You Can Benefit from the CMMC Even If You Aren’t a Defense Contractor

If you are a defense contractor, you are already familiar with the Cybersecurity Maturity Model Certification (CMMC). Introduced in 2020, it was updated to v2.0 this year and seems to be moving in a positive direction. The problem with certification programs is that everyone wants to have their own. The existing one(s) are pretty close to what is needed, but we can't seem to accept an existing framework when it is possible to create a new one, so here is one more.

Although directly targeted at defense contractors, the CMMC is a useful template for your own supply chain certification program. It considers relative risk and assigns an increasingly stringent set of controls and evidence requirements accordingly (reduced to three levels in the latest version, down from five in v1.0). Surprisingly practical and understandable for a government program!

Does your cyber security certification program offer similar flexibility, or do you have one monolithic questionnaire for all potential vendors? How do you assess the risks? And most importantly, how often do you reassess them? The point of supply chain risk management is not to exclude risky potential vendors, but to match risks to the organization's risk appetite. The latest AI vendor probably doesn't have a strong track record of success or enough certifications to satisfy your auditors, but they may have a solution that gives you a valuable competitive advantage. Your supply chain processes need to identify the risks and ensure they are raised to the appropriate risk owners, who are in a position to make risk/reward decisions. Small risks deserve a straightforward process so that it isn't punitive and doesn't burden the security and vendor management teams unnecessarily. Large risks should get all the attention you can afford. Make sure your processes can accommodate those differences, as the CMMC is attempting to do.

https://www.infosecurity-magazine.com/news/dod-cybersecurity-standards
