Do you have adequate control of your Cyber Security supply chain and data classification?

A couple of weeks ago, one could read in the US press * that one report had identified dozens of Chinese subcontractors in the US DoD cyber security supply chain and action was requested immediately. Supply chain analysis, risk and reviews are finally on the agenda for many industries and companies. Cyber security requires both resources, routines and a continuous focus to reduce the risk of unwanted effects. New regulations as CMMC from US DoD will ensure that CyberSecurity hygiene is no longer a self assessment practise, it is rather an obligation with a third party auditor, if you even wish to deliver a bid.

As Tara Murphy Dougherty, a former DOD official and CEO of Govini (data analytics firm conducting the report) said in a press release: “With technology, there is a risk of malicious code or cyber loopholes being placed in DOD products that can slip through the authority to operate the process. It is a similar concern to Huawei’s presence in the U.S. commercial market, but with a greater impact since it directly involves national security.”

Are you excluding when you should be including?
Some might consider their supply chain or products as not affected by cyber security regulations, “We are not involved with IT, so it doesn’t apply for us” – a fearful mindset.
Considering how much data is needed to produce, for instance a printed circuit, focusing on data protection, access and storage is a pure necessity in our times. Having control over who can access your data, and what they can access is a basic step towards better data control. Too many files are sent back and forth in production or procurement processes, increasing the likelihood of a cyber security breach. Most companies do not have encrypted communication and how are your subcontractors protecting your data?

Incorrect data classification a potential hazard
The last export compliance meetings in Denmark and Sweden specifically focused on two aspects namely dual-use items and cloud based services.

“Companies are often not aware of the consequence of classifying a product as a dual-use item and this affects both their export approval process and their ability to deliver to other countries. Cloud based services for storage in respect to country, access control, documentation and compliance, is currently debated in all nordic countries on a legislative and export control level and NATO is working on its own standard. This standard is critical to ensure and allow NATO countries to share data and to develop a common defense capability, says Didrik Bech, CEO Elmatica.

Elmatica was the only foreign company represented, with our CEO Didrik Bech, at the launch of CMMC at Arlington Cemetery in US, 2019.
“As a trusted supplier in the Defence Industry, it’s a given for us to understand and take an active part in the implementation of this new regulation”, says Bech.
*https://www.fedscoop.com/dod-it-supply-chain-chinese-ownership/

Article