DFARS 7012 and Supply Chain Cyber Risk Management

Day in and day out, U.S. companies are under cyber-attack by criminals, hacktivists, bored kids and nation-states. Nation-state sponsored actors, including those working for China and Russia, are known as Advanced Persistent Threat (APT) actors, and they have been extremely successful in compromising the networks of commercial organizations, particularly companies conducting work for the Department of Defense.

In fact, these attacks have been so pervasive and damaging that the DoD has mandated, via DFARS 252.204-7012, that contractors and subcontractors that process, store or transmit covered defense information implement the minimum security requirements described in NIST SP 800-171, Protecting Controlled Unclassified Information in Nonfederal Information Systems and Organizations. Implementing these controls greatly reduces the risk of a successful cyber-attack targeting a company's data, and they describe a valuable baseline for protecting any company network, no matter what type of work is being done.

What these controls do not do is protect against vulnerabilities in your supply chain. According to research published by the SANS Institute, up to 80% of breaches are the result of supply chain issues [1]. In response, DFARS 7012 requires that its cyber security requirements be flowed down to subcontractors, which, in principle, should result in every member of the Defense Industrial Base (DIB) having a secure network.

The unfortunate truth is that a significant number of DoD contractors have yet to realize they are subject to DFARS 7012. Even more significantly, many companies lack the experience, and believe they lack the resources, to implement the controls correctly. Without appropriate management, many companies in the supply chain will quite simply flounder when it comes to cyber security.

The larger defense contractors, including Lockheed Martin, Northrop Grumman, and Raytheon, have been very proactive in informing their supply chains of these obligations. These companies are also aggressive in assessing the risk originating from their supply chains, through questionnaires, requests to see System Security Plans (SSPs), and other surveys.

Many of our clients have been directed by their prime to complete surveys in Exostar, a supply chain management tool that "helps organizations assign, collect, score, and aggregate NIST SP 800-171 self-assessment questionnaires" [2]. This tool can be useful for managing the supply chain, provided analysts and resources are available to interpret and understand the risks posed by each supplier.

Once risk is understood, the obvious next step is to mitigate it. Unfortunately, questionnaires and surveys only identify risky suppliers; they rarely point to an obvious course of action for mitigation. If a company in your supply chain poses a significant risk, do you stop doing business with them? What if they are essential to your overall business? Are you willing to disrupt your supply chain?

Some large primes have dedicated resources for assisting companies in their supply chain with remediating vulnerabilities. These primes actively work with their subcontractors to shore up their defenses based on the prime's assessment and/or the supplier's Exostar responses. However, many companies are uncomfortable providing such detailed, sensitive information to their primary customer.

At the end of the day, every business should be concerned with the cyber risk posed by its supply chain, whether or not DoD is a customer. There are many options for assessing that risk, but fewer options for thoughtfully mitigating it. As a FedRAMP authorized assessor, Sera-Brynn conducts objective audits and assessments, and provides management of cyber risk through direct engagement with the supply chain. With each company, we develop tailored strategies and plans to holistically secure the network, resulting in improved security up the chain.

Talk to us today about how we assess, manage, and mitigate cyber risk.

[1] SANS Institute, Combatting Cyber Risks in the Supply Chain, https://www.sans.org/reading-room/whitepapers/analyst/combatting-cyber-risks-supply-chain-36252
[2] Exostar, NIST 800-171 Compliance, https://www.exostar.com/contract/nist800171/