The Department of Homeland Security plans to release a self-assessment questionnaire to a subset of vendors as it evaluates its overall cyber-hygiene risk, according to Chief Information Officer Eric Hysen.
A representative sample of vendors with Homeland Security Acquisition Regulation (HSAR) Class Deviation 15-01 in one or more of their contracts will receive the questionnaire “in the coming days,” Hysen writes, in a notice posted to SAM.gov Wednesday. HSAR Class Deviation 15-01 increases contractor IT system security requirements and responsibilities responding to sensitive information incidents, in contracts and solicitations with a high risk of unauthorized access or disclosure of that information.
DHS began incorporating cyber-hygiene clauses, requiring contractor compliance with standards and protections, into contracts and agreements in 2015, and it wants to determine if they’re adversely affecting its small industry base — as part of its effort to assess overall compliance.
“By releasing this questionnaire to our vendors, we expect to establish a statistically viable assessment of overall cyber hygiene risk across DHS that will guide continued work towards an improved cyber posture and will aid in establishing the focus of future program development, including government-led assessments,” reads the notice.
The results will also help DHS mature its Cyber-Supply Chain Risk Management (C-SCRM) program, the posting adds.
Hysen issued the notice along with DHS Chief Procurement Officer Paul Courtney.
“Our end goal remains to have a means of ensuring a contractor has key cybersecurity and cyber hygiene practices in place as a condition for contract award,” reads the posting.