Defense

DHS conducting initial assessment for CMMC-like cyber compliance regime

CIO Eric Hysen says the agency has been watching the implementation of CMMC closely and is looking to learn from it.

August 13, 2021

Eric Hysen spoke at FedScoop's Lowering the Cost of Government with IT Summit about the genesis of USDS. (FedScoop)

The Department of Homeland Security has launched a “pathfinder assessment” to examine whether it should implement a new contractor cyber compliance program similar to the Department of Defense’s Cybersecurity Maturity Model Certification (CMMC).

DHS officials have previously expressed their interest in possibly implementing a similar program to improve the protection of sensitive information stored on contractor networks. CMMC mandates DOD contractors verify their compliance with one of five tiers of a compliance regime, instead of simply self-reporting their adherence to requirements. Private sector contractors have often been vulnerable to attackers seeking access to sensitive information, a weakness programs like CMMC are trying to address.

“Our end goal is to have a means of ensuring a contractor has key cybersecurity and cyber hygiene practices in place as a condition for contract award,” DHS CIO Eric Hysen said in a notice posted to SAM.gov Aug. 10. “As an immediate first step, DHS is conducting a pathfinder assessment to establish a path forward.”

It is unclear what exactly the “pathfinder assessment” is looking at, but the notice from the CIO states that DHS has been watching CMMC very closely and is looking to learn from its implementation. It is not the first time the DHS CIO has signaled interest in monitoring CMMC.

“We’re looking very closely at [the Department of Defense]’s Cybersecurity Maturity Model Certification, or CMMC, and looking to pilot that approach within our vendor base as well,” Hysen said during the April IT Modernization Summit presented by FedScoop.

While DHS might be looking closely at CMMC, it has not communicated with the third-party organization conducting much of its implementation. The CMMC Accreditation Body oversees the accreditation of the cyber assessors and the ecosystem of consultants and trainers that will work in the space. Its CEO, Matthew Travis is barred from communicating with DHS as he recently left the department as the No. 2 at the Cybersecurity and Infrastructure Security Agency (CISA).

“[T]he AB has not been in touch with DHS as Matthew Travis is currently restricted from doing so due to ethics restrictions,” a CMMC AB spokesperson told FedScoop.

CMMC has been praised for its ambition to verify cyber practices in contractors, but has faced implementation roadblocks. Small businesses working with DOD also worry it could raise costs to both meet the cyber standards and pay for the consultants and assessors needed to pass the test.

Katie Arrington, who at the time led the CMMC effort in DOD, said in April 2020 that she had met with DHS leaders about implementing CMMC.

The General Services Administration (GSA) has also taken notice of CMMC and implementing some of its requirements in government-wide contracting vehicles since DOD is a large consumer of the services GSA procures.

DHS did not respond to a request for comment.