Cybersecurity Maturity Model Certification (CMMC)
Supply Chain Readiness Assessment
The United States Department of Defense (DoD) has recently finalized a new cybersecurity requirement that will impact all participants in their supply chain. This effort comes on the heels of the updates to existing requirements (DFARS 252.204-7012 and NIST Special Publication 800-171) which have been described as a static solution to a dynamic problem.
A primary challenge identified with previous requirements has been that they permitted a plan of actions and milestones (POAM) as compliance without actually requiring closure of identified open items. Without ensuring that the plan was being actioned or independently reviewed, the concern has been that the security posture was not actually improving. This has been evident in several high-profile breaches where substantial defense-related information was lost and is assumed in many other unreported breaches. Overall, losses of $600 billion a year to our adversaries are being cited by government representatives.
Continuing its role in Supplier Performance Management, Verify has been approached by multiple organizations looking for guidance on how to update their supply chain compliance programs to include the CMMC. The assessment that follows is intended to gather information from multiple levels of the supply chain to aid in the preparation and implementation of these new requirements.
Verify, in collaboration with industry advocates at the Aerospace Industries Association (AIA) and the National Defense Industrial Association (NDIA), will be issuing an anonymized report on the supply chain’s responses which will incorporate our experience and observations. The completed report will include guidance to the government, the CMMC’s accreditation body, prime contractors looking to flowdown the new requirements, and to the suppliers which will need to achieve a level of certification within the cybersecurity maturity model.
Your participation is greatly appreciated!
in partnership with