The Department of Homeland Security (DHS) has recently introduced a new Cybersecurity Readiness Factor to ensure that vendors have effective cybersecurity measures in place. This initiative is a noteworthy step towards scrutinizing the cyber hygiene practices of contractors before contracts are awarded. Unlike the Department of Defense's (DoD) Cybersecurity Maturity Model Certification (CMMC) approach, which mandates independent assessments, DHS has chosen a self-attestation model. As cybersecurity readiness requirements spread across the federal domain, understanding the nuances and consequences of these divergent assessment models is essential for contractors, especially those seeking contracts with either DHS or DoD. This article examines the different approaches of DHS's Cybersecurity Readiness Factor and DoD's CMMC, explaining what each means for federal contractors and the assurance each provides in safeguarding sensitive data.
Understanding DHS's Self-Attestation Approach
DHS developed the Cybersecurity Readiness Factor methodology based on a statistical analysis of responses from 400 DHS contractors, small businesses and others. This self-attestation model is designed to gauge the readiness of contractors to safeguard Controlled Unclassified Information (CUI) on non-federal information systems, in line with the security requirements of NIST SP 800-171r2 and NIST SP 800-172.
Under this approach, DHS contractors are required to self-assess and represent their level of fulfillment of security requirements through a secure assessment instrument questionnaire. The ratings derived from this self-assessment—High Likelihood, Likelihood, and Low Likelihood of Cybersecurity Readiness—provide a measure of the government's confidence in a contractor's understanding and implementation of essential technical controls.
Kenneth Bible, DHS's Chief Information Security Officer, emphasized the importance of this proactive step, stating, “It’ll start helping us to go look at this in advance of a contract award... We’re trying to take steps that we can do now. Let’s just start. And in my mind, that’s what starts to build the public’s confidence if they can just see the government moving out to do the things that we’re asking them to do. And we’re starting to hold ourselves to the same standards.”
Weighing Against CMMC's Independent Assessment
Conversely, the Department of Defense (DoD) has adopted the CMMC model, which requires an independent assessment by a certified CMMC Third-Party Assessment Organization (C3PAO). This model evaluates contractors' compliance with the cybersecurity practices and processes set out in DFARS clause 252.204-7012, Safeguarding Covered Defense Information and Cyber Incident Reporting. That clause has been a requirement for DoD contractors since December 2017 and exists to protect the confidentiality of Controlled Unclassified Information (CUI) in nonfederal systems. The updated CMMC 2.0 framework offers a tiered certification spectrum with three levels:
Level 1 (Foundational): 17 practices; self-assessment
Level 2 (Advanced): 110 practices; C3PAO assessment
Level 3 (Expert): more than 110 practices; government-led assessment
It is important to note that CMMC 2.0 is currently in the rule-making stage, with its official publication anticipated later this month. The structured assessment model under CMMC is designed to give contractors a clear certification pathway that demonstrates their cybersecurity maturity to the DoD and thereby directly influences contract award decisions.
Pros and Cons
Pros of DHS's Self-Attestation:
Cost-Effectiveness: Self-assessment reduces the financial burden on small contractors as it does not necessitate the same level of expenditure as an external assessment.
Flexibility: The DHS's approach provides flexibility as contractors can assess their cybersecurity posture internally, making necessary adjustments before submission.
Cons of DHS's Self-Attestation:
Potential for Bias: The self-attestation approach might harbor a level of bias as contractors evaluate their own cybersecurity measures.
Possibly Lower Assurance: Without an independent assessment, there could be a lower level of assurance regarding the accuracy and comprehensiveness of the cybersecurity readiness evaluation.
Pros of CMMC's Independent Assessment:
Higher Assurance: The independent assessment by certified third-party assessors can provide a higher level of assurance and objectivity.
Standardized Evaluation: The tiered certification offers a standardized evaluation matrix, enabling a more uniform benchmarking of cybersecurity readiness.
Cons of CMMC's Independent Assessment:
Cost Intensive: The independent assessment could be cost-prohibitive for small contractors.
Potentially Time-Consuming: The process of scheduling and undergoing an independent assessment could be time-consuming, possibly impacting project timelines.
Level of Assurance
The level of assurance in DHS's Cybersecurity Readiness Factor approach largely hinges on the integrity and thoroughness of the self-assessment performed by each contractor. By contrast, CMMC's independent assessment can provide a higher level of assurance because of the objectivity and expertise that C3PAOs bring to the evaluation.
NIST SP 800-171r3
In the draft of NIST SP 800-171r3, control 3.12.5 requires an independent assessment, which could significantly influence the DHS Cybersecurity Readiness Factor if it is adopted in the final version. This control stipulates that organizations should conduct "impartial security assessments." Dr. Ron Ross, one of the NIST SP 800-171r3 authors, clarified that while organizations can demonstrate impartiality in internal assessments, doing so is notably harder for small organizations because of reporting lines and potential conflicts of interest among internal staff. Larger organizations, in contrast, often have an advantage in the form of established internal audit departments with separate lines of reporting and greater independence.
Both frameworks present a structured pathway toward strengthening cybersecurity measures among DHS and DoD contractors. The choice between self-attestation and independent assessment comes down to a trade-off between cost-effectiveness and the level of assurance. Small contractors within the DHS fold should weigh these factors carefully, aligning their cybersecurity strategies with the overarching goal of safeguarding sensitive information while adhering to federal cybersecurity standards.
At Aspire Cyber, we’re here to guide you through these cybersecurity frameworks, ensuring your readiness and compliance with evolving federal cybersecurity requirements. Connect with us today to fortify your cybersecurity posture amidst the changing regulatory landscape.