Supply Chain Risk Management and CMMC

At Verify, our perspective on the challenges of the A&D supply chain is multifaceted. From new product introduction (NPI) to delivery assurance, Verify’s solutions reach thousands of suppliers each year, from Tier 1 down through the chain. A significant and rapidly emerging challenge, as outlined in our 2018 White Paper, is cyber security and compliance.
Every day there are new stories of hacking, hijacking, and ransomware. The situations range from lower-tier suppliers being infiltrated unknowingly to full data theft from some of the world’s largest and most advanced tech companies. The threat is real, from the grass roots of small businesses to multinational enterprises, across all market sectors.
Required cybersecurity is called out in U.S. Department of Defense (DoD) contractual flow down, through the OEMs, into Tier 1, and beyond. What we have seen is a landscape with no clear linear direction. Self-attestation and limited visibility leave many suppliers in the DoD industrial base wondering: where do we (and our supply chain) really stand, and will we have the resources to be compliant? What is my liability? What happens if we do not become compliant?
Controlled Unclassified Information (CUI) is the non-public, yet not classified, information that flows throughout the DoD supply chain. In order to provide greater protection of this data, the DoD instituted Defense Federal Acquisition Regulation Supplement (DFARS) clause 252.204-7012. This requires any recipient or creator of CUI to meet certain requirements to protect it. Among the requirements are 110 security controls called out in NIST Special Publication 800-171.
Currently, prime contractors assume responsibility for flowing these same requirements down to all levels of the supply chain that have access to CUI. However, there is contention over whether primes can or should be monitoring the actual status of their supply chain, with many arguing that if they know the truth they would be liable for correcting it. As recent news has shown, failing to meet these requirements while saying that you do is essentially defrauding the government – not a position anyone wants to find themselves in.
So if it starts with DoD and governmental flow down, is there clarity at the government level? There is DFARS, there is NIST, and now there is the recently released CMMC, the Cybersecurity Maturity Model Certification.
What is CMMC?
The DoD, along with several other organizations, has been working to develop a unified cybersecurity standard for all DoD acquisitions. The result is CMMC.
The CMMC program will be used as a verification process to assess the maturity of an organization’s cybersecurity practices and processes. Once implemented, offerors, and their supply chain, will be required to hold a CMMC certification at a specified level or higher to be eligible for award on DoD solicitations. Controls must be adequate and in place to protect controlled unclassified information (CUI) that resides on the networks of the DoD’s industry partners. The first revision was released in January 2020 and is to be followed by RFIs in early summer 2020 and RFPs starting in the fall of 2020.
A consolidation for cybersecurity flow down is a good thing; however, does the Defense Industrial Base (DIB) and its partners consistently understand what they are signing up for?
OEMs faced with that potent declaration are now taking on a nearly insurmountable task… to eliminate risk.
I recently interviewed our VP of Technology & Compliance, Kris Carter, for more insight on this:
Hank: Hi Kris, I know you have been working closely with various stakeholders across the A&D supply chain to understand the magnitude of CMMC and what it will mean to Verify and the supply chain. Could you give me a snapshot of that scope?
Kris: Sure, the working estimate for the number of organizations requiring CMMC certifications is somewhere around 300,000. Of these, a very high percentage are companies in the micro-, small-, and mid-size range, likely requiring the lower levels of the certification.
Hank: 300K?
Kris: Yes, and these organizations will need to be assessed by a credentialed independent assessor under the oversight of the CMMC accreditation body.
Hank: What was the impetus for the DoD to implement CMMC?
Kris: At the heart of this is that we continue to bleed out our nation’s secrets and our industry’s intellectual property at an alarming rate – current measures just aren’t working. Our adversaries and foreign commercial enterprises are taking these and undermining our own industrial progress, or worse, using them for nefarious purposes up to and including directly against our war-fighters.
Their hypothesis is that they can address the “broken” pieces in existing cybersecurity requirements that did not include an enforcement element. Where an organization was previously able to conduct a gap analysis and create a remediation plan over an undetermined time period, now we will be required to complete the remediation plan prior to being awarded DoD-related business.
