DHS considering CMMC supply chain applications

The department has begun working with vendors to ensure they understand required supply chain controls and are using components and equipment they're comfortable with.
DHS Department of Homeland Security
(U.S. Customs and Border Protection / Flickr)

The Department of Homeland Security is considering how the Pentagon’s cybersecurity program for contractors might apply to its own supply chain, said the acting chief information security officer.

DHS procurement and acquisition professionals are working with several vendors on supply chain pilots that would include standards from the Cybersecurity Maturity Model Certification (CMMC) program, said Thresa Lang. CMMC, which is specific to the Department of Defense, is a system of third-party assessments to ensure all contractors’ networks are compliant with cybersecurity requirements.

“DHS is interested in these kinds of innovations because it’s important for us to be promoting our economy and our security,” Lang said, during an AFFIRM event Wednesday.

DHS is not be the only civilian agency thinking about the usefulness of the CMMC. The General Services Administration also says it has started to impose similar standards on some of its governmentwide contracts.


DHS’s law enforcement, intelligence, national security and humanitarian response agencies could all benefit from stronger supply chain guidance and governance, which is why the department is one of the principals on the Federal Acquisition Security Council, she added. The council may recommend that DHS issue removal or exclusion orders for threatening hardware or software within supply chains.

Within DHS, the Cybersecurity and Infrastructure Security Agency already issues binding operational directives to agencies for safeguarding information systems, aggregates threat intelligence across government and industry, and develops mitigations for supply chain vulnerabilities. The CMMC standards, however, are tailored to government contractors.

“We’re starting to work with vendors to make sure that they understand what they can do for their supply chains, that they understand the controls that are required, and that they are using components and equipment that they’re very comfortable with,” Lang said. “So a lot of this is procurement … a lot of it education, and I think a lot of it comes down to just getting the right information and making sure everyone understands it.”

The National Institute of Standards and Technology‘s Risk Management Framework is also “critical” to DHS’s supply chain efforts, she said. While the guidance doesn’t have many supply chain controls yet, more are expected.

DHS doesn’t currently have a timeline for reviewing CMMC, and CISA is following its development with interest. The GSA adopted some of the language from CMMC into one of its governmentwide acquisition contracts to require basic cyber-hygiene expected of Level 1 contractors.


GSA and the Defense Logistics Agency are integral to helping other agencies understand and track all the players in their supply chains, as well as identify weak points where counterfeits and grey market components may be inserted, Lang said.

Latest Podcasts