The Department of Homeland Security is working on a rule that would allow contractors to evaluate their compliance with cybersecurity requirements through self-assessments instead of implementing a program that relies on third-party assessors, Federal News Network reported Wednesday.
During the fall of 2021, a subset of DHS contractors received a self-assessment questionnaire designed to evaluate their compliance with a 2015 Homeland Security Acquisition Regulation for protecting sensitive data.
Ken Bible, chief information security officer at DHS, said the exercise has led the department to consider implementing the approach on a wider scale.
“We were able to actually take a statistically relevant subset of the contracts using not self-attestation, but a self-survey, and actually use statistical means to say, ‘Did that give us a valid assessment of the maturity of our vendor base?’” Bible said Wednesday at an event. “And we’re gaining more and more confidence that, yeah, it could.”
He said the approach also enabled DHS to identify “outliers,” including some vendors facing difficulty in documenting their compliance with cyber practices.
“And so now we’re looking at what do we do with that with respect to prior to award?” Bible said. “That’s really kind of the real question is, can we take that technique and extend it so that we’re able to not use a self-attestation, but use a self-assessment to gauge the cyber maturity of a vendor and make that a criteria by which we would select for an award.”