DHS PLANNING ON SELF-CERTS FOR CYBER COMPLIANCE

While the Department of Defense is ramping up a program that would require most companies handling Controlled Unclassified Information (CUI) to obtain third-party verification of their cybersecurity procedures, the Department of Homeland Security is taking a different path. DHS is poised to issue a final rule in September that would allow contractors to conduct self-assessments of their cybersecurity procedures and protocols to ensure that they meet NIST 800-171 security standards. A self-assessment is not the same as self-certifying. DHS will expect companies to show proof that they have conducted reviews and recorded their findings. The agency examined this approach for over a year and is confident that most contractors will be able to accurately assess and attest to their ability to meet the applicable standards. The exercise identified “outliers,” with some companies struggling to document their compliance with security practices. DHS CIO Ken Bible, the leader of the program, stated, “And so now we’re looking at what do we do with that with respect to prior to award?” Presumably this means that contracting officers may be empowered to exclude companies covered by the CUI rule that either have not conducted a self-assessment, or that did but were not able to show adequate cyber safeguards. Bible added, “What I like about what we’re doing is that I’m not only going to get that snapshot in advance of an award, but I’ll be looking at it throughout the contract, which is pretty powerful.” To be clear, contractors that handle CUI in the course of doing business with DHS will have to show NIST 800-171 compliance, just as they will when selling to DOD. The difference is that DHS will not require a third-party certification, while DOD may for most companies.