The U.S. Department of Homeland Security (DHS) has recently announced a new policy that will use cybersecurity readiness as a metric in evaluating contracts that involve the use of Controlled Unclassified Information (CUI). This policy was announced on November 1, 2023, signaling a significant shift in the way that DHS evaluates the potential contractors it engages with.
Earlier in the year, the DHS had already put into effect a significant rule requiring certain contractors dealing with CUI or operating DHS-specific information systems to be fully compliant with comprehensive cybersecurity controls and reporting mandates. This rule illustrates the DHS’s emphatic stance on ensuring the highest level of data protection possible.
However, the Department has not yet stated the exact date when the aforementioned policy will come into effect. This absence of a specific timeline for implementation leaves some level of uncertainty for current and future contractors, who now must prioritize ensuring their cybersecurity measures are up to the standards expected by the DHS.
Given that data breaches pose serious financial and reputational risks for both the involved organizations and the compromised individuals, this policy reinforces the pivotal importance of cybersecurity. It also places the responsibility directly on the contractors, who must now demonstrate their capabilities to protect sensitive data efficiently.
For more detailed information on this new policy, please refer to the original article published by Holland & Knight LLP on JD Supra.