How to Use CMMC to Improve your Supply Chain Risk Management Strategy
Guest author: Katie Arrington, Former Chief Information Security Officer for Acquisition and Sustainment at the US Department of Defense (DOD)
Published on 22nd March 2023
According to Microsoft’s Digital Defense Report 2022, the share of nation-state attacks that targeted critical infrastructure doubled from 20% to 40% between July 2021 and June 2022. State-sponsored cyber attacks are now one of the single biggest threats to organizations and their supply chain networks. What’s the reason for this? Microsoft suggests the war between Russia and Ukraine was the turning point, with Iran, North Korea, China and Russia all increasing activity since it broke out.
As a result, we’re in the middle of a cyber revolution where the main threat is no longer a teenager in their bedroom. It’s organized groups with state backing who steal sensitive information and extort organizations to support their cause. In 2023, the global cost of cybercrime, including cyber espionage and ransomware, is estimated to exceed $8 trillion. Needless to say, it’s big business, and if your organization isn’t secure, you’re a prime target.
Are organizations doing enough to protect themselves and mitigate risk? In the U.S., the Cybersecurity Maturity Model Certification (CMMC) should be the blueprint for strengthening your Supply Chain Risk Management (SCRM) strategy. Let’s examine why.
If your organization isn’t cyber secure, you won’t be in business very long – it’s that simple
What is Cybersecurity Maturity Model Certification?
CMMC is an assessment framework and assessor certification program developed by the U.S. Department of Defense (DOD) that applies to Defense Industrial Base (DIB) contractors. It was devised as a unifying standard and certification model to ensure all DOD contractors properly protect sensitive information.
CMMC was introduced because there was no formal way for defense contractors to prove how strong their cybersecurity programs were: under DFARS 252.204-7012, contractors self-attested to the NIST SP 800-171 controls with no independent verification. Controlled Unclassified Information (CUI) is the non-public, but not classified, information that flows throughout the DOD’s supply chain, and CMMC was devised to safeguard it. Under CMMC 2.0, Level 1 and some Level 2 contracts allow an annual self-assessment, while other Level 2 assessments are performed by certified third-party assessment organizations (C3PAOs) and Level 3 assessments by government assessors. Contractors must hold the required assessment or certification before they can win or work on DOD contracts that carry the CMMC clause.
What’s the need for CMMC? DIB contractors use, handle and hold sensitive government data on a daily basis. That data helps to develop and deliver goods and services that are central to national security. CMMC requires contractors to demonstrate that they have the technology and processes in place to keep that information as secure as military departments and government agencies do.
CMMC immediately improves processes. It enhances the security of sensitive information and maximizes cyber resilience
How does CMMC impact Supply Chain Risk Management?
Supply chain risks have long been a concern for global enterprises. However, the threat of targeted nation-state attacks means organizations must make sure that their third-party suppliers have stringent cybersecurity policies in place. Ensuring an SCRM strategy is up to scratch is more important than ever.
For example, the DOD’s supply chain network is vast. More than 300,000 organizations in the DIB became subject to CMMC when version 1.0 was published in January 2020. Each of them must meet a certain CMMC level, determined by the sensitivity of the information it handles under a given contract, in order to be eligible to work on that contract.
You may be thinking, surely only the prime contractor needs to comply with CMMC? That is not the case. The requirement flows down: every subcontractor and supplier in the network that handles Federal Contract Information or CUI on a covered contract must meet the CMMC level appropriate to that information.
With such huge resources available to state-sponsored attackers, they have the ability to target even the smallest organizations within the supply chain. An attacker needs only one compromised supplier as an entry point to pivot toward the prime contractor, disrupt a broader network, or obtain sensitive information that could be used for extortion.
In an era where data is at the heart of every organization, and threats exist on a global scale, it’s time we started treating all our information as if it were CUI. If suppliers in every sector were required to reach a certain level of certification before being able to handle critical data, it would significantly strengthen any SCRM strategy.
Enterprises that don’t protect their data are leaving themselves exposed to the threat of nation-state attacks
How to strengthen your organization’s SCRM Strategy
Given the escalation in risk, and the fact that CMMC is specific to DOD suppliers, what can your organization do to strengthen its Supply Chain Risk Management strategy? If you want to ensure potential risks are identified, understood and appropriately managed, follow these steps:
Assess current risk – The starting point for any strategy. Map your current supplier network, identify which suppliers and dependencies carry the highest risk, and rank them.
Treat suppliers as partners – Work with your network to understand the risks of each working relationship and how to mitigate them. Transparency is key.
Expand your supplier network – Avoid becoming reliant on a small group of suppliers. Prioritize your core group and identify where alternative sources are needed.
Detailed reporting and analytics – Data is essential, but it’s about quality not quantity. The better your data on each supplier’s controls, assessments and incidents, the easier it is to understand and prioritize risk.
Review your strategy regularly – Don’t assume your strategy works indefinitely. Revisit processes on a regular basis and update them to reflect your organization’s growth and changes in the threat landscape.
Identify risks and implement a plan to resolve them. Don’t stand still, evolve with time and technology
As attackers cast the net wider in finding potential targets, organizations need to prioritize their SCRM strategy. Understand who you’re working with, the risks involved, and how to mitigate them. The threat landscape is vast, and the attackers behind it have resources on a scale we’ve not seen before. Using CMMC as a blueprint for Supply Chain Risk Management could be the answer to establishing a new baseline for supplier security.
To hear more from Katie on Cybersecurity Maturity Model Certification and Supply Chain Risk Management listen to this episode of our Capability-Centric GRC & Cyber Security Podcast.