As cybercrime has escalated, cyber-aware organizations have concentrated their efforts on defending against cybercrime threats. With the primary target now presenting a more robust security posture, threat actors are increasingly turning to weaker links in the chain, most notably the supply chain.

What is the supply chain and why does cyber risk management matter?

Simply put, the supply chain is the process of transforming raw materials or components into finished goods or services delivered to consumers. This includes the organizations, people, technology, activities, information, and resources involved in any part of the process.

Today, in large part due to technological innovation, supply chains are quite complex, encompassing the interdependencies and connections between the organizations that manufacture or produce goods or products and their suppliers, distributors, and business partners.

While the interdependencies and connectivity of multiple organizations have many benefits, such as reduced costs, increased revenue, expanded opportunities, etc., the presence of multiple entities in the supply chain brings an inherent level of risk.

In some cases, the connectivity between a supplier and an organization can mean that when one party is compromised, the other may be compromised as well. In other cases, the supplier may hold some of the organization's sensitive data.

For many years it has been standard practice to include security commitments in agreements with suppliers and service providers. In recent years, the focus has shifted to requiring suppliers or service providers to demonstrate, through security questionnaires, that they have implemented the security practices that matter to the organization. However, despite that self-attestation, cyber risk remains a concern for many organizations, and the assessment of supply chain risk has become increasingly prominent.

It seemed inevitable that the audit and certification community would also turn its attention to the supply chain. For a long time there have been many options for assessing and reporting on the control environment and security in relationships with service providers. Those options, which include audits/certifications such as ISO/IEC 27001, HITRUST, NIST, and SOC 2, can also apply to suppliers. We will explore two newer audit and reporting options available to suppliers: SOC for Supply Chain and the Cybersecurity Maturity Model Certification introduced by the Department of Defense.

SOC for Supply Chain

In March 2020, the AICPA launched a new risk reporting framework, SOC for Supply Chain – Reporting on an Examination of Controls Relevant to Security, Availability, Processing Integrity, Confidentiality, or Privacy in a Production, Manufacturing, or Distribution System. This is the latest offering in the AICPA's System and Organization Controls (SOC) suite of services. (See more about SOC offerings here.) The new SOC for Supply Chain framework is designed to identify, assess, and address supply chain risks. Some examples include:

  • Products may be provided that do not meet defined product performance specifications.
  • Delivery and quality commitment requirements may not be met.
  • Production, manufacturing, or distribution commitment requirements may not be met.

Is there value in this report?

Absolutely! Any entity in the supply chain can benefit from the SOC for Supply Chain assessment. Companies that produce, manufacture, or distribute products, as well as their suppliers, can use the report to demonstrate how they have addressed risk in their environment. A SOC for Supply Chain report conveys useful information about a company's system, and the controls within that system, to customers, business partners, prospective customers, and prospective business partners.

In addition, LBMC recommends that organizations require their suppliers and business partners to obtain a SOC for Supply Chain report that they can review to understand the controls implemented by that organization.

Cybersecurity Maturity Model Certification (CMMC)

How the DoD is tackling cyber risk in its Supply Chain

The Cybersecurity Maturity Model Certification (CMMC) is an evolving certification program launched by the Department of Defense (DoD) in 2019. The DoD recognized that one of its primary drivers, protecting national interests, could be threatened by cybersecurity risk in the defense supply chain. While contractors, both primes and subcontractors, were required by contract to establish and attest to certain minimum security levels for the DoD, more robust security assessment and reporting had not been established.

According to the Office of the Under Secretary of Defense for Acquisition & Sustainment, the Cybersecurity Maturity Model Certification (CMMC) framework establishes a certification path based on the 110 security practices outlined in NIST SP 800-171.

CMMC requires that cybersecurity activities be institutionalized to ensure they are consistent, repeatable, and of high quality. The CMMC security practices provide a range of mitigation across the levels, starting with foundational safeguarding at Level 1, moving to the advanced protection of Controlled Unclassified Information (CUI) at Level 2, and culminating with expert-level safeguarding at Level 3, which introduces a subset of the NIST SP 800-172 requirements. The CMMC framework is coupled with a certification program to verify the implementation of processes and practices.

The Cyber Accreditation Body (Cyber-AB) is responsible for establishing the certification ecosystem, including implementing and overseeing how assessors evaluate conformance with the CMMC framework. Over the past few years the Cyber-AB has been working to accredit third-party assessment organizations, establish assessment procedures, and train and certify assessors.

The question on everyone's mind is: does my company have to be certified, and when can I get certified? The DoD published a new version of CMMC, labeled 2.0, in late 2021. The new version trims some requirements and simplifies the definition of the levels. The introduction of these changes will not be final until all federal-level rulemaking activities are complete. In the meantime, assessment organizations may be able to perform assessment activities in support of certification, but cannot yet formally certify clients.

The impact of the Cybersecurity Maturity Model Certification (CMMC) framework on U.S. Department of Defense (DoD) contractors, supply chains, solution providers, and system integrators.

Learn more here: OUSD A&S – Cybersecurity Maturity Model Certification (CMMC) (osd.mil)

LBMC can help your organization defend against the escalating threat of cybercrime in the supply chain. Contact us to learn more about SOC for Supply Chain reports or CMMC and get the conversation started!