Compliance and cybersecurity are constantly evolving. Recently a shift has occurred with the concept of supply chain risk management (SCRM) as a set of requirements across many cybersecurity frameworks—in particular, NIST 800-171 as it applies to the defense industrial base—gaining prominence. While these requirements are on the horizon, including NIST 800-171, Revision 3, some level of SCRM exists in the DFARS clause that applies today.
What is supply chain risk management?
The definition of supply chain risk management is the process of identifying, assessing, and mitigating risks within your supply chain to ensure security and compliance. This practice involves ensuring that all suppliers and third-party partners adhere to security standards and regulations, minimizing vulnerabilities that could be exploited by cyber threats. Supply chain risk can be derived from partners, technical vendors, suppliers, subcontractors, and even clients or the prime contractors themselves.
Current state of SCRM in the Defense Industrial Base (DIB)
Currently what’s required of the DIB in terms of SCRM is fairly minimal. Many organizations are still in the early stages of implementing comprehensive supply chain risk management practices. DFARS 252.204-7012 requires the flow down of the clause to subcontractors, mandating them to protect Controlled Unclassified Information (CUI). A defense contractor is expected to have assessed themselves, generated a score using the Department of Defense (DOD) assessment methodology, commonly referred to as an SPRS score, and then attest to a system security plan (SSP) as well as a plan of actions and milestones (POAM) with a targeted date to reach compliance.
Prime contractors issue questionnaires to subcontractors to assess their compliance with DFARS 252.204-7012, NIST 800-171 implementation, and SPRS status. The goal is to verify that subcontractors do not introduce compliance risks that could prevent them from performing the subcontracted work.
Why Supply Chain Risk Management Is Critical: A Real-World Example
The importance of supply chain risk management extends beyond just the regulatory requirements. Let’s review the cautionary tale of the attack on CDK Global to see how disruptive supply chain issues can be to a whole ecosystem. Although not within the defense industrial base, this example demonstrates how one supplier can massively impact an entire industry segment.
In June 2024, CDK Global, a software provider for automotive dealerships, was hit with a ransomware attack that caused the company to shut down its IT systems, disrupting services for 15,000 dealerships. CDK was a critical supplier for these car dealerships. This attack compromised sensitive customer data, damaged CDK’s reputation, and lessened its trust among clients.
There were important lessons learned from this ransomware attack. First, supplier accountability: organizations should ensure that their vendors adhere to robust security standards. The auto industry probably isn’t as stringent as the defense industrial base, but through the lens of a car dealership, it should have been clear that this application was critical. Those dealerships that were more prepared were probably able to temper the impact compared to those that were less aware of how dependent they were on this application.
Proactive risk management could also have helped avert disaster by identifying and mitigating risks in advance. The size and complexity of a car dealership are different from the standard use case you’d expect in the DIB, but processes to reduce supply chain risk would have highlighted a critical application that was tied heavily to the operations of a car dealership. This attack illustrates the cascading effect of a single critical supplier and the potential impact across thousands of organizations dependent on its software.
Challenges of supply chain risk management
Given the importance of SCRM, you may ask, why aren’t all companies actively implementing these requirements? It’s not that easy. Here are some of the issues you might face as you work to define and roll out your own SCRM program.
- Complexity of supply chains: Modern supply chains often involve multiple tiers of suppliers and subcontractors, each introducing potential vulnerabilities. When work is engaged at the prime level, visibility into the supply chain becomes challenging because you’re fully dependent on the flow down of the clause to your subcontractors, and then on the further flow down of the clause to any subsequent subcontractors performing the work.
- Lack of visibility: Organizations frequently struggle to maintain visibility over all suppliers, making it difficult to monitor compliance and security practices. The further you get from the prime contractor and the first tier of subcontractors, the more that lack of visibility makes it hard to fully understand supply chain risk.
- Regulatory requirements: Keeping up with evolving regulatory standards such as CMMC and DFARS can be challenging, particularly for organizations with extensive supply chains and difficulty identifying regulated datasets like CUI. Like most things NIST, the expectation is that there is a programmatic approach to implementing your capabilities. As regulatory requirements unfold, it is likely that you will need to govern your SCRM program with policy and procedural elements, along with the execution of processes that enumerate and evaluate your supply chain and produce a tangible output.
As you move forward, be sure to assess and categorize your supply chain according to expected risks. Then, through that enumeration, identification, and categorization, evaluate your third parties to understand the actual risks these entities pose in the performance of your CUI-related work or in your day-to-day business operations.
In our next blog in this series on SCRM we’ll discuss the future of supply chain risk management. Be sure to reach out if you have any questions on how to proceed with your own programs. We are the CMMC experts and we’re here to help you build a CMMC-compliant supply chain.