Have questions about the Cyber Hygiene Assessment? Check the Frequently Asked Questions below and see if your questions have already been answered.
As the world continues to evolve, and in the wake of increasing cyberattacks, the DHS is taking critical measures to ensure our data and systems are protected. These measures include ensuring the vendors that access, manage, and oversee our data and systems are held accountable to meeting the Cyber Hygiene standards that are resident within DHS contracts. The Cyber Hygiene Assessment is intended to collect cyber maturity and readiness data from DHS contractors across the Department and its components whose contracts or orders include the Homeland Security Acquisition Regulation (HSAR) Class Deviation 15-01, Safeguarding Sensitive Information clause, to gauge their overall cyber security maturity. The Cyber Hygiene Assessment Program’s goal is to ensure the DHS vendor community implements a comprehensive cybersecurity framework to protect DHS sensitive information from increasingly frequent and complex cyberattacks.
The Cyber Hygiene Assessment Program’s goal is to ensure that DHS vendors have implemented the required cybersecurity framework, in alignment with NIST guidance, to protect DHS sensitive information and critical services from increasingly frequent and complex cyberattacks.
Assessment responses via the Cyber Hygiene Assessment portal are due by the date indicated in the official communications provided by the Cyber Hygiene Assessment team.
DHS will leverage the results of the FY 23 Cyber Hygiene Assessment to determine the future cadence of the effort.
Please submit your responses to the Cyber Hygiene Assessment via the portal link provided by email to your organization's Certifying Senior Official.
A copy of the Cyber Hygiene Instrument Questions.pdf was provided via email for convenience only. No responses outside of the Cyber Hygiene Assessment portal will be accepted.
No, submissions via the Cyber Hygiene Assessment portal must be completed and submitted in a single session. There is no function to save your progress and return later.
DHS has provided a Cyber Hygiene Assessment Questions.pdf file to help your organization consolidate your answers in preparation of your official submission via the Cyber Hygiene Assessment portal.
The Cyber Hygiene Assessment Verification Code will be provided to your organization’s Certifying Senior Official via email.
Submissions made without a valid Cyber Hygiene Assessment Verification Code will not be accepted.
Please ensure the Cyber Hygiene Assessment Verification Code is entered correctly when submitting your Cyber Hygiene Assessment response via the portal.
The individual responses and results for this assessment will be for internal DHS use and will not be made available to vendors or the public.
Organizations will not have access to their responses after submission.
To keep track of your Cyber Hygiene Assessment response, DHS has provided a Cyber Hygiene Assessment Questions.pdf file to help your organization consolidate your answers in preparation of your official submission via the Cyber Hygiene Assessment portal.
Yes, DHS will execute its established methodology for validation and verification of all Cyber Hygiene Assessment responses.
If your organization submits multiple responses via the Cyber Hygiene Assessment portal, the last received response with a valid Cyber Hygiene Assessment Verification Code will be accepted as your organization’s official response to the Cyber Hygiene Assessment and will be used during the analysis of your response.
All assessment response information will be captured within the Cyber Hygiene Assessment portal. Individual vendor responses will not be made publicly available.
Vendors identified to complete the Cyber Hygiene Assessment have existing DHS contracts, including orders, where the HSAR Class Deviation 15-01, Safeguarding Sensitive Information clause is applicable.
Yes, the assessment is mandatory to complete for all identified vendors, per the DHS HSAR Class Deviation 15-01, Safeguarding Sensitive Information contract clause.
Only organizations with an active contract(s)/order(s) that include the HSAR Class Deviation 15-01, Safeguarding Sensitive Information clause are required to complete the Cyber Hygiene Assessment. If you believe your contract/order has ended, notify the Cyber Hygiene Assessment Team at dhs-industry-cha@hq.dhs.gov, identifying the contract/order number and the contact information of the responsible Contracting Officer.
If your organization has received multiple requests, your organization may have several DHS contracts or orders identified with different Unique Entity Identifiers (UEI). You must provide a separate response based on each UEI. The expectation is to receive one response per UEI.
No, subcontractors do not need to provide a response to the Cyber Hygiene Assessment. The Cyber Hygiene Assessment is directed to the DHS prime contractors. All Cyber Hygiene Assessment responses are required to be provided by the prime contractor based on their Unique Entity Identifier (UEI).
If you received an email directly from DHS officials (the DHS Industry Cyber Hygiene Assessment mailbox) informing you that your organization was identified to complete the Cyber Hygiene Assessment and inquiring about the Certifying Senior Official's name, that means your organization was identified as a prime contractor with an active DHS or DHS component contract(s)/order(s).
