By Chor-Ching Fan and David Trout

DHS Introduces New Cybersecurity Readiness Evaluation Factor (CRF Scoring)

In a recent development that could significantly impact small and medium-sized businesses (SMBs) with federal contracts, the Department of Homeland Security (DHS) is shifting gears away from the anticipated adoption of the Cybersecurity Maturity Model Certification (CMMC). Instead, they are introducing an approach called the “Cybersecurity Readiness Evaluation Factor” (CRF) to assess contractors’ cybersecurity posture.

Many in the industry had been expecting DHS to align with the CMMC framework, but the agency has unveiled its distinctive evaluation method. The CRF, based on a questionnaire-driven model, aims to evaluate a vendor’s cybersecurity readiness pre-award for contracts. This shift indicates a departure from the third-party assessment-centric approach of CMMC toward a more streamlined assessment based on National Institute of Standards and Technology (NIST) controls related to safeguarding Controlled Unclassified Information (CUI).

Understanding the CRF Evaluation Process

DHS will utilize a scoring calculus derived from the responses to a standardized secure assessment questionnaire. The questionnaire will enable DHS to consider how well an offeror is prepared to protect CUI on nonfederal information systems by assessing its implementation of the NIST security requirements in compliance with the HSAR 3052.204-72, Safeguarding of Controlled Unclassified Information, clause.[1]

The assessment includes a distribution of basic, derived, and enhanced security requirements from each of the 14 security requirement families. The assessment items for the basic and derived questions are drawn from NIST SP 800-171r2, and the enhanced questions are drawn from NIST SP 800-172 security functions.[2]

Contractors will be graded on their cyber readiness, ranging from “high likelihood of cyber readiness” to “likelihood of cyber readiness” to “low likelihood of cyber readiness.” 

Impact on Contract Awards

The cybersecurity rating attained by a company could influence its bid success. The CRF will play a pivotal role in best value tradeoff award decisions for applicable solicitations, emphasizing the importance of meeting cybersecurity expectations. Depending on its CRF rating, a contractor may be required to submit a Plan of Action and Milestones (POA&M) post award if its assessment result does not meet DHS expectations of cybersecurity compliance readiness for the contract.

Departure from CMMC and Emphasis on Agility

Unlike the CMMC’s requirement for third-party assessments, DHS aims to implement the CRF swiftly without extensive rulemaking. This agile approach contrasts with the DoD’s ongoing rulemaking process for CMMC and allows DHS to proactively evaluate cybersecurity standards ahead of contract awards. DHS Chief Information Security Officer Kenneth Bible emphasized in the November announcement that CMMC was not workable for the DHS industrial base, which includes many SMBs; the cost and time investments required by a third-party assessment model were too prohibitive.

Next Steps for Contractors 

In essence, DHS’ decision to move away from CMMC in favor of the CRF signifies a strategic pivot towards a more tailored, questionnaire-driven approach for assessing cybersecurity readiness among federal contractors. This transition underscores the importance of staying updated on evolving cybersecurity standards and aligning business practices accordingly.

As DHS continues to refine and implement the CRF scoring assessment, contractors, especially SMBs, should closely monitor updates and proactively adapt their cybersecurity measures to align with the evolving evaluation criteria.

This shift emphasizes the government’s commitment to raising cybersecurity standards across the industry base while offering a more flexible and potentially less resource-intensive approach for SMBs navigating federal contracts.

Rizkly: Your Partner for DHS CRF Evaluation Success 

As DHS transitions away from CMMC towards a questionnaire-based evaluation approach, leveraging Rizkly’s tailored GCaaS solution empowers SMB contractors to streamline compliance efforts. Rizkly was designed with SMBs in mind. Our commitment to simplifying compliance efforts and costs aligns seamlessly with the government’s objective of elevating cybersecurity standards across industries while offering a flexible and resource-efficient pathway for SMBs navigating federal contracts. Rizkly offers a service that combines CRF compliance readiness software with certified NIST cybersecurity experts who answer your questions and help you prepare for CRF scoring and assessment. Rizkly is focused on helping SMBs effectively and efficiently achieve CRF compliance success so you can focus on what you do best—running your business. Contact us to learn more.

[1] Attachment 1 Cybersecurity Readiness Factor Notice November 2023.pdf