As cybercrime has escalated, cyber-conscious organizations have concentrated their efforts on securing themselves against it. With the primary target now presenting a more robust security posture, threat actors have turned more and more to the weaker links in the chain, most notably the supply chain.
So, what is the supply chain?
In simple terms, the supply chain is the process of converting raw materials or component parts through to a finished product or service being provided to a consumer. This includes the organizations, people, technology, activities, information, and resources involved in any part of the process.
Today, in large part due to technology innovations, supply chains are quite complex and include interdependence and connections between organizations that manufacture or produce goods or products and their suppliers, distributors, and business partners.
While the interdependencies and connectivity of multiple organizations have many benefits, such as reduced costs, increased revenue, and expanded opportunities, the presence of multiple entities within the supply chain comes with an inherent level of risk.
In some cases, network connectivity or trust relationships between a supplier and an organization can mean that when one is compromised the other may be compromised as well. In other cases, the supplier may hold some of the organization’s sensitive data, so a breach at the supplier is effectively a breach of the organization.
It has been standard practice for many years to include security commitments in agreements with suppliers and service providers. In recent years, the focus has shifted to asking a supplier or service provider to attest, through a security questionnaire, that it has implemented the security practices that are important to the organization. A questionnaire is self-attestation, however: no one independently verifies the answers. Despite that self-attestation, cyber risk continues to be a problem for many organizations, and independent assessment of that risk in the supply chain is becoming more and more prominent.
It seems inevitable that the audit and certification world would turn its sights to the supply chain as well. There have long been many options for evaluating and reporting on control environments and security in relationships with service providers. Those options, which include audits and certifications such as ISO/IEC 27001, HITRUST, assessments against NIST frameworks, and SOC 2, can also apply to suppliers. We are going to explore a couple of the newer audit and reporting options available to suppliers – SOC for Supply Chain, from the AICPA, and the Cybersecurity Maturity Model Certification being introduced by the Department of Defense.
SOC for Supply Chain
In March 2020, the AICPA launched a new risk reporting framework, SOC for Supply Chain – Reporting on an Examination of Controls Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy in a Production, Manufacturing, or Distribution System. This is the latest offering in the AICPA’s System and Organization Controls (SOC) suite. (See more about SOC offerings here: https://www.lbmc.com/services/security-risk/it-assurance/soc/.) The new SOC for Supply Chain framework is designed to help organizations identify, assess, and address supply chain risks. Examples of the risks in scope include:
- Products may be provided that do not meet defined product performance specifications.
- Delivery and quality commitment requirements may not be met.
- Production, manufacturing, or distribution commitment requirements may not be met.
Is there value in this report?
Absolutely! Any entity in the supply chain can benefit from the SOC for Supply Chain assessment. Companies that produce, manufacture, or distribute products, as well as their suppliers, can utilize the report to demonstrate how they have addressed risk in their environment. The SOC for Supply Chain report communicates useful information about a company’s systems and the controls within the systems to customers, business partners, and prospective customers and business partners.
Additionally, LBMC recommends that an organization address the risk it inherits from its suppliers and business partners by requiring them to obtain a SOC for Supply Chain report, which the organization can then review to understand the controls that supplier or partner has actually implemented, rather than relying on a self-completed questionnaire.
Cybersecurity Maturity Model Certification (CMMC)
The Cybersecurity Maturity Model Certification, or CMMC, is an evolving certification initiative that the Department of Defense put into motion in 2019. The DoD recognized that one of its primary missions – protecting the nation’s interests – was potentially jeopardized by cybersecurity risk in the Defense Supply Chain. While DoD contractors, both prime and sub, had already been contractually required (under DFARS clause 252.204-7012) to implement and self-attest to the NIST SP 800-171 security requirements, no independent assessment and reporting of that implementation had been established.
According to the Office of the Under Secretary of Defense for Acquisition & Sustainment, the CMMC framework contains five maturity processes and 171 cybersecurity best practices progressing across five maturity levels. The CMMC maturity processes institutionalize cybersecurity activities to ensure they are consistent, repeatable, and of high quality. The CMMC practices provide a range of mitigation across the levels, starting with basic safeguarding of Federal Contract Information at level 1, moving to the broad protection of Controlled Unclassified Information (CUI) at level 3, and culminating with reducing the risk from Advanced Persistent Threats (APTs) at levels 4 and 5. The CMMC framework is coupled with a certification program in which an independent third party, not the contractor itself, verifies the implementation of the processes and practices.
The CMMC Accreditation Body (CMMC-AB) is still very early in the process of establishing the certification ecosystem. The current phase of the pilot is the Provisional phase and involves a limited number of provisional assessors and their associated certification bodies, the CMMC Third Party Assessment Organizations (C3PAOs). The DoD is piloting the requirement in no more than 15 contracts this year and does not plan to require it in all applicable contracts until 2025.
The CMMC certification framework affects U.S. Department of Defense (DoD) contractors and their entire supply chain, including subcontractors, solution providers, and systems integrators that handle Federal Contract Information or CUI on the DoD’s behalf.
Learn more here: https://www.acq.osd.mil/cmmc/docs/CMMC_Model_Main_20200203.pdf
LBMC Information Security can help protect your organization against escalating cybercrime threats in your supply chain. Contact us to learn more about the SOC for Supply Chain report or CMMC and to get started with a consultation.