
Third-party Risk Management: Assessing Your Supply Chain


No organization is an island. These days, even the biggest DoD contractors rely on third-party organizations such as subcontractors and external service providers. There are definite advantages to using third parties. It can be more efficient and cost-effective to have a third party perform functions that are critical to your business but are not your core focus. Each third party brings its own expertise to the table, keeping your supply chain running smoothly and allowing your business to focus on its own areas of expertise. 

But using third parties also brings risks, especially when those third parties handle CUI, FCI, or other sensitive data. You’ve heard the saying that a chain is only as strong as its weakest link. Your supply chain is no different, and the more links it contains, the greater the potential for attacks and breaches—thus the need for third-party risk management (TPRM). 

TPRM Imperatives 

TPRM is vital for many reasons. Working with a third party effectively extends the reach of your organization, giving cybercriminals a greater scope for attack. And the consequences of an attack can be devastating, including heavy damage to your finances, reputation, and regulatory standing as well as endangerment of our national security. By reducing your risk of cyberattack, you reduce the cost of remediation efforts and inspire confidence in your clients and business partners. Your enhanced security posture also enhances your regulatory compliance posture. Finally, a critical reason for engaging in TPRM is that CMMC requires it.

TPRM isn’t exclusive to CMMC, but—as with many other regulatory frameworks—managing third-party risk is essential to CMMC compliance. CMMC requirements flow down through the supply chain from prime contractors to subcontractors at every level. Third-party service providers that are not engaged under a specific federal contract but handle government data are also part of the supply chain and thus subject to CMMC regulation. Therefore, if you have a subcontractor or other third-party provider that handles CUI or FCI for you, that organization must be CMMC-certified at the level appropriate to the data it handles. Excepted from this requirement are cloud service providers (CSPs), which instead must meet FedRAMP Moderate standards or higher but are not required to obtain CMMC certification. In any case, it is your responsibility as the overseeing contractor to ensure that all contracted third-party providers meet the necessary regulatory requirements—not just once, but on an ongoing basis.

TPRM Strategies 

With that imperative in mind, there are proven strategies you can use to evaluate and manage the cybersecurity risks associated with third-party vendors and subcontractors. 

  • Due diligence and vendor risk assessment: Before engaging any subcontractor or third-party provider, it is vital to thoroughly assess their cybersecurity posture and compliance status. One useful tool for this purpose is a cybersecurity questionnaire. A certified cybersecurity organization, such as CyberNINES, which is a C3PAO, can help you develop a questionnaire to meet your needs. C3PAOs can also audit vendors to identify and mitigate gaps in security requirements. If the vendor is required to be CMMC-certified or FedRAMP-authorized, you must carefully review the pertinent documentation to verify that all is in order. 
  • Contract requirements: Third-party contracts should spell out all security requirements and expectations, including flowdowns of CMMC certification requirements, access controls ensuring the vendor only has access to the systems and data needed for their work, and clearly defined procedures for incident notification and response. 
  • Continuous monitoring: Establish a monitoring program to track each vendor’s security practices and access to your systems. You can leverage automation, such as security information and event management (SIEM) tools, for this purpose. You should also periodically reassess each vendor’s risks, especially if they have made changes to their systems or services. For high-risk vendors—those that handle the most sensitive data—you might consider periodic third-party audits. 
  • Communication, training, and awareness: Make sure your vendors understand CMMC best practices and their responsibility to protect sensitive government data. Establish clear processes for sharing information with your vendors regarding security best practices and emerging threats, as well as procedures for communicating and mitigating incidents. Include vendors in your cybersecurity awareness communications and training programs. For example, you might invite representatives from your third-party providers to participate in threat simulation exercises. 
  • Documentation: Maintain a comprehensive inventory of all third-party relationships, including the services they provide, the types of data they access, and their risk assessments and mitigation strategies. This documentation should be available for use in CMMC audits. 
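The flow-down rules above (CMMC certification at the level matching the data a subcontractor or service provider handles, FedRAMP Moderate or higher for CSPs, periodic reassessment, and a complete inventory record) can be checked mechanically against the vendor inventory. The following script is an added example, not code from the original post or from CyberNINES. The inventory records, the reassessment cadence by risk tier, and the data-type-to-CMMC-level mapping are constructed assumptions for illustration; confirm the level mapping against the flow-down clause in your own contract.

```python
"""Added example: review a third-party inventory against the flow-down rules
described in the post. All vendor records, cadences and level mappings below
are constructed for illustration, not taken from any real program."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# FedRAMP impact levels in increasing order; CSPs handling government data
# must reach "Moderate" or higher.
FEDRAMP_RANK = {"Low": 1, "Moderate": 2, "High": 3}

# Assumed minimum CMMC level per data type (CMMC 2.0: FCI -> Level 1, CUI -> Level 2).
# Some contracts require Level 3 for certain CUI; confirm against your contract.
MIN_CMMC_LEVEL = {"FCI": 1, "CUI": 2}

# Assumed reassessment cadence by risk tier, in days; adjust to your program.
REASSESS_DAYS = {"high": 180, "medium": 365, "low": 730}


@dataclass
class Vendor:
    name: str
    kind: str                          # "subcontractor", "service_provider" or "csp"
    data_handled: frozenset            # subset of {"FCI", "CUI"}
    risk_tier: str                     # "high", "medium" or "low"
    last_assessed: date
    cmmc_level: Optional[int] = None   # highest CMMC level certified, if any
    fedramp_level: Optional[str] = None  # "Low", "Moderate", "High" or None
    services: tuple = ()               # services provided, per the inventory


def required_cmmc_level(data_handled):
    """Highest CMMC level implied by the data types a vendor handles (0 if none)."""
    return max((MIN_CMMC_LEVEL[d] for d in data_handled), default=0)


def findings_for(vendor, today):
    """Return a list of human-readable gaps for one vendor record."""
    findings = []
    needed = required_cmmc_level(vendor.data_handled)
    if vendor.kind == "csp":
        # CSPs are excepted from CMMC certification but must meet FedRAMP Moderate+.
        if needed and FEDRAMP_RANK.get(vendor.fedramp_level, 0) < FEDRAMP_RANK["Moderate"]:
            findings.append(
                f"CSP handling government data lacks FedRAMP Moderate or higher "
                f"(has {vendor.fedramp_level})"
            )
    elif needed and (vendor.cmmc_level or 0) < needed:
        findings.append(f"requires CMMC Level {needed} but holds {vendor.cmmc_level or 'none'}")
    # Periodic reassessment: due date depends on the vendor's risk tier.
    due = vendor.last_assessed + timedelta(days=REASSESS_DAYS[vendor.risk_tier])
    if today > due:
        findings.append(f"risk reassessment overdue since {due.isoformat()}")
    # Documentation completeness: every record should list the services provided.
    if not vendor.services:
        findings.append("inventory record lists no services (incomplete documentation)")
    return findings


def review_inventory(vendors, today):
    """Map each vendor name to its list of findings (empty list means no gaps found)."""
    return {v.name: findings_for(v, today) for v in vendors}


# Constructed sample inventory and review date (not real vendors).
AS_OF = date(2024, 9, 1)
SAMPLE_INVENTORY = [
    Vendor("Acme Machining", "subcontractor", frozenset({"CUI"}), "high",
           date(2024, 1, 15), cmmc_level=2, services=("precision parts",)),
    Vendor("Bolt Logistics", "subcontractor", frozenset({"FCI"}), "low",
           date(2024, 3, 1), cmmc_level=None, services=("shipping",)),
    Vendor("CloudVault", "csp", frozenset({"CUI"}), "high",
           date(2024, 6, 1), fedramp_level="Low", services=("file storage",)),
    Vendor("HelpDesk Co", "service_provider", frozenset(), "medium",
           date(2023, 1, 1), services=()),
]

if __name__ == "__main__":
    for name, issues in review_inventory(SAMPLE_INVENTORY, AS_OF).items():
        print(name, "OK" if not issues else issues)
```

Running the script prints one line per vendor: the CUI subcontractor is certified at the right level but is overdue for its high-tier reassessment, the FCI subcontractor holds no certification, the CSP is below FedRAMP Moderate, and the service provider with no listed services has an incomplete record. Feed it your real inventory (for instance, loaded from a spreadsheet export) and review the findings before each CMMC audit.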

CyberNINES can help you build your TPRM program! Contact us at this link for more information on how you can manage your third-party risk.
