There are over 5.7 million companies involved in America's supply chain, and they are under constant cyber-attack by foreign countries attempting to steal our intellectual property. According to the Department of Defense (DoD), about 350,000 of those 5.7 million are prime government contractors that make up the U.S. Department of Defense's Defense Industrial Base (DIB). In reality, the number of government contractors is closer to 1 million or more, because the supply chain of these primes goes much deeper.
The DoD may see its prime contractors as the end of the line for their products, but those primes have subcontractors in THEIR supply chain, and even those subcontractors have another supply chain with THEIR suppliers. Some DIB prime contractors have hundreds of subcontractors, with many more beneath those. This is why a major cybersecurity pain point in the U.S. (and in many countries) boils down to securing the supply chain.
So how can you help secure your supply chain? The answer comes in the form of three compliance standards: CMMC, ISO 27001 and NIST 800-161.
The Cybersecurity Maturity Model Certification (CMMC) is a certification developed by the DoD to “enhance the protection of controlled unclassified information (CUI) within the supply chain.” (1) The DoD will require primes in the DIB to become certified to CMMC to bid on DoD contracts. CMMC has five maturity levels and “will review and combine various cybersecurity standards and best practices and map these controls and processes across several maturity levels that range from basic cyber hygiene to advanced.”(1)
ISO 27001's official name is ISO/IEC 27001:2013 Information Security Management System, and it "enables organizations of any kind to manage the security of assets such as financial information, intellectual property, employee details or information entrusted by third parties."(2) This standard is a good start to securing your supply chain because it mitigates information security risk and helps protect your intellectual property. Once in place, ISO 27001 will also enable your company to effectively review and continually improve the security of its management systems.
Note: The latest 2022 version of ISO 27001 has been released, with key dates for transitioning from the old 2013 version.
If all of the 5.7 million companies followed the NIST 800-161 guidelines, we'd have far fewer security problems. It was created specifically for supply chains, and its official name, "Supply Chain Risk Management Practices for Federal Information Systems and Organizations," sums it up. The standard "provides guidance to federal agencies on identifying, assessing, and mitigating Information and Communications Technology (ICT) supply chain risks at all levels of their organizations. This publication integrates ICT supply chain risk management (SCRM) into federal agency risk management activities by applying a multitiered, SCRM-specific approach, including guidance on supply chain risk assessment and mitigation activities."(3) You can download the publication for free here: https://csrc.nist.gov/publications/detail/sp/800-161/final
CMMC, ISO 27001 and NIST 800-161 are all standards that, when implemented, will help protect your supply chain and the intellectual property within it. If you're a supplier within the DoD's DIB, you already know of these or will become very familiar with them. Navigating these three standards can be complex, and it pays to have a partner like ISOP to help you through the process from start to finish and beyond.
Contact us if you need help with any of these standards.
(1) https://www.acq.osd.mil/cmmc/
(2) https://www.iso.org/isoiec-27001-information-security.html
(3) https://csrc.nist.gov/publications/detail/sp/800-161/final