The U.S. Department of Homeland Security (DHS) on Nov. 1, 2023, announced that cybersecurity readiness would be used as an evaluation factor for contracts involving the use of Controlled Unclassified Information (CUI). This follows a significant DHS rulemaking from earlier this year requiring certain DHS contractors with CUI or operating DHS information systems to be compliant with extensive cybersecurity controls and reporting requirements. DHS did not state when the policy would be effective but is inviting comments until Nov. 17, 2023, via an email address identified in the notice on sam.gov.
DHS plans to include the policy, known as the Cybersecurity Readiness Factor, in procurements evaluated on a best-value basis and to divide contractors into three buckets:
- High Likelihood of Cybersecurity Readiness (for contractors above the mean of the DHS contractor population handling CUI data, that is, above the 53rd percentile)
- Likelihood of Cybersecurity Readiness (for contractors between the 15th and 53rd percentile compared to other DHS contractors handling CUI data)
- Low Likelihood of Cybersecurity Readiness (for contractors below the 15th percentile of DHS contractors handling CUI data)
Read the rest of the story from JD Supra here.