Homeland Security Considering CMMC-like Compliance Effort


The agency is inviting interested parties to weigh in on plans to ensure contractors follow best cyber hygiene practices.

The Department of Homeland Security will conduct a “pathfinder assessment” to determine a path forward for a new cybersecurity compliance program that shares similarities with the Defense Department’s Cybersecurity Maturity Model Certification, or CMMC.

In a special notice published Aug. 10, the agency seeks input on its nascent effort to improve industry compliance with existing and future cyber-hygiene requirements. The notice is authored by DHS Chief Information Officer Eric Hysen and acting Chief Procurement Officer Paul Courtney, and follows several high-profile cyber events, including the SolarWinds hack and Colonial Pipeline attack.

“In light of recent events, DHS seeks to advance our process in assessing industry compliance with cyber hygiene clause requirements,” the notice states. “DHS has been closely monitoring the Department of Defense’s implementation of the Cybersecurity Maturity Model Certification (CMMC) program to identify lessons learned and best practices for consideration by DHS as we advance our process. Our end goal is to have a means of ensuring a contractor has key cybersecurity and cyber hygiene practices in place as a condition for contract award.”

The notice called industry compliance with cyber requirements a “critical step in our progress towards protecting the Homeland.” Through the pathfinder assessment, DHS will solicit feedback through Sept. 30.

The Defense Department’s CMMC program mandates third-party assessments of its contractors and is designed to end the practice of simply taking companies at their word on the cybersecurity controls they implement. The Pentagon intends to reduce the loss of what it assesses to be hundreds of billions of dollars in intellectual property to cyber adversaries each year. The program is rolling out now, and all defense contractors are required to be compliant by 2026.