Supplier Risk Management for DoD Subcontractors — What is Required

This may not be what you want to hear but sometimes the truth hurts.

In his appearance on The Virtual CISO Podcast, special guest John Ellis, who leads cybersecurity policy efforts at the Defense Contract Management Agency (DCMA), addressed a widespread concern regarding supplier risk management requirements in the DoD’s new Cybersecurity Maturity Model Certification framework.

Host John Verry, Pivot Point Security’s CISO and Managing Partner, asks: “People look at CMMC, and if you look at the supply chain requirement, it doesn’t happen until CMMC Level 4. So I’ve had clients actually say to me, ‘I don’t need to worry about vendor risk management.’ And to me, that’s illogical, right? It would make no sense that [the DoD] would hold you to CMMC Level 3, but then you’d have unfettered ability to hand that Controlled Unclassified Information (CUI) to somebody else and not have any attestation that they’re doing the right thing with it.”

“There’s some ambiguity and I understand where it’s coming from,” acknowledges John Ellis. “Under the current construct, the Defense Industrial Base Cybersecurity Assessment Center (DIBCAC) does not look at that particular flowdown of requirements that you’re referring to. There is guidance, however, for those companies that are subject to purchasing system reviews. Purchasing system reviews do require that [DFARS] 7012 be flowed down to the first tier of suppliers, and that the primes gather information — some sort of self-attestation document. It could even be the results of a self-assessment if they haven’t undergone a DIBCAC assessment.”

John Ellis continues: “But part of the flowdown process is to look for evidence that the first-tier supplier meets NIST 800-171 requirements. … That should not change as DFARS 7012 goes forward. Any revisions that may or may not happen I would assume will account for that.”

“But there will be a flowdown requirement. And, quite honestly, companies should want to know about the other companies they do business with, to ensure that not only is the government’s information protected, but also any of that proprietary information from the prime to the sub would be protected as well,” John Ellis points out.

John Verry adds: “Just to be clear, because a lot of the people listening to this are not going to be primes… that subcontractors should logically have that same level of obligation, that their first level of people that they’re contracting with need to treat this CUI to the same level that they’re treating it to, correct?”

“Absolutely,” asserts John Ellis.

But John Ellis concedes that “… this supply chain issue is a rather sensitive subject. A lot of primes, they have supply chain insight sometimes only four, five or six levels deep. When we all know that the chain runs much deeper than that.”

“Where do all the components for computers and circuit boards and integrated circuits come from?” posits John Ellis. “They typically don’t come from the US. And those parts are buried so far deep in a supply chain as individual components get added to devices. And it rolls all the way up to eventually show up on the deck of a ship or the back of an armored command post… So there’s a lot of interesting stuff that comes from a lot of interesting places. And companies do not always have full insight into where all of that stuff came from.”

Any business or technical leader concerned with DoD contract compliance will benefit tremendously from this podcast with John Ellis.
