department of Homeland Security (DHS) recently announced that it is developing plans to implement a new assessment mechanism to evaluate contractor cybersecurity postures for relevant contracts as part of the department’s contract award decision process.

DHS’s Contractor Cybersecurity Readiness Factor

DHS’s new Cybersecurity Readiness Factor (CRF) will be applied in upcoming contract solicitations “to ensure that effective and appropriate cybersecurity measures are in place by vendors… to inform a best value tradeoff award decision,” according to the announcement. DHS also provided details of their CRF methodology and sample solicitation language and is seeking industry feedback as it finalizes its implementation.

Key details of the DHS CRF plan include:

• Relevant Contracts – The CRF contract language will be tailored to individual solicitations, primarily where contractors will handle DHS Controlled Unclassified Information (CUI).
• Evaluation Criteria – Contractors will be assessed against National Institute of Standards and Technology (NIST) cybersecurity standards for protecting CUI on non-federal systems, based on standards from NIST SP 800-171r2, Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations and NIST SP 800-172, Enhanced Security Requirements for Protecting Controlled Unclassified Information.
• Evaluation Mechanism – Bidding contractors will answer a questionnaire presenting their level of fulfillment of security requirements from the NIST standards noted above.
• Contractor Readiness Ratings – Offerors will be assigned ratings by DHS based on their readiness result per their questionnaires.
• Best Value Awards (for now) – At the present time, DHS says that the CRF will only be used for best value tradeoff award decisions. “However, solicitation language may require a Plan of Action and Milestones [(POA&M)] as a post-award deliverable if an awardee’s assessment result does not meet DHS’s expectations of compliance with the applicable clauses upon award.”
• Implementation TBD – DHS has not yet announced when the CRF will begin being included in solicitations.
• Industry Feedback Sought – Industry feedback on the CRF is due by November 17, 2023. Feedback should be sent to: dhs-industry-cha@hq.dhs.gov, with the e-mail subject line Feedback on the DHS Cybersecurity Readiness Factor.

DHS Pursues “CMMC Light”

The DHS announcement confirms that they will pursue their own approach for measuring contractor cybersecurity, rather than adopting wholesale the Cybersecurity Maturity Model Certification (CMMC) program being developed by the Department of Defense (DoD).

However, while DHS diverges from the path that the DoD is following for CMMC, they are doing so primarily in one main area – no third-party assessments for contractors handling CUI – and with good reason, their contractor base. According to media coverage, DHS Chief Information Security Officer (CISO) Kenneth Bible says that the third-party cybersecurity assessments under CMMC is not the right fit for DHS’s industrial base, of which a significant portion consists of small businesses. The cost of preparing for and undergoing these third-party cybersecurity assessments has been a major sticking point for the DoD CMMC program and defense industrial base (DIB) companies – especially small businesses – leading the Pentagon to revise the CMMC program while under development to adjust to these and other concerns.

According to Bible, the DHS CRF approach can also move forward without the need for any additional acquisition rulemaking, since these NIST security requirements are already in compliance with the Homeland Security Acquisition Regulation (HSAR) 3052.204-72, Safeguarding of Controlled Unclassified Information clause. This is another distinction from CMMC. In late July, the DoD sent its highly anticipated CMMC proposed rule to the Office of Information and Regulatory Affairs (OIRA) at the Office of Management and Budget (OMB) for review, setting the clock ticking for a rule release that is anticipated by the end of November.

Besides using the same NIST standards, one commonality between CRF and CMMC will also probably exist. It is likely that DHS and/or the Department of Justice will hold DHS contractors and grant recipients accountable for the veracity of their CRF responses with the specter of fraud charges under the DOJ’s Civil Cyber-Fraud Initiative (CCFI). Given that both CRF and CMMC require vetting before a respective contract is awarded, one would hope that the threat of such charges would be enough to weed out dubious bidders. Time will tell.

The key take-away in both the DHS CRF and the DoD CMMC efforts – and other agency efforts that these will continue to spawn – is the expectation and requirement that federal contractors are keeping their cybersecurity postures and processes strong and up-to-date with federal standards, as a condition to being awarded many, if not all, federal contracts (and grants). This is especially true for contracts that involve processing government information.

This continues to be a multi-year evolution, but we are getting ever closer to the implementation phase. All contracting firms would do well to stay ahead of the implementation curve, or risk losing access to this market.

---

For more of Deltek’s perspective on the federal cybersecurity market see our report, Federal Cybersecurity Market, 2023-2027.