TransInfo

Coordinating supply chains and IT against cyber threats


It’s about finding and eliminating gaps together – otherwise you can’t get DoD CMMC certified for a contract

If you are wondering what in the world CMMC certification is, it is the U.S. Department of Defense’s method of assuring that contract holders, subcontractors, and suppliers will protect government information.

CMMC stands for Cybersecurity Maturity Model Certification.

The certification has been under development for some time, but with the recent cyber attacks on government databases you can imagine the increased focus on making sure every IT gap in the supply chain is closed.

Should I worry about supply chain gaps to get a contract? Isn’t CMMC a cybersecurity certification?

Yes to both questions.

The truth is, supply chains have IT gaps that allow hackers access to your supply chain and company data even if you don’t consider your supply chains to be digitized or digitally transformed.

How is this so?

Many older systems use technology called SCADA (Supervisory Control and Data Acquisition). Every SCADA node is a potential gap in your security, especially if it has been in place for years without being patched or upgraded. SCADA was designed as a “bump in the line”: a data collection point somewhere out in the field, built for reliability rather than hardened against intrusion, and often speaking industrial protocols that carry no authentication at all. If attackers judge your SCADA nodes easy to compromise, they can pivot from those nodes back into your more interesting data.

Even if your supply chain data collection nodes are secure (and I’m including all those sensors that travel with inventory, or just sit in your plant and track inventory), you can still open your supply chain data up to hostile access.

Do you run diagnostics, or any other check, on the hardware and software that third-party maintenance or systems personnel bring with them to upgrade, fix, or adjust the electronics, computers, or systems in your business? A laptop or USB drive that is never inspected is an unmanaged device on your network. Unwary third parties could accidentally open your company data up to attack, and unwittingly allow access to sensitive data about your company, your customers’ companies, and your suppliers’ companies.

And by the way, the threat can come to you from your customers’ and suppliers’ supply chain maintenance access as well.

Cybercriminals are sharp, innovative, and smart. They know how to hack your systems.

Still, you need to protect against them. That requirement is coming soon.

Luckily, the CMMC certification focuses on the same aspects of advanced supply chain gap analysis and filling, mapping, and alignment that you are already working on, whether for the first time due to changing economic conditions or as an improvement on your bellwether supply chains.

Supply chain security and the CMMC meet in the underlying SCOR (Supply Chain Operations Reference) model. The Dept. of Defense has long integrated SCOR into its supply chain work (DoDM 4140.01) and materiel handling.

The CMMC requirement includes:

  • mapping – capturing the acknowledged supply chain elements and the IT aspects that could compromise you, your customers, and your suppliers
  • process capture – documenting what is actually going on, which helps calm the internal chaos caused by getting product and services out the door while requirements continue to change
  • gap elimination – you have a mandate (if you pursue the certification, and you do have to pursue it if you are a DoD contractor, subcontractor, or supplier) to implement the upgrades and innovation you know you need but have been too busy to attend to (gap filling)
  • cyber agility – without mapping, processes, and monitoring, how can your IT be agile enough to help you, the supply chain professional, protect your supply chain data? IT can’t do this alone.

Here’s the thing: your IT needs a structured supply chain approach that won’t get in the way of your supply chain performance results.

And, your supply chain performance needs to be able to assure executives in your company that all supply chain data is safe. Integration points are secure. Hackers can be thwarted before they get into your or the government’s sensitive data.

How can you do all this?

First, create a cross-functional team of IT, supply chain, and IS/MIS professionals.

Second, learn SCOR. It is buried in the requirements, and it will allow your supply chains and IT, IS/MIS to move forward together in an agile, responsive, and reliable manner.

Even better, you get improved supply chain performance from the cybersecurity work you are doing because:

  • SCOR’s metric hierarchy makes it easier for IT to monitor and quickly pinpoint where a breach may have occurred
  • SCOR’s process hierarchy and metric integration allow rapid action, including isolating the affected supply chain segments from the rest
  • the integration of supply chain personnel and practice that SCOR enables allows your talent to be trained in what to watch for and what to do if an attack is suspected

If you’re not familiar with SCOR, you can learn more about it here.

While SCOR is not required for obtaining your CMMC certification, it will certainly make the integration of IT, IS/MIS, and supply chains easier. With over 25 years of adoption and adaptation, SCOR will help immensely as you work up to and through whichever of the 5 certification levels you need; the hierarchy you will need to embed is standard in the SCOR model.

You’ll also be speaking the same structural language as your Dept. of Defense counterparts.

Is there a better way to build trust than by improving communication and reducing misunderstanding around matters of cybersecurity and supply chain performance with your customers?

Keywords and Concepts: CMMC, Cybersecurity Maturity Model Certification, supply chain, performance, SCOR, security, alignment, agility, risk

Cynthia Kalina-Kaminsky helps innovate and protect supply chains and operations, including their digital transformation. She spent 4 ½ years in DoD developing supply chain surveillance processes and education.

Photo credit: jaydeep