The Department of Homeland Security (DHS) unveiled new cybersecurity evaluation metrics it will use to evaluate the cyber defenses of contractors before awarding contracts, the department announced in a notice published to Sam.gov on November 1.
The development of DHS’ Cybersecurity Readiness Factor is part of the department’s continued efforts to implement a holistic approach to its cyber hygiene management program and to engage with and validate industry compliance at an attainable and sustainable level between DHS and industry.
“It is the Department’s intention to ensure that effective and appropriate cybersecurity measures are in place by vendors supporting work where such measures are necessary,” the notice states. “This new evaluation factor will enable DHS to evaluate vendors’ cybersecurity posture pre-award for applicable contracts to inform a best value tradeoff award decision.”
DHS will assign ratings to contractors based on their cyber readiness results from their responses to the department’s “standardized secure assessment instrument questionnaire.” The ratings range from a “high likelihood” of cyber readiness to a “likelihood” of readiness to a “low likelihood.”
In addition, the evaluation factors will be tailored and used for individual solicitations. According to the notice, a company’s rating could either help or hurt its bid.
“[The] Cybersecurity Readiness Factor will only be used for best value tradeoff award decisions for applicable solicitations,” the notice states. “However, solicitation language may require a Plan of Action and Milestones as a post-award deliverable if an awardee’s assessment result does not meet DHS’ expectations of compliance with the applicable clauses upon award.”
The notice does not specify when the new cyber evaluation factors will go into effect. But DHS will accept feedback on the new metrics by November 17.
