Cybersecurity is like a game of “telephone” where you whisper a phrase to the next person in line. One mistake in the chain passes to others, changing the outcome. While the slip-ups are fun for a party game, no one is amused by a breach or hack in their extended network. With serious consequences on the line and serious money in government contracts hanging in the balance, U.S. companies are being asked to reconsider the risks in their supply chain.
Is cybersecurity a factor in your partnerships and vendor selections? With new focus from NIST and the Department of Defense (DoD), security may vault to the top of your priority list—even if you don’t hold a government contract. Here’s what you need to know about screening the connections you have and vetting new ones.
The Flow of Risk
While information may flow out from your company to vendors and subcontractors, cybersecurity risk can float up, leaving everyone in the supply chain vulnerable.
Assessing and managing the cybersecurity risk of all partners with whom you share data connections is now recognized as an important part of each company’s own security posture, protecting data and reputation. Bad actors prey on the weakest link, often with the goal of gaining access to a bigger, more lucrative company’s system.
Industry Attention
After years of cyber-attacks, breaches, and viruses, programs across the Federal government are helping secure the country’s critical infrastructure by establishing baseline cybersecurity standards for contractors, but with wide-ranging implications.
When the DoD’s Cybersecurity Maturity Model Certification (CMMC) is finalized this year, all contractors will need proof of their security compliance in order to be awarded contracts. For background: CMMC is based on a set of requirements by the National Institute of Standards and Technology (NIST). NIST continually updates standards, including NIST SP 800-171r3 with new controls for supply chain risk management. DoD contractors, will not be immediately required to comply with the new controls, per a class deviation memo released in early May, yet supply chain security remains an important part of protecting company systems, data and CUI.
Of the more than 33 million U.S. businesses, over 200,000 are under contract with the DoD, providing supplies, parts, manufacturing, and services. As mandates trickle down, thousands of subcontractors, vendors, and suppliers to these companies will need proof of their security compliance, too. And those companies will need to attest to the security of their supply chains, resulting in millions of U.S. businesses needing to provide proof of their cybersecurity—or risk being labeled as unsafe.
The Burden of Proof: Ask, Investigate, Verify
Securing a supply chain requires some form of proof that the company in question is actually secure. Every connection must be verified before it can be given access. Here’s how companies are handling that.
- Legal responsibility: Some companies have adopted a paperwork approach where companies contractually agree to comply with cybersecurity standards and other regulations. This is an easy way to shift responsibility to the vendor should a breach result in financial losses.
- Third-party validation: When finalized, CMMC will be the gold standard for supply chain risk management as the easiest and most thorough way to validate a partner. By requiring companies to go through an audit of their systems and processes, the DoD has proof that minimum standards are being met—and others can trust them, too.
- System Security Plans and other certifications: For those companies not required to be CMMC compliant, requesting and assessing their Systems Security Plan (SSP) or asking to see their certification with ISO, SOC, or other audit-based standards requires more leg work, and often a non-disclosure agreement, to establish trust.
Tough Love: Ruthlessly Vet Your Supply Chain
Companies with long-standing or niche supply chains may be reluctant to cut ties over security. Word on the street says some big companies are helping with technical implementation or covering the costs of remediation and certification for their small business suppliers. Others are using the push for supply chain security to re-compete relationships.
The vetting process, no matter how it’s handled, demands some pointed questions to determine if others align with your mindset and standards. Lots of organizations have published vetting questions that are some variation of:
- How do you protect the data you collect, process, and store?
- What access control measures do you have in place to ensure that only authorized individuals have access to sensitive information?
- Can you show me your incident response plan?
- How do you assess and manage the security of third-party vendors?
- Do you provide regular security training for your employees and background checks on new hires?
- How do you ensure your systems have the latest security patches?
- What physical security measures are in place at your offices and/or data centers?
- Have you experienced any data breaches or security incidents in the past 12 months?
- Do you conduct regular security testing to identify and remediate potential security weaknesses?
- Are you compliant with relevant regulations and standards?
Five years ago, cybersecurity wasn’t a major topic with partners and vendors. Today, the regulatory environment and the need to secure the country’s critical infrastructure have made it an imperative.
Requirements for federal contractors will spread to other U.S. businesses traveling along supply chains. As you consider how far your connections reach, your approach will matter. Will you whisper your cybersecurity standards or shout them out for all to hear?
