The Department of Defense (DoD) recently implemented a new cybersecurity framework that contractors must follow: the Cybersecurity Maturity Model Certification (CMMC) program. The program requires all contractors working with cybersecurity to adhere to specific regulations to ensure they comply with the DoD’s cyber hygiene clauses.
Interestingly, the Department of Homeland Security (DHS) is looking to follow in the DoD’s footsteps on cybersecurity. The DHS released its own cyber hygiene clauses in 2015, which outlined what it expects from contractors. The clauses explained best practices that all contractors must follow when working with the department.
Unfortunately, it has been discovered that many contractors haven’t been complying with the DHS’s cyber hygiene clauses, which is the same problem that led the DoD to take action to update its security policies. Largely, this lack of compliance is down to a lack of knowledge on how the contractors go about their work. So, the DHS is looking to introduce a NIST-based security framework similar to CMMC as a way of vetting contractors and making them go through audits.
The idea is a simple one: contractors that pass the audit will be seen to be in compliance with the DHS’s cyber hygiene clauses. This gives the department full confidence in the contractor’s abilities as a supplier.
Making Cybersecurity a Condition for Awarding Contracts
The Department of Homeland Security wants to implement a program similar to CMMC as a condition for awarding contracts. Its end goal is to have a means of ensuring a contractor has key cybersecurity and cyber hygiene practices in place at all times.
It is believed that this can further improve cybersecurity and is seen as a critical step towards protecting the department and the important information it handles. Nothing has been confirmed yet, but it is believed the DHS is conducting a pathfinder assessment right now. Feedback is expected at the end of September, at which point the plan of action will become clear.
The CMMC Comes Under Scrutiny
Interest in the CMMC comes at an intriguing time given that it has come under a lot of scrutiny lately. The implementation of the CMMC by the DoD has not been smooth at all, with only 100 assessors available, meaning hundreds of thousands of contractors will be waiting beyond the expected 2023 deadline for approval.
The DHS is monitoring the situation at all times and will be particularly interested in the outcome of an ongoing review of the CMMC. By learning the key issues with the current system, it’s hoped that the DHS can implement it with fewer setbacks. At the very least, the department will be aware of just how many assessors are required to handle the upcoming workload. Therefore, contractors are hoping that any news of the CMMC program for the DHS will only come once assessors are lined up and ready.
In recent times, the DHS has suffered high-profile cybersecurity attacks that many believe could’ve been prevented if it had had the CMMC to begin with. It’s unknown if this is the case, but there’s certainly a lot of talk about it coming to the DHS soon. Hopefully, the rollout is a lot smoother than it has proven to be for the DoD.