Executive orders are having a moment as President Biden launched his term with a flurry of signings, many of which reversed orders signed by President Trump. Among the orders caught up in the transition is one affecting the nation’s power grid cybersecurity.
In May 2020, Trump issued Executive Order 13920 with the intent of reducing U.S. reliance on foreign components for critical infrastructure, specifically in the Bulk Power System (BPS). Details on its implementation came out in December 2020, and then Biden suspended Trump’s order in February 2021, pending further review.
Regardless of how it all shakes out, the public utility world and its supply chain should take note. The electrical supply chain will see changes from the executive orders and a recent compliance update that strengthens security requirements throughout the electrical supply chain.
This blog provides an overview of where things stand.
The power grid plays an obvious role in national security. In its document summarizing Trump’s executive order, the Department of Energy (DOE) reports that “in 2018 alone, cyberattacks on supply chains increased by 78%, which is the most likely vector for adversaries targeting the grid.”
Multiple government organizations have been sounding the alarm for some time about the threat foreign adversaries pose to the United States through highly advanced cyber programs. (The Office of the Director of National Intelligence and the National Computer Security Center are among those who have voiced their concerns.) In late 2020, revelations that Russia had widely compromised United States government systems provided shocking confirmation of the threat’s reality.
Trump’s executive order addressed the fact that importing foreign components into our BPS could open a backdoor to substations, control rooms, and power generating facilities. Hackers may, for example, insert malware directly into electronic devices before they are installed. They could gain control of such a device and potentially find a pathway into the larger grid that goes unnoticed until the damage is done. In a report explaining