Editor’s note: Ali Pabrai is presenting “Beyond NIST, CMMC Certification: Resilient Cyber Supply Chain,” at the ISACA 2024 North America Conference, to take place 8-10 May in Phoenix, Arizona, USA. The following is a preview of his conference session.
Mirai is a Japanese word that translates in English to “the future.” The future of cyber defense is to ensure the cyber supply chain is resilient.
The Cybersecurity Maturity Model Certification (CMMC) standard from the US Pentagon is about ensuring the cyber supply chain is resilient to Advanced Persistent Threats (APT) to sensitive and confidential information. Businesses can learn from this US Department of Defense (DoD) standard for the Defense Industrial Base (DIB) of over 200,000 organizations. CMMC is a standard that every organization, as well as cyber and compliance professionals, should assess to enhance their supply chain posture.
The DIB represents the supply chain of the DoD. This supply chain, like those of all businesses, is and will continue to be under attack. CMMC is a standard to establish a resilient cyber supply chain.
The CMMC standard provides an opportunity for businesses, globally, to examine their computing ecosystem, and enhance capabilities for supply chain resilience. Supply chain considerations for business include:
- Has the organization prioritized risks to the supply chain?
- Does the organization have viable service-level agreements that describe and enable responses to supply chain incidents?
CMMC, Built on NIST
The supply chain aspects of the ISACA mantra of digital trust, which is so very applicable for businesses globally, can be addressed with the implementation of the CMMC standard. CMMC is based on the NIST body of work, specifically NIST SP 800-171 and NIST SP 800-172. Further, CMMC has established certification requirements. CMMC certification is based on implemented evidence across the computing ecosystem and the organization’s supply chain.
Cyber Supply Chain Specifications
Consider the following two supply chain specifications in the NIST SP 800-172, which are defined and required for CMMC:
- Supply Chain Risk Response requires entities to assess, respond to, and monitor supply chain risks associated with organizational systems and system components (NIST SP 800-172 3.11.6e). This is a CMMC requirement for Risk Assessment (CMMC RA.L3.11.6e)
- Supply Chain Risk Plan requires the development of a plan for managing supply chain risks associated with organizational systems and system components. The supply chain plan should be updated at least annually, and upon receipt of cyber threat information or in response to a relevant cyber incident (NIST SP 800-172 3.11.7e). This is a CMMC requirement for Risk Assessment (CMMC RA.L3-3.11.7e).
Business Data at Risk
Third party business associates may be sharing your organization’s confidential information, such as Personally Identifiable Information (PII), Personal Data (PD) or Protected Health Information (PHI) with other sub-contractors. We know that security is only as strong, only as resilient, as your weak links. The application of the CMMC standard, which is based on NIST, establishes the foundation for a resilient network of third parties that process your business information.
Organizations must determine if:
- Supply chain risks associated with organizational assets and data are identified
- Supply chain risks associated with organizational assets and data are assessed
- Supply chain risks associated with organizational assets and data are responded to, and
- Supply chain risks associated with organizational assets and data are monitored
Analyze Supply Chain Risk
Supply chain events include disruption, use of defective components, insertion of counterfeits, theft, malicious development practices, improper delivery practices and insertion of malicious code. These events can have a significant impact on an organization and its valued information and, therefore, can also adversely impact organizational operations (i.e., mission, functions, image, and/or reputation), organizational assets, individuals, and other organizations.
The supply chain-related events may be unintentional or malicious and can occur at any point during the system lifecycle. An analysis of supply chain risk can help an organization identify critical requirements for third parties for which additional risk mitigations will need to be implemented.
The application of the CMMC standard, aligned with the objective of digital trust, provides an opportunity for businesses globally to implement a cyber resilient supply chain.
About the author: Mr. Ali Pabrai, a global AI cyber defense and compliance expert, is the chairman and chief executive of ecfirst. A highly sought after professional, he has successfully delivered solutions to U.S. government agencies, IT firms, healthcare systems, legal and other organizations worldwide. His career was launched with the U.S. Department of Energy’s nuclear research facility, Fermi National Accelerator Laboratory. He has served as vice chairman and in several senior officer positions with NASDAQ-based firms.
Mr. Pabrai has presented passionate briefs to tens of thousands globally, including the USA, United Kingdom, France, Taiwan, Singapore, Canada, India, UAE, Saudi Arabia, Philippines, Japan, Ireland, Bahrain, Jordan, South Africa, Egypt, Ghana and other countries.
He is a globally renowned speaker who has been featured as a keynote as well as moderated cybersecurity conferences. Mr. Pabrai is the author of several published works.
Mr. Pabrai is a proud member of the InfraGard (FBI).