However, this government initiative is only highlighting a portion of the larger picture, which I believe is the real concern.
Hank: How so?
Kris: Well, a lot of what the CMMC initiative is addressing has largely been a part of “Contract Terms & Conditions” for years. We’re actually talking about one element of contract compliance. When organizations win business and then receive purchase orders, those incumbents are asked to do what? Sign the purchase order, which directly or indirectly requires that they accept the Ts & Cs embedded or referenced therein. Cyber controls have been a part of those Ts & Cs for some time now, and yes, they are continuously evolving.
Prior to CMMC, what we witnessed was essentially organizations pushing the liability for cybersecurity down the supply chain, head in the sand so to speak and frequently trying to keep responsibility at arm’s length. The government is no longer willing to accept “compliance” as that transfer of liability from the Primes and upper tiers – so CMMC has become the line in the aforementioned sand. To give credit to others in the DoD, there have been some measures put in place to help address the same challenge, but CMMC is meant to squash it entirely.
Hank: Sounds to me like compliance could be an underlying driver.
Kris: Absolutely, and acknowledging that not all tiers of the supply chain will have the same risk related to what they have access to, there will be varying degrees of cyber maturity included in CMMC. But whichever tier or maturity level that we’re talking about, it’s how we manage the continuing compliance of those suppliers.
One concern that we’re talking to our customers about is how cybersecurity compliance can be complex and intimidating, but it doesn’t mean that supply chain leadership should just roll over and hand it over to the technical folks. Instead, address it the way we do any element of a contract or new flow down element: through Program Management. Instead of being fearful of the cybersecurity element, treat it like a new quality standard or an update to existing clauses.
What we really find interesting is that this all relates to an overarching problem that has been a struggle for supply chains for years… Supply Chain Illumination.
Hank: What is Supply Chain Illumination?
Kris: “Illumination” seems to be a bit of a buzzword right now and can be stated other ways, like the “digital thread” or just simply visibility into what is going on in the supply chain down through the tiers. It has always been there, below the surface; we are just looking to bring it forward and illuminate it. Once you have visibility, you can start attaching other types of information for robust analysis.
The analysis of the now illuminated supply chain then allows you to expose and manage the varying types of risk that can occur in real-time. This was really the promise of Supply Chain Risk Management (SCRM) that has been hampered due to lack of visibility.
Hank: Speaking of visibility… earlier you mentioned that CMMC was only a portion of the larger picture, is the supply chain illumination just that?
Kris: No actually, illumination is just a necessary element to start enabling our truly assessing and managing the respective supply chain (or as we often say, the “supply web” because of the interconnectivity). What we see as the larger picture is the government and other customers looking into all elements of contract performance. Cybersecurity is the current hot topic, but there are some other quite important and tricky elements found in flow down requirements.
What I’d want you to take away in this regard is what I touched on earlier, that this remains a supply chain and program management challenge and not one that we get caught up in only being a cyber or technology challenge. If we limit our efforts to cybersecurity flow down via CMMC or other requirement, we miss out on a great opportunity to address the bigger topic while developing better performing and more resilient supply chains.
Hank: Yeah, good point on the greater supply chain opportunity. Where does this leave us with CMMC?
Kris: Based on the progress to date, CMMC is going to happen at a pace like we’ve never seen. The timelines involved are aggressive and you’ve got participation by a whole host of industry players. This doesn’t say that there won’t be bumps in the road and doesn’t reduce the many implementation challenges. Many would say that we have more questions than answers at this point.
But if nothing else, what will be required to implement CMMC will provide industry with an opportunity for so much more… to re-imagine how supplier performance management might work and redraw some of the long-standing assumptions and working models. We think this will start with compliance assurance but ultimately lead to the reduction of total risk in the supply chain.
Hank: Kris, thanks for that terrific insight and explanation. It appears that we have a lot of work to do.
Verify, Inc. is a Supplier Performance Management company.
Hank Hagedoorn is Director, Business Development & Marketing for Verify, Inc.
Kris Carter is VP, Technology & Compliance for Verify, Inc.