The US Department of Defense (DoD) is ratcheting up its cybersecurity compliance requirements on multiple fronts, and companies in the US defense industrial base (DIB) are surely taking notice. Complex, comprehensive guidelines like NIST SP 800-171 and the Cybersecurity Maturity Model Certification (CMMC) are baffling and intimidating many SMBs. What we’re not hearing a lot of is complaints that the new requirements aren’t stringent enough!
Yet the question looms…
Why aren’t controls to manage so-called supply chain risk or third-party risk built into the DoD’s cyber standards? Is this a sneaky trick, or an inexplicable oversight? Or… could there actually be a logical explanation?
This was one of many questions put to esteemed guest Dr. Ron Ross, who directs development of NIST’s cybersecurity and privacy publications, on a recent episode of The Virtual CISO Podcast. Dr. Ross has encyclopedic knowledge of cyber frameworks, including how they relate to the “bigger picture” of US laws, DoD contracts and other cyber mandates.
Host John Verry, Pivot Point’s CISO and Managing Partner, asks Dr. Ross: “One thing that’s puzzled me personally and confused a lot of the people we work with is that NIST 800-171 specifically doesn’t bring into play what I’ll refer to as third-party or supply chain risk management, right? It doesn’t encumber you with that responsibility. Now, I know if we look at the DFARS Clause 252.204-7012, that points to it in subclause M or something, right? It actually encumbers you to make sure that flows down to those people below. But why does NIST 800-171—and now even CMMC at Level 3… I mean, supply chain risk management comes in at CMMC Level 4. To me it’s illogical that I would go to this effort to ensure that you’ve got 110 controls. I’m willing to give you my information. But I’m not going to require you, because that information is going to be shared or put in some else’s data center along the line, to encumber them with that same responsibility.”
Dr. Ross replies: “The NIST 800-171 requirements are actually used by the federal agencies when they’re entering into contracts or agreements with non-federal organizations. Now, it’s true that after you have that first-level instantiation of those requirements in the contract, it’s really up to the contract to specify, or the agreement to make sure, that all of the subcontractors or downstream organizations that may touch that CUI… that those requirements are enforceable downstream.”
“Now, we didn’t talk anything in NIST 800-171 about assessment,” points out Dr. Ross. “When we’re dealing with cybersecurity, we always have two sides of the coin. On one side, we have our security requirements or controls. On the other side is, how do you know the organization met those controls or those requirements?”
Dr. Ross continues: “We were completely silent in 171 about the assessment side. In fact, we developed a publication later, NIST SP 800-171 Alpha [Assessing Security Requirements for Controlled Unclassified Information]. The Alpha being the assessment side, which looks a lot like 800-53 Alpha, which is our security control assessment guideline.
“But those supply chain issues are really critical. In fact, you’re seeing coming out of the White House and the Congress, there’s a lot of emphasis on supply chain security and supply chain risk management. … You can imagine that in our country, we’re at the forefront of new technology. We’re building our systems with stuff coming in from everywhere. And the adversaries, if they can affect that component at the lowest level of production—in other words, they can get into the hardware production, then it’s pretty much game over. So, as you get up in the stack, moving from hardware to the firmware to the software… The whole stack can be breached at any level, but the lower you get in, it gets more difficult [to root the malware out].
“You’re going to see in 2021 and beyond a tremendous new emphasis on supply chain security. And, of course, NIST 800-171 and the CMMC is going to be at the heart of that discussion,” emphasizes Dr. Ross.
For those interested in previewing the latest supply chain risk management controls, NIST 800-53 Rev. 5 has recently been published, which contains “a whole new family” of supply chain controls.
If your company does business with the DoD, you most likely have a DFARS clause in your contract that mandates flowdown of cyber requirements to protect CUI you share with subs, vendors, etc.
To listen to this outstanding podcast episode with Dr. Ron Ross at NIST, and to check out any of our other information security podcasts, you can subscribe to The Virtual CISO Podcast here.
If you don’t use Apple Podcasts, you can access all our episodes here.