CMMC Takes Aim at Supply Chain Security
Effective security in contracting involves more than just battening down the hatches.
Ensuring the sanctity of defense information goes beyond keeping secrets from the enemy: it also brings to light vulnerabilities in the supply chain. One of the key tenets of the Cybersecurity Maturity Model Certification (CMMC) is to guarantee the sanctity of the supply chain in a time when data is particularly in peril.
A keynote fireside discussion group at AFCEA’s Virtual CMMC Symposium looked at the threats posed to the supply chain in light of the COVID-19 coronavirus pandemic. Bob Kolasky, director, National Risk Management Center, Cybersecurity and Infrastructure Security Agency, Department of Homeland Security, provided a powerful presentation in which he pulled no punches about the threat.
“We live in a world of a lot of supply chain threats,” he declared. “The question is, what are we going to do about it? The answer is partnerships, frameworks and analysis.”
One action Kolasky suggested is that the United States must tell Russia and China they are not going to be able to use the supply chain against this country. Katie Arrington, chief information security officer for defense acquisition, said that the United States is watching how its adversaries are asserting themselves. “COVID is a new way of knowing how really interconnected we are,” she said.
Rear Adm. Michael Johnston, USCG, assistant commandant for acquisition and chief acquisition officer, U.S. Coast Guard, emphasized the importance of CMMC. “Information sharing is the strong link in the chain,” he stated. “Hardening up those links is vital to our national security.”
Kolasky continued that thread. “We can benefit from each other’s information that will help us make better risk decisions,” he averred. “We’re all in this together, and we have to build upon the good work that is being done and push it into different places. We must absorb the questions being asked of the defense industrial base and apply them to other areas.”
Dwight Deneal, director, Office of Small Business Programs, Defense Logistics Agency, was blunt about the need for supply chain security. “If you don’t have a good cybersecurity posture in your company, I don’t want you in our national defense industrial base,” he told symposium attendees.
Arrington was very pointed about the number-one way companies can practice good cyber hygiene. “Tell everyone in your company to change their passwords! Do it as a daily scrub!” she declared.