Department of Homeland Security Using Cybersecurity Readiness as an Evaluation Factor
The U.S. Department of Homeland Security (DHS) on Nov. 1, 2023, announced that cybersecurity readiness would be used as an evaluation factor for contracts involving the use of Controlled Unclassified Information (CUI). This follows a significant DHS rulemaking from earlier this year requiring certain DHS contractors with CUI or operating DHS information systems to be compliant with extensive cybersecurity controls and reporting requirements. DHS did not state when the policy would be effective but is inviting comments until Nov. 17, 2023, via an email address identified in the notice on sam.gov.
DHS plans to include the policy, known as the Cybersecurity Readiness Factor, in procurements evaluated on a best-value basis and divide contractors into three buckets:
- High Likelihood of Cybersecurity Readiness (for contractors above the mean of the DHS contractor population handling CUI data (above the 53rd percentile))
- Likelihood of Cybersecurity Readiness (for contractors between the 15th and 53rd percentile compared to other DHS contractors handling CUI data)
- Low Likelihood of Cybersecurity Readiness (for contractors below the 15th percentile of DHS contractors handling CUI data)
Readiness will be graded against cybersecurity standards developed by the National Institute of Standards and Technology (NIST), specifically NIST Special Publication (SP) 800-171 revision 2 and NIST SP 800-172. Note that NIST is currently developing the third revision for NIST 800-171. Contractors submitting offers will be required to submit responses to DHS via a secure assessment instrument questionnaire against a model developed by DHS, and the rating assigned will be based on how many and the type of cybersecurity requirements a contractor has fully or partially fulfilled. Though there is no third-party verification, contractors should be wary of providing incorrect information because DHS may argue that compliance with these controls is material to trigger False Claims Act implications. Also, the latest draft of the forthcoming NIST SP 800-171 standard includes a third-party verification requirement (as of now).
Notably, even contractors that have a low likelihood of cybersecurity readiness will not necessarily be eliminated from the competition but will, presumably, have a more difficult time being successful after a best-value evaluation. How the evaluation factor is drafted will be specific to each contract, and different weights may be placed on it depending on the nature of the contract and the information involved. Further, contractors that do not meet DHS' cybersecurity compliance expectations may be required to fulfill plans of action and milestones as a post-award deliverable.
When this rolls out, contractors should study the solicitations with a cybersecurity readiness evaluation factor carefully to ensure the evaluation factor and weights assigned are clear. If not, contractors should consider interfacing with DHS, as permitted, or filing a pre-award bid protest. This is also more incentive for contractors to ensure compliance with various (and, in some cases, divergent) cybersecurity standards. For its part, DHS also requires contractors with CUI to comply with additional security controls outlines on its website. Finally, contractors evaluated under this factor should seek a debriefing, if possible, to ensure the cybersecurity evaluation was consistent with the contractor's understanding of its own readiness.
Holland & Knight's Government Contracts Group will continue to monitor this for further updates. This will also be the subject of a future episode of Holland & Knight's government contracting cybersecurity podcast, Regulatory Phishing, available on Apple Podcasts, Spotify and Amazon Podcasts.