This information is being collected consistent with the terms of one or more contracts or orders each vendor has with DHS per the HSAR Class Deviation 15-01, Safeguarding Sensitive Information contract clause. Providing the information is a requirement; contractual remedies are available to contracting officers for vendors that do not comply with the requirement.
Where a response is not provided, DHS may take necessary action in accordance with applicable award terms and/or conditions. Failure to respond to this requirement in a timely manner will, at a minimum, be recorded in the applicable Contractor Performance Assessment Reporting System (CPARS) report; further steps will also be considered.
DHS will track Cyber Hygiene Assessment responses submitted via the Cyber Hygiene Assessment portal against the organization’s Unique Entity Identifier (UEI) number and the provided Cyber Hygiene Assessment Verification Code.
No responses outside of the Cyber Hygiene Assessment portal will be accepted.
The collected data will be used to evaluate cybersecurity maturity levels of the DHS vendors. This data, received from the vendor community, will feed into the development of future procurement cybersecurity guidance and requirements.
The Cyber Hygiene Assessment questions were developed based on NIST SP 800-171 Rev.2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations and NIST SP 800-172: Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171.
NIST SP 800-171 Rev.2: Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations. SP 800-171 Rev. 2, Protecting CUI in Nonfederal Systems and Organizations | CSRC (nist.gov)
NIST SP 800-171A: Assessing Security Requirements for Controlled Unclassified Information. SP 800-171A, Assessing Security Requirements for CUI | CSRC (nist.gov)
NIST SP 800-172: Enhanced Security Requirements for Protecting Controlled Unclassified Information: A Supplement to NIST Special Publication 800-171. SP 800-172, Enhanced Security Requirements for Protecting CUI | CSRC (nist.gov)
NIST SP 800-172A: Assessing Enhanced Security Requirements for Controlled Unclassified Information. SP 800-172A, Assessing Enhanced Security Requirements for CUI | CSRC (nist.gov)
Yes, responses to all Cyber Hygiene Assessment Questions are mandatory. Please provide answers to the best of your ability.
Yes, your organization is still required to provide a response to the Cyber Hygiene Assessment. Your organization may utilize information and results from previous cyber maturity assessments to assist in completing the Cyber Hygiene Assessment.
Yes, your organization is still required to provide a response to the Cyber Hygiene Assessment since your contract or order with DHS or DHS components contains the HSAR Class Deviation 15-01, Safeguarding Sensitive Information contract clause.
Where assessment response information provided represents a potential significant gap of existing security requirements and/or terms and conditions, DHS will communicate with that particular contractor and share its findings. If the contractor is unable to address existing concerns, DHS may take necessary action in accordance with such award terms and/or conditions. However, lack of DHS communication post-assessment does not change requirements of your contract or order.
The assessment will provide information that allows DHS to assess our vendors’ corporate cybersecurity posture, based on reported responses and DHS analysis. DHS will use this information to set a baseline to track cyber maturity growth of our vendors over time, through future assessments consistent with HSAR Class Deviation 15-01, Safeguarding Sensitive Information.
DHS will not disclose under the Freedom of Information Act (FOIA) any information provided by the contractor under this request that is exempt from disclosure, including: Exemption (b)(3), matters specifically exempt from disclosure by statute, including performance information that is source selection information for future award decisions pursuant to the Procurement Integrity Act, 41 U.S.C. §§ 2101-2107; Exemption (b)(4), trade secrets and commercial or financial information that is privileged or confidential; and Exemption (b)(7)(A) (F), records or information compiled for law enforcement purposes.
Collected data and assessment results will be anonymized if used to support DHS trending analysis. Any data or assessment results used in trending status reports will be non-attributable to the contractor.
If DHS receives a FOIA request for information provided by the contractor under this request, DHS will provide the contractor with prompt written notice, unless it is readily determined by DHS that the information should not be disclosed or, on the other hand, that the information lawfully has been published or otherwise made available to the public. DHS will afford the contractor a period of at least 10 days in which to object to the disclosure of any specified portion of the information and to state fully all grounds upon which disclosure is opposed. DHS will consider all such specified grounds for nondisclosure prior to making an administrative determination of the issue and, in all instances in which the determination is to disclose, provide the contractor with a detailed statement of the reasons for which its disclosure objections are not sustained. DHS will provide the contractor with written notice of any final administrative disclosure determination not less than 10 days prior to a specified disclosure, in order that the matter may be considered for possible judicial intervention. DHS will notify the contractor promptly of all instances in which requesters have brought suit seeking to compel disclosure of information provided by the contractor under this request.