Your Supply Chain and the DoD's "Deliver Uncompromised"

The supply chain of the DoD needs to be secure. “Deliver Uncompromised” is about cybersecurity within YOUR supply chain. What does that mean?
This article is written based on CMMC version 1.0, and may not reflect the updated requirements of CMMC 2.0.

For the latest information on CMMC 2.0, please click here.


Prior to reading on, I suggest you watch this short video (2:53) from CAPS Research regarding cyber security in supply chains.

Business owners of every stature need to be mindful that the supply chain extends in both directions: every business has its own supply chain, and every business is but one link in the supply chains of many other businesses.

That means cyber risk is a multi-vectored challenge. Each business must protect in both directions simultaneously.

And nowhere is this more urgent than in defense contracting.

Even the most casual observer of the political maelstrom in the USA is aware that certain foreign nation states are using every type and form of subterfuge to access national security secrets. Since many nations around the globe are bound to the US by various multilateral defense pacts, it is not an exaggeration to state that far more than merely "adequate cybersecurity" is needed to protect the national security of the many countries that are democracy-centric.

Deliver Uncompromised

Christopher Burgess writing on 26 June 2018 eloquently underscores the risk to the US (and its allies):

The threat to the U.S. defense sector by foreign actors is well documented, and it just got a shot in the arm in recent Department of Defense Joint Testimony on “Military Technology Transfer: Threats, Impacts, and Solutions for the Department of Defense” before the House Armed Services Committee.

The testimony minced no words, "The Department of Defense is facing an unprecedented threat to its technological and industrial base."

The Department of Defense is now preparing to put its money where its mouth is, creating a fourth pillar in the acquisition framework. The pilot program "Deliver Uncompromised" would place security on par with cost, schedule and performance as a driver for defense acquisitions.

Both Congress and the DoD are urging government contractors to move from a checklist-based approach to security to a holistic view, with special emphasis on ‘crown jewel’ technologies – the kind that pose the most risk if compromised.

The truth Mr. Burgess speaks is that real, proactive cybersecurity must become as important as cost, delivery and reliability metrics for every defense sub-contractor (of which, one can be assured, there are many thousands scattered across America and in many other countries as well).

Deliver Uncompromised is a very important step in the right direction.

It’s More Than Defense, It’s Offense Too.

Elevating cybersecurity as a fourth pillar is essential for the defense industry and our nation’s security, but it must also be seen as an essential fourth pillar in any purchase regimen from any supplier – including your company.

We should expect that similar cybersecurity mandates will soon apply to all forms of government purchasing, not just defense contractors. From there, we may expect that purchasing protocols beyond government will also place a preferential value on cybersecurity. And we should welcome these developments as they occur, because we know that so many data security events begin with a socially engineered incursion into XYZ company's network for the purpose of eventually gaining access into the main target network (reference Target Corp, circa 2014).

Agents of foreign nations can seek many forms of information that can be damaging to businesses of any size: intellectual property assets, technology secrets, monetizable health records, and many other variants of economic espionage can and do inflict great harm on US-based firms, and on many other international firms as well. For example:

Chinese American scientist admits plot to steal GlaxoSmithKline’s secrets for firm in China
by Jeremy Roebuck, Updated: August 31, 2018

"Nonetheless, prosecutors allege that between 2012 and 2015 Xue and a GSK colleague, Lucy Xi, 38, of Westlake Village, Calif., continued to sneak dozens of confidential documents out of the company over email or by downloading them onto thumb drives. They shipped them to colleagues preparing to launch the rival firm, Renopharma, which they had established to exploit the research in China."

Research presented in this important and highly commended 10 July 2018 article in the Harvard Business Review underlines why hardening cyber defenses, improving internal and external cyber hygiene, and embracing a more collaborative form of data breach information sharing and reporting all build towards the common good that is central to the democratic instinct.

"There is a crying need for companies to enlist their supply chain management departments in the fight against cyberattackers. According to our research, over 60% of reported attacks on publicly traded U.S. firms in 2017 were launched through the IT systems of suppliers or other third parties such as contractors, up from less than one-quarter of attacks in 2010. A number of the high-profile attacks on large companies, including Equifax, Netflix, Best Buy, and Target, occurred this way."

"Embed cybersecurity measures in contracts with third parties. Our research suggests that many procurement professionals do not consider vendors' cybersecurity capabilities to be an important factor in selecting or developing top-tier suppliers. This must change, and purchasing and IT departments should work together closely to make it happen. Key suppliers should have to meet performance and training standards and then should be regularly assessed to ensure that they are meeting them. Firms can design their own standards or use common existing ones such as GDPR or NIST standards."

Every business of every size is both a buyer and a vendor, and thus infusing cybersecurity as a necessary fourth pillar in every commercial transaction is simply good business, locally and globally.

The sooner every business owner appreciates the truth that managing cyber-risk is now an everyday business task, the sooner every business can appreciate that real cybersecurity is not just a cost, it's a revenue driver too.

To learn more about Beryllium InfoSec Collaborative and their place in the DoD/DFARS solution market place, click here.
