As Cybercrime has escalated, cyber conscious organizations have concentrated efforts to secure against the cybercrime threat. With a primary target presenting a more robust security posture, threat actors have turned more and more to weaker links in the chain – most notably the supply chain.
What is the supply chain and why does cyber risk management matter?
In simple terms, the supply chain is the process of converting raw materials or component parts through to a finished product or service being provided to a consumer. This includes the organizations, people, technology, activities, information, and resources involved in any part of the process.
Today, in large part due to technology innovations, supply chains are quite complex and include interdependence and connections between organizations that manufacture or produce goods or products and their suppliers, distributors, and business partners.
While the interdependencies and connectivity of multiple organizations has many benefits, such as reduced costs, increased revenue, expanded opportunities, etc., the existence of multiple entities within the supply chain comes with an inherent level of risk.
In some cases, connectivity between a supplier and an organization can mean that when one is compromised the other may be compromised as well. In other cases, the supplier may have possession of some of the organization’s sensitive data.
It has been a standard practice for many years to include security commitments in agreements with suppliers and service providers. In recent years, the focus has moved into asking a supplier or service provider to attest through a security questionnaire that they have implemented the security practices that are important to the organization. However, despite that self-attestation, cyber risk continues to be a problem for many organizations and assessing that risk in the supply chain is becoming more and more prominent.
It seems inevitable that the audit and certification world would turn its sights to the supply chain as well. There have long been many options for evaluating and reporting on control environments and security in relationships with service providers. Those options, which include audits/certifications such as ISO/IEC 27001, HITRUST, NIST, and SOC2, can also apply to suppliers. We are going to explore a couple of the newer audit and reporting options available to suppliers – SOC for Supply Chain and the Cybersecurity Maturity Model Certification – being introduced by the Department of Defense.
SOC for Supply Chain
In March 2020, the AICPA launched a new risk reporting framework, SOC for Supply Chain – Reporting on an Examination of Controls Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy in a Production, Manufacturing, or Distribution System. This is the latest offering in the AICPA’s System and Organization Controls (SOC) suite of service offerings. (See more about SOC offerings here: https://www.lbmc.com/services/security-risk/it-assurance/soc/.) The new SOC for Supply Chain framework is designed to identify, assess, and address supply chain risks. Some examples include:
- Products may be provided that do not meet defined product performance specifications.
- Delivery and quality commitment requirements may not be met.
- Production, manufacturing, or distribution commitment requirements may not be met.
Is there value in this report?
Absolutely! Any entity in the supply chain can benefit from the SOC for Supply Chain assessment. Companies that produce, manufacture, or distribute products, as well as their suppliers, can utilize the report to demonstrate how they have addressed risk in their environment. The SOC for Supply Chain report communicates useful information about a company’s systems and the controls within the systems to customers, business partners, and prospective customers and business partners.
Additionally, LBMC recommends an organization address downstream supply chain risk by requiring their suppliers and business partners to obtain a SOC for Supply Chain report they can review to understand controls implemented by that organization.
Cybersecurity Maturity Model Certification (CMMC)
How the DoD is tackling cyber risk in its Supply Chain
The Cybersecurity Maturity Model Certification or CMMC is an evolving certification initiative that the Department of Defense put into motion in 2019. The DoD recognized that one of its primary drivers – to protect the nation’s interests – was potentially jeopardized by cybersecurity risk in the Defense Supply Chain. While the contractors, both prime and sub, to the DoD had been contractually required to establish and attest to certain minimum security levels, more robust security assessment and reporting had not been established.
According to the Office of the Under Secretary of Defense for Acquisition & Sustainment, the Cybersecurity Maturity Model Certification (CMMC) framework lays out a certification path based on the 110 security practices outlined in NIST SP 800-171.
The CMMC requirements institutionalize cybersecurity activities to ensure they are consistent, repeatable, and of high-quality. The CMMC security practices provide a range of mitigation across the levels, starting with foundational safeguarding at level 1, moving to the advanced protection of Controlled Unclassified Information (CUI) at level 2, and culminating with expert level safeguarding at level 3, with the introduction of a subset of NIST SP 800-172 requirements. The CMMC framework is coupled with a certification program to verify the implementation of processes and practices.
The Cyber Accreditation Body (Cyber-AB) is responsible for establishing the certification ecosystem, including implementing and overseeing how assessors evaluate conformance to the CMMC framework. The Cyber-AB has worked diligently over the past couple of years to accredit third party assessor firms, establish assessment procedures, and train and certify assessors.
The questions on everyone’s mind – does my company have to get the certification and when can I get it? The DoD published a new version of CMMC, labeled 2.0 late in 2021. The new version scaled back some of the requirements and simplified the definition of levels. Introduction of these changes doesn’t become final until all federal level rule making activities are complete. In the meantime, assessor companies may be able to perform assessment activities to support certification but will not yet be able to formally certify clients.
The Cybersecurity Maturity Model Certification (CMMC) accreditation framework impacts the U.S. Department of Defense (DoD) contractors, supply chain, solution providers, and systems integrators.
LBMC Information Security can help protect your organization against escalating cybercrime threats in supply chains. Contact us to learn more about the SOC for Supply Chain report or CMMC, and get started on a consultation!