
Stay Ahead of SCRM Challenges: Essential Strategies for Defense Contractors

Looking ahead, there are two things emerging as it relates to requirements that will have implications for supply chain risk management (SCRM) in the defense industrial base (DIB). To understand how to proceed with SCRM, it’s important to first gain insight into what this practice is and what typical challenges you might encounter as you work to implement practices in support of it.


Unfolding SCRM requirements

In the near term, the introduction of the Cybersecurity Maturity Model Certification (CMMC) and updates to NIST 800-171 will bring more rigorous supply chain risk management requirements. CMMC now has three maturity levels, each carrying a different set of cybersecurity requirements that must be applied. CMMC Level 2 is equivalent to what is required today.

Note that CMMC will require third-party certification, ensuring that all suppliers in the DIB meet specific cybersecurity practices and processes. If you have the DFARS 252.204-7012 clause in your contract, at some point you can expect to need a CMMC Level 2 certificate that has been verified by a third party. NIST 800-171 Rev. 3, once it takes effect, will also introduce enhanced supply chain risk management requirements. The emphasis will be on continuous improvement and proactive risk management rather than on compliance alone.


Supply chain processes

Here’s what SCRM looks like in practice from your perspective as a defense industrial base contractor.


Step 1: Supplier Identification and Categorization

Your objective here is to identify and categorize suppliers based on criticality and compliance requirements. In many cases this will span the full scope of your organization, because you are trying to measure operational, regulatory, and security impacts.


You will examine the exchange of regulated data, incident reporting requirements, key single-source supplier status, operational impact, financial stability, compliance and security practices, and contractual obligations.


To accomplish this, it will be important to collaborate with project teams and leverage a categorization matrix. You will need to engage with the more tactical teams to understand how they work with their third parties, suppliers, subcontractors, and so on. SCRM is not just an IT problem: the supply chain is engaged at the project, program, and operational levels, and that is where you need to understand it.


Step 2: Risk Assessment

Next, after you have enumerated the suppliers and third parties relevant to your organization, it is time to establish risk thresholds. Those risk thresholds could include:

  • Low risk categorization where no action is required.
  • Moderate risk where a questionnaire is needed to understand the supplier's relevant capabilities.
  • High or critical risk which would require supplier verification by way of documentation to show that their capabilities are well-governed with policy and procedure.


Once you’ve selected the parties that are critical and can have impact to your organization, assessing those entities is typically accomplished by requesting completion of risk assessment questionnaires, evaluating the responses, and developing risk management plans. When you’re performing the assessments, you will determine whether each vendor is exceeding or falling below your risk thresholds. In some cases you may want to engage directly and validate the assertions outlined in the responses.


Step 3: Continuous Monitoring and Assessment

This is where you persistently adapt to the realities of your engagements with suppliers and third parties and recategorize them on a defined cadence. If changes occur in the nature of the work or in the interface between the supplier and your organization, you need to capture those changes and adjust your approach accordingly.


This monitoring means consistent engagement with your program and project people to make sure they report when tangible changes occur in the nature of the engagement between your organization and any third party. Regularly review supplier performance and compliance, conduct periodic audits, and update risk management plans.


Step 4: Compliance Reporting and Communication

This step is about informing decision makers of the state of your suppliers and the risks they present to your organization. The people deciding whether to engage particular vendors also need to understand whether supply chain risks should affect that decision.


Maintain transparent and effective communication. Compile and deliver comprehensive reports on supplier compliance and risk status, including executive briefings and outbound communications, and provide training to client staff on SCRM and engagement protocols. If a supplier has a massive operational impact combined with poor security practices, that combination should inform your engagement with that vendor and may justify reselecting vendors to support your organization or your project work.


If you have any questions about how you can structure and implement a comprehensive supply chain risk management program at your organization, contact the experts at CyberSheath. We’re here to help.

Check out our latest webinar, Navigating the Path to CMMC Compliance: A Buyer’s Guide, to learn key questions every defense contractor should ask vendors.