A top network security official with the Department of Homeland Security (DHS) – which is developing its own plans to evaluate contractor cybersecurity – aired some concerns this week with recent changes that the Defense Department (DoD) announced with its own Cybersecurity Maturity Model Certification (CMMC) program.
During the SC GOV eConference event on November 16, DHS Chief Information Security Officer Ken Bible explained that DHS wants to look at where it might be carrying cybersecurity risk with its contracts and with industry partners that may not be able to achieve required cybersecurity standards.
Bible said his agency could “go down the path of how CMMC did,” which features a third-party assessment tool that industry pays for. But the DHS CISO said he thinks that option might end up limiting the field because “small businesses with 10 employees probably can’t afford to go out here and do a third-party assessment on the off chance that they can get a contract.”
Additionally, Bible said that once a small business gets a contract, it may not have the operating margins to conduct a third-party assessment.
“It is a balance – it is a systematic approach – but this is about managing risk, not necessarily trying to eliminate it because I don’t think we will be able to eliminate it completely,” Bible said.
DHS is continuing to monitor DoD’s CMMC program, even after major changes were announced earlier this month to create a revamped CMMC 2.0. Under the recent changes, most defense contractors only need to submit a self-attestation of their cybersecurity practices, and Bible said he has some concerns with that approach.
“I do have concerns where even in CMMC 2.0, there’s this element of self-attestation that someone is meeting the standards,” Bible said.
“I would like to be able to trust that when I came in, and I did some sort of validation inspection after a contract award, that everything would be on the up-and-up, and that it would still be meeting the standard,” he said. “I’m less comfortable with that based on the experiences that I think that I and others have had when they actually peel back the covers.”