DHS Invites Contractors to ‘Hack’ Their Systems as the Agency Moves Toward Zero Trust Architecture

Published: March 29, 2022

Tags: Cybersecurity, CISA, Homeland Security, DHS, Information Technology

The Department of Homeland Security (DHS) plans to award a single IDIQ contract under which it will pay vetted security researchers to find and report vulnerabilities in its networks and information systems, the arrangement commonly known as a bug bounty program.

The agency has not yet announced an RFP release date, but interested vendors can monitor its progress under GovWin’s Opportunity ID 216443.

The “Hack DHS: Crowdsourced Vulnerability Assessment Services (CVAS)” contract implements the bug bounty authority created by the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure Technology Act, or SECURE Technology Act, enacted in 2018. The engagements are tightly scoped, controlled and monitored events coordinated between the contractor and the DHS Chief Information Security Officer (CISO), and the financial payments, or bounties, are made for vulnerabilities found within that scope.

So, what does all this have to do with Zero Trust? Glad you asked.

As the name implies, Zero Trust assumes that no user, node, service, asset, actor, or account can be trusted until verified, regardless of its physical or network location or of who owns the account or asset. This approach replaces the perimeter-based security model, in which being inside the network is itself the credential, with continuous verification at every level of access, from the initial authentication through ongoing endpoint detection and response. Implementing the model requires systems modernization and stronger cybersecurity controls such as multifactor authentication and encryption of data in transit and at rest. Each federal agency is responsible for developing and implementing its own program.

The bug bounty program’s objective is to discover network and infrastructure vulnerabilities, or bugs, as DHS moves toward the federal zero trust architecture outlined in the Office of Management and Budget’s January 2022 memorandum M-22-09, “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles.”

The memo set specific cybersecurity goals that all federal agencies must meet by the end of FY 2024. The goals are organized around the five pillars of the Draft Zero Trust Maturity Model published by DHS’s Cybersecurity and Infrastructure Security Agency (CISA). Those pillars are:

  • Identity
  • Device
  • Network/Environment
  • Application and Workload
  • Data.

These pillars are tied together by three cross-cutting capabilities, Visibility and Analytics, Automation and Orchestration, and Governance, that apply across every pillar and mature alongside them.
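To make the "no implicit trust by location" point concrete, here is an added example of a per-request policy decision point written for this article; it is not DHS, CISA or contractor code. It evaluates signals from each pillar (identity via MFA status, device compliance, source network, the application requested, data sensitivity and transport encryption), contrasts the legacy perimeter decision with the zero trust decision, and emits a structured record of the kind the Visibility and Analytics layer would consume. The signal names, the policy table and the sample requests are all assumptions constructed for the illustration.

```python
"""Illustrative Zero Trust policy decision point (added example, not agency code).

Every request is judged on its own signals; network location alone grants nothing.
Signal names, the POLICY table and SAMPLE_REQUESTS are assumptions for this example.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class AccessRequest:
    user: str
    mfa_verified: bool          # Identity: phishing-resistant MFA completed this session
    device_id: str
    device_compliant: bool      # Device: enrolled, patched, EDR agent healthy
    source_network: str         # Network/Environment: "corp-lan" or "internet"
    application: str            # Application/Workload being accessed
    resource_sensitivity: str   # Data: "public", "internal" or "restricted"
    transport_encrypted: bool   # Data in transit protected by TLS


# Assumed policy: controls required for each data sensitivity tier.
POLICY = {
    "public":     {"mfa": False, "compliant_device": False},
    "internal":   {"mfa": True,  "compliant_device": False},
    "restricted": {"mfa": True,  "compliant_device": True},
}


def perimeter_decision(req: AccessRequest) -> bool:
    """Legacy model: being on the internal network is the credential."""
    return req.source_network == "corp-lan"


def zero_trust_decision(req: AccessRequest) -> tuple[bool, list[str]]:
    """Verify the request explicitly; return (allowed, reasons for denial)."""
    rules = POLICY[req.resource_sensitivity]
    denials: list[str] = []
    if not req.transport_encrypted:
        denials.append("transport not encrypted")
    if rules["mfa"] and not req.mfa_verified:
        denials.append("MFA not verified")
    if rules["compliant_device"] and not req.device_compliant:
        denials.append("device not compliant")
    return (not denials, denials)


def decision_record(req: AccessRequest) -> dict:
    """Structured log entry for the Visibility and Analytics capability."""
    allowed, denials = zero_trust_decision(req)
    return {
        "user": req.user,
        "device": req.device_id,
        "network": req.source_network,
        "application": req.application,
        "sensitivity": req.resource_sensitivity,
        "perimeter_would_allow": perimeter_decision(req),
        "zero_trust_allowed": allowed,
        "denial_reasons": denials,
    }


# Constructed sample requests (not real agency traffic).
SAMPLE_REQUESTS = [
    # On the LAN, no MFA, unmanaged device: perimeter allows, zero trust denies.
    AccessRequest("alice", False, "unknown-laptop", False, "corp-lan",
                  "hr-portal", "restricted", True),
    # Remote, MFA done, compliant device, encrypted: zero trust allows, perimeter would block.
    AccessRequest("bob", True, "mgd-4411", True, "internet",
                  "hr-portal", "restricted", True),
    # Public content over plaintext: denied on transport regardless of identity.
    AccessRequest("carol", True, "mgd-0912", True, "internet",
                  "public-site", "public", False),
]


def evaluate_samples() -> list[dict]:
    """Run every sample request through the decision point."""
    return [decision_record(r) for r in SAMPLE_REQUESTS]


if __name__ == "__main__":
    for rec in evaluate_samples():
        print(rec)
```

The first two sample requests are the whole argument in miniature: the perimeter model and the zero trust model disagree on both, in opposite directions, because one keys on where the request comes from and the other on what can actually be verified about it.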

Additionally, the President’s FY 2023 Budget request includes $2.5 Billion for CISA to facilitate the transition to Zero Trust.

Other agencies have similar bug bounty programs, such as GSA’s Technology Transformation Services (TTS) Bug Bounty Program (Opportunity ID 194268), which works in the same manner as “Hack DHS” but also gives researchers the option to validate the agency’s fix. The Department of Defense’s Defense Digital Service uses the System for Insider Threat Hindrance (SITH), which includes a bug bounty program that triages reported vulnerabilities by severity using the Common Vulnerability Scoring System (CVSS), the scoring standard maintained by FIRST and used by NIST’s National Vulnerability Database. U.S. Army Cyber Command’s “Hack the Army” likewise enlists civilian hackers to identify system vulnerabilities. All of these are spinoffs of the Department of Defense’s original 2016 “Hack the Pentagon” program, which paved the way for other agencies to launch bug bounty programs of their own.

Search Deltek’s GovWin Opportunity database for more opportunities in support of Bug Bounty and Zero Trust programs.

For additional information on Zero Trust, see John Slye’s recent article, “CISA Seeks Industry Input on Applying Zero Trust Principles to Enterprise Mobility” and other Federal Market Research reports on cybersecurity.