
Supply Chain Security: CMMC, NIST 800-171, & NIST 800-161

See how CMMC, NIST 800-171, and NIST 800-161 can help contractors secure supply chains.

As cyberthreats grow more sophisticated and supply chains more interconnected, the U.S. Department of Defense (DoD) has intensified its focus on securing the U.S. Defense Industrial Base (DIB), the network of organizations that provides the DoD with defense-related products, services, and materials. Defense contractors are now expected not only to protect Controlled Unclassified Information (CUI) but also to manage risks across their supply chains, using the relevant National Institute of Standards and Technology (NIST) Special Publications (SP), such as NIST SP 800-171.

This dual responsibility is reflected in the alignment of the following:

Relationship Between NIST SP 800-171 & NIST SP 800-161

The Cybersecurity Maturity Model Certification (CMMC) framework mandates that contractors handling CUI (Level 2) implement the security controls outlined in NIST SP 800-171. This requirement effectively operationalizes NIST SP 800-171 across the defense supply chain, making flow-down to subcontractors a legal obligation.

NIST SP 800-171 identifies 14 control families and 110 security controls. Among the 14 control families is Supply Chain Risk Management (SCRM), which requires, among other things, that a contractor handling CUI maintain an SCRM plan, and which references NIST SP 800-161 as guidance.

Because NIST SP 800-171 links to NIST SP 800-161 through this reference, NIST SP 800-161 is increasingly recommended by cyber leaders as a best practice for defense contractors that want to strengthen their cybersecurity posture with a strategic framework for Cybersecurity SCRM (C-SCRM).

What Is NIST SP 800-161?

NIST SP 800-161 extends the security perimeter to third-party vendors, suppliers, and service providers. By focusing on security, reliability, safety, quality, integrity, and resilience, NIST SP 800-161 can help organizations build a strong defense against supply chain attacks so they can prevent supply chain disruptions from occurring and recover more quickly if they do occur:

  • Security: Protecting systems and data from unauthorized access or manipulation
  • Reliability: Keeping consistent performance of components and services
  • Safety: Preventing harm caused by faulty or compromised supply chain elements
  • Quality: Maintaining standards in the products and services acquired
  • Integrity: Confirming authenticity and trustworthiness of supply chain inputs
  • Resilience: Building systems that can withstand and recover from supply chain attacks

We are finding that NIST SP 800-161 is being referenced in DoD contracts more often, especially in contracts involving critical technologies, mission assurance, or compliance with Executive Order 14028, “Improving the Nation’s Cybersecurity.”

Five Key Steps in Building a C-SCRM Strategy

Whether required by NIST SP 800-171 control requirements, contract requirements, or adopted voluntarily, implementing a C-SCRM strategy in line with NIST SP 800-161 can help contractors manage third-party risks and demonstrate an advanced proficiency in supply chain security. Key components in creating a solid C-SCRM road map include:

  1. Policy Development
    • Create formal C-SCRM policies that reflect an organization’s risk tolerance.
    • Define roles and responsibilities across procurement, IT, and compliance teams.
  2. Supplier Assessments
    • Conduct risk-based evaluations of suppliers based on criticality and exposure.
    • Use questionnaires, audits, and certifications to gauge cybersecurity readiness.
  3. Information & Communications Technology (ICT) Component Transparency Requirements
    • Require software bills of materials (SBOMs) from vendors to track software origins, dependencies, and known vulnerabilities.
    • Request hardware component inventories to document physical parts, manufacturers, and sourcing details.
    • Collect firmware transparency reports to monitor versioning, update history, and security posture.
    • Map service supply chains to identify third-party providers (e.g., cloud, logistics, maintenance) and assess their cybersecurity practices.

These elements can collectively support visibility, traceability, and risk management across the full scope of ICT resources and extend beyond software.

  4. Acquisition Strategies
    • Embed cybersecurity criteria into requests for proposal (RFPs) and contracts.
    • Prioritize vendors with robust security practices and certifications.
  5. Continuous Monitoring & Threat Intelligence
    • Monitor supplier performance and threat indicators.
    • Utilize threat intelligence feeds to help detect emerging risks in the supply chain.
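The SBOM transparency requirement in step 3 and the continuous monitoring in step 5 can be combined into a simple intake check: parse each vendor SBOM, flag components whose origin cannot be traced, and cross-reference the rest against an internal advisory list. The following is an added example, not code from the article or from Forvis Mazars; it assumes a CycloneDX-style JSON SBOM and a constructed advisory list keyed by package URL (purl) with placeholder identifiers in place of real advisory numbers.

```python
import json

# Constructed sample: a minimal CycloneDX-style SBOM as a vendor might deliver it.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "libfoo", "version": "1.2.3",
         "purl": "pkg:generic/libfoo@1.2.3", "supplier": {"name": "Foo Inc"}},
        {"type": "library", "name": "barparse", "version": "0.9.0",
         "purl": "pkg:pypi/barparse@0.9.0", "supplier": {"name": "Bar LLC"}},
        # Component with no purl and no supplier: origin cannot be traced.
        {"type": "library", "name": "mysterylib", "version": "2.0"},
    ],
})

# Constructed internal advisory list keyed by purl (placeholder ids, not real CVEs).
KNOWN_VULNERABLE = {
    "pkg:pypi/barparse@0.9.0": "ADVISORY-PLACEHOLDER-001",
}


def load_components(sbom_json):
    """Parse the SBOM and return its component list, rejecting unknown formats."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("expected a CycloneDX SBOM")
    return doc.get("components", [])


def assess_sbom(sbom_json, advisories):
    """Return one finding per component: provenance gaps and known vulnerabilities."""
    findings = []
    for comp in load_components(sbom_json):
        name = f"{comp.get('name')}@{comp.get('version')}"
        purl = comp.get("purl")
        issues = []
        if not purl:
            issues.append("no purl: origin cannot be traced")
        if not comp.get("supplier", {}).get("name"):
            issues.append("no supplier recorded")
        if purl in advisories:
            issues.append(f"known vulnerable: {advisories[purl]}")
        findings.append({"component": name, "issues": issues})
    return findings


def needs_review(findings):
    """Names of components that should go back to the supplier or to risk review."""
    return [f["component"] for f in findings if f["issues"]]
```

Re-running `assess_sbom` whenever the advisory list changes turns a one-time SBOM intake into the ongoing monitoring step 5 describes.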

How Forvis Mazars Can Help

As the DoD sharpens its focus on supply chain security, defense contractors must evolve beyond internal compliance to embrace enterprise-wide risk management. If you need assistance in crafting your C-SCRM plan, looking into your suppliers in more depth, and operationalizing compliance across your ecosystem, we’re here to help.

As one of the first Authorized CMMC Third-Party Assessor Organizations (C3PAOs) with the CMMC Accreditation Body, Forvis Mazars has the experience you need and can provide NIST SP 800-171, NIST SP 800-161, and cybersecurity program readiness consulting to help you prepare for what’s next. If you have any questions or need assistance, please reach out to a professional at Forvis Mazars.
