Cyber Security in Your Supply Chain

Starting in January 2020, the Department of Defense will roll out a new process for assessing the cyber hygiene of prime contractors. The assessment will be conducted using a new Cybersecurity Maturity Model Certification (CMMC) framework.

It is anticipated that this requirement will also be flowed down to all sub-tier contractors to make sure the same protocol is applied to the entire supply chain and there are no cybersecurity gaps.

All prime contractors have detailed knowledge of their first-tier suppliers, but most have little familiarity with their sub-tiers. In order to eliminate gaps in cybersecurity, the entire supply chain must be identified down to the detail level. This is a daunting task for programs like the Joint Strike Fighter (F-35), which has three variants, parts manufactured in nine different countries, and thousands of suppliers at all tiers of the supply chain.

Additionally, it is challenging for prime contractors to monitor their sub-tiers, particularly when sub-contractors are replaced and parts start being manufactured at a new location without any notification to the prime contractor.

As the CMMC is flowed down to all levels of the supply chain, an up-to-date and accurate supply chain map becomes necessary to ensure cybersecurity compliance. Such a map can be built using the well-established First Article Inspection (FAI) process as defined by AS9100 requirements (AS/EN 9102). This standard requires all part and assembly specifications to be documented down to a detail level. For assemblies, an "Index of part numbers or sub-assembly numbers required to make the assembly" must be provided on Form 1 of the FAI report.

Net-Inspect has perfected this process with its paperless system, which is capable of linking details together into progressively complex assemblies. Using Net-Inspect's proprietary technology, this system creates a complete map of every part and assembly, along with the name and geographic location of their manufacturer.

This allows a simple assessment form to be sent electronically to every company in the supply chain, providing real-time status on their cyber hygiene. This assessment can be conducted on a regular basis to ensure that suppliers at every tier continue to maintain, and even improve their cybersecurity stature as measured by the CMMC.