Headed to RSA in San Francisco? May 6-9 | Join us!

Understanding Federal Supply Chain Risk Management

Federal supply chain risk management has garnered considerable attention in recent years following the 2020 SolarWinds cyberattack. Similar threats still loom large — cyber-enabled supply chain attacks are increasingly being used as a hybrid warfare tactic against the United States. While the concepts of supply chain risk management (SCRM), cyber SCRM (C-SCRM), and federal SCRM are closely related, it’s important to note that federal SCRM is a matter of national security. As a result, it has more serious implications when compared to commercial SCRM.

To understand current efforts being made to improve federal supply chain risk management, you first need to learn how supply chain risk management is defined in the context of cybersecurity. 

What Is Cyber Supply Chain Risk Management?

Cyber supply chain risk management is the ongoing process of maintaining the integrity of an organization’s cyber supply chain by identifying, evaluating, and mitigating the risks associated with IT and software service supply chains. However, much like cybersecurity, C-SCRM is not entirely dependent on the IT department — it must be an organization-wide effort to protect critical systems that fits into the overarching risk management framework.

The National Institute of Standards and Technology (NIST) has been at the forefront of researching C-SCRM and presenting their findings to benefit both the public and private sectors. They note that many of the factors that enable rapid, cost-effective technological innovation are also increasing supply chain risk. Last year, NIST released a comprehensive guide of C-SCRM best practices that includes eight recommendations organizations (across industries) should prioritize:

  1. Integrate C-SCRM across your organization.
  2. Establish a formal C-SCRM program that is evaluated and updated in real-time.
  3. Know your critical suppliers and how to manage them.
  4. Understand your organization’s supply chain.
  5. Collaborate with your key suppliers and incorporate them in your supplier risk management program.
  6. Include key suppliers in your resilience and improvement activities; for instance, include as part of your vendor risk assessment process.
  7. Constantly and vigorously provide continuous monitoring of your C-SCRM.
  8. Have a plan for all business operations, not just for what appears to be the most critical parts of your organization’s various functions.

C-SCRM is similar to other categories of risk management in that there is a significant focus on increasing information visibility and awareness. After all, you can’t manage what you don’t know. As you can see in several of the NIST best practices outlined above, maintaining trustful and transparent relationships with your suppliers and vendors is essential — your C-SCRM program is only as strong as its weakest link. 

According to research from Ponemon Institute, breaches caused by third parties increase the cost of a data breach by over $370,000. This also includes “fourth parties,” or the third parties of third parties.

To navigate these frequently overlooked challenges, here are a few additional tips for effective C-SCRM:

  • Adopt an “assume breach” mentality (see: zero trust) in which you expect all of your networks, systems, and applications are already, or will soon be, compromised.
  • Make a thorough inventory of all assets (hardware, software, personnel, contracts, etc.) and where they interact with third parties.
  • Clearly define security requirements in contracts and RFPs, and ask suppliers/vendors for evidence (e.g., their security policy, pen test reports, compliance certifications).
  • Beyond initial verification, practice continuous monitoring of your vendors’ security controls to ensure that they remain effective over time.

What is Federal Supply Chain Risk Management?

Federal supply chain risk management focuses on mitigating supply chain risks in the context of national security. The Cybersecurity and Infrastructure Security Agency (CISA) sometimes refers to federal SCRM as “National Industrial Base Security” because it has historically fallen under the purview of the Department of Defense (DoD).

However, the U.S. government is now making a major effort to relate the importance of cybersecurity and SCRM to all businesses and industries, not just those that are part of the Defense Industrial Base (DIB). In fact, in the cybersecurity Executive Order that was released last year, there is an entire section dedicated to enhancing the software supply chain security of the federal government, which includes thousands of technology companies. The Department of Homeland Security (DHS) also recently launched the Cyber Safety Review Board (CSRB) which will investigate national cyber incidents.

Federal SCRM is vital to U.S. security because our nation’s adversaries have become extremely sophisticated in their ability to exploit supply chain vulnerabilities to infiltrate systems, steal intellectual property, corrupt software, surveil critical infrastructure, and more.

NIST 800-171 and Supply Chain Risk Management

In 2015, NIST published special publication 800-171 to help shore up federal supply chain security. NIST 800-171 sets standards that federal contractors and subcontractors that handle, transmit, or store federal contract information (FCI) and/or controlled unclassified information (CUI) must follow to ensure that data is protected.

In September 2020, the DoD issued the Defense Federal Acquisition Regulation Supplement (DFARS) Interim Rule which states that all federal contractors and subcontractors must upload their NIST 800-171 self-assessment results to the Supplier Performance Risk System (SPRS) as a requirement to do business with the government.

CMMC and Supply Chain Risk Management

The self-attestation approach that is currently in place has proven to be unreliable for SCRM — many organizations involved in the federal supply chain still do not fully adhere to NIST 800-171. That’s why the DoD is in the process of creating the Cybersecurity Maturity Model Certification (CMMC) program to protect Controlled Unclassified Information (CUI).

When the program is officially launched, certification will require an independent assessment conducted by a CMMC Third-Party Assessment Organization (C3PAO).

CMMC 2.0: The Future of Federal Supply Chain Risk Management

CMMC 1.0 vs. CMMC 2.0

In November 2021, the DoD announced several updates and changes to the initially proposed CMMC framework, resulting in an enhanced “CMMC 2.0.” You can read my CMMC 2.0 recap here, but the most significant changes from CMMC 1.0 include:

  • Two levels of the original five-level framework have been removed for a total of three levels (Level 1: Foundational, Level 2: Advanced, and Level 3: Expert).
  • Certain third-party assessment requirements have been reduced. For Level 1, annual self-assessments will be accepted without third-party validation. For Level 2, for some organizations, depending on the CUI sensitivity, may only require an annual self-assessment without independent validation.
  • Level 2 (formerly CMMC 1.0 Level 3) now includes only the 110 practices from NIST SP 800-171 Rev. 2; the additional 20 practices from other frameworks have been removed for now.
  • Level 3 (CMMC 1.0 Level 5) is currently under development but will include a subset of NIST SP 800-172 requirements to be assessed by DoD directly.

How to Prepare for CMMC 2.0

If your organization is one of the 300,000+ companies that are part of the DIB supply chain and will be required to obtain CMMC, now is the time to lay the foundation for future success. Here are a few tips to prepare for CMMC 2.0:

  • Implement NIST 800-171 in its entirety (this is perhaps the most important thing you can do right now).
  • Identify where critical data is stored — CMMC only considers the parts of your organization that touch FCI and CUI and relate to the protection of FCI and CUI to be in-scope.
  • Determine what level of the CMMC model you will have to achieve depending on the critical data being handled. If you fall under one of the first two levels (as most organizations will), review the DoD self-assessment scope for Level 1 or Level 2.
  • Begin to educate your subcontractors about the CMMC requirements they will have to fulfill so they can begin laying the groundwork, as well.

CMMC 2.0 will not become a contractual requirement until the DoD completes the rulemaking process, which is estimated to take 9 to 24 months from the start of 2022. Given this time frame, it is expected that there will be one to two new interim rules published before the program is officially launched.

Work with a Top FedRAMP Assessor

Federal SCRM will be vital in the coming years as the global cyberattack volume continues to increase. Companies that previously didn’t consider C-SCRM a high priority are now tasked with enhancing their defenses and increasing visibility into their entire supply chain to identify weak points. Third-party risk is a significant threat because many organizations don’t realize they are working with suppliers or vendors that have poor cybersecurity hygiene.

If you’re looking for guidance through the NIST 800-171 self-assessment process, or would like assistance preparing for CMMC so you can take the most efficient path to certification once the program launches, A-LIGN can help. We have completed hundreds of successful federal assessments and our firm is a candidate C3PAO that will be authorized to complete CMMC certification.