Dear Industry Partners,

On behalf of Department of Homeland Security (DHS) Chief Information Officer (CIO) Hysen and Chief Procurement Officer (CPO) Courtney, we are providing an update on the Department’s continued efforts to implement a cyber hygiene management program. As you are aware, in 2015 the Department of Homeland Security (DHS) incorporated a cyber hygiene clause known as Homeland Security Acquisition Regulation (HSAR) Class Deviation 15-01, Safeguarding Sensitive Information into its applicable contracts. This cyber hygiene clause mandates contractor compliance with DHS sensitive systems information protection standards and security requirements. The Department’s end goal is to develop a means of ensuring each contractor has appropriate cybersecurity and cyber hygiene practices in place.

Leveraging the results of the Department’s FY 2022 Cyber Hygiene Pathfinder Assessment, DHS has established an evolved FY 2023 Cyber Hygiene Assessment (CHA) instrument to gauge the cybersecurity posture of existing DHS contractors, where the HSAR Class Deviation 15-01, Safeguarding Sensitive Information clause is applicable. The Department will utilize the information collected from this assessment as a critical first input to its larger cyber hygiene management program.  

In the coming weeks, DHS will proceed with the next phase of the cyber hygiene management program by requiring completion of the CHA Instrument by its applicable contractor population with one or more contracts or orders incorporating the HSAR Class Deviation 15-01, Safeguarding Sensitive Information clause. Contractors meeting these criteria will be contacted directly by our team with further information and next steps.

We look forward to continuing to collaborate with you on this matter. Thank you for all you do to support our missions and protect the Homeland.

Sincerely,

Kenneth Bible

Chief Information Security Officer

Sarah Todd

Executive Director of Acquisition Policy & Legislation