CMMC requirements taking effect soon
“CMMC is trying to enable a supplier to provide a demonstration that they’ve got the right security controls in place for the level of risk they’re taking,” Kolasky said. “As a buyer, I want to know that I can count on the security practices of whom I’m buying from, that they’ve got a good risk management program in place.”
CMMC standards will be required in selected requests for information (RFI) beginning in June 2020, followed by corresponding requests for proposals (RFP) in September 2020. Industry associations have weighed in on the CMMC, expressing concerns about its scope and implementation timeline, for example, and the desire to have reciprocity with other certifications, such as FedRAMP. Despite the concerns, industry executives say CMMC will help to mature supply chain security practices within the DoD, and those practices will ripple across its vendor base.
“Overall, I think CMMC will help identify responsible companies for the DoD and evaluate on key metrics other than price alone,” Moore said. “If nothing else, it has raised awareness and codified the requirement for suppliers to practice good cyber and supply chain hygiene. Any factor that raises awareness and helps organizations implement risk mitigation strategies is a good thing.”
On the other hand, “the cost associated with CMMC compliance is not trivial,” Moore said. “If working with the DoD becomes expensive and difficult, fewer will want to participate. Innovation and competition are good things – so it’s a fine line to walk.”
Industry groups are also watching for developments regarding the DoC’s proposed rule for securing the ICT supply chain. Pursuant to a May 2019 executive order, the rulemaking would permit the department to identify, assess, and address ICT technology transactions on a case-by-case basis to determine if they “pose an undue risk to critical infrastructure or the digital economy in the United States, or an unacceptable risk to U.S. national security or the safety of United States persons.” The comment period closed on Jan. 10.
NTIA: Understanding what’s in software, for better risk management
Also at DoC, the National Telecommunications and Information Administration (NTIA) is coordinating an international, multi-sector, public-private initiative to improve transparency around third-party software components so that when vulnerabilities are detected, they can be quickly remedied. A model software bill of materials (SBOM) is at the heart of the project. It’s essentially a list of components that comprise software, information about those components, and supply chain relationships between them.
An SBOM helps software developers understand the risks they are shipping with products; it helps buyers make risk-based purchasing decisions; and for users, it raises awareness of risks when new vulnerabilities are identified. The reasoning is that if these groups first understand what they have, they are empowered to take appropriate action.
“We learn about new risks every day. Sometimes they come from private researchers; sometimes they come from the government or intelligence services. That’s the hard part,” said Allan Friedman, director of cybersecurity initiatives at NTIA. “What shouldn’t be hard is everyone in the software ecosystem knowing ‘Am I affected?’ There’s such clear value in enabling every organization to quickly and easily understand whether they are potentially affected, and that’s the value of SBOM.”
Late last year, the Software Component Transparency initiative published guidance on SBOMs, as well as a case study from the healthcare sector. Working groups continue to advance the SBOM effort, most recently issuing a draft FAQ document in April. The Food and Drug Administration this spring signaled publicly that it would incorporate SBOMs into its guidance for submissions of medical devices containing software, drawing on NTIA’s published guidance, Friedman said.
“Looking ahead, we anticipate SBOMs will be a common part of all software, from open source through middleware and commercial off-the-shelf software to contract-driven software and down into the embedded devices in the infrastructure all around us,” he said.
Recommendations for agency leaders
The Federal government’s myriad efforts to raise awareness about supply chain vulnerabilities and establish requirements and processes to improve security are gaining momentum. Here are recommended actions for agency leaders:
- Increase communication with potential and existing suppliers. When considering potential suppliers, assess the importance of the products or services they provide, as well as the risks they could bring to the agency’s supply chain. Broadly, suppliers should be able to answer, “What is your process for building new software or implementing new hardware? Is it a documented, repeatable, measurable process?” “How do you stay current on existing vulnerabilities, and how do you mitigate vulnerabilities in new and existing systems?” and “What physical security measures are in place?” With existing suppliers, take steps to continually identify third-party risk and measure performance.
- Review CISA’s supply chain essentials, and become familiar with the SBOM initiative. Confirm that staff are actively promoting best practices to improve the agency’s security posture and obtain greater transparency from suppliers. Continue to promote ICT resilience amid current and potential strains on ICT due to the current pandemic.
- Prepare for CMMC requirements in select DoD RFIs and RFPs in June and September 2020, respectively.
- Evaluate the reseller ecosystem. At a minimum, confirm that the reseller is an authorized seller of the OEM’s product and verify the company’s ownership structure and sourcing methodologies. Also, ask if the reseller has International Organization for Standardization (ISO) certifications and has met the Open Trusted Technology Partner Standard.
- Look for ways to automate the risk assessment process. Thanks to artificial intelligence and machine learning advancements, automated tools can provide agencies with deeper and faster insight into their supply chains, so they can better understand and quickly respond to potential risks. Automation generates significant time and cost savings, allowing staff to focus on decision-making.
Because awareness and concern about supply chain security are rising, “Federal and state and local agencies are reaching out more often now about third-party risk and supply chain security,” Potter said. “They’re asking great questions and really looking to become more educated about where supply chain risk comes from and what they can do to mitigate it. They’re allocating resources and budget, and the needle seems to be moving.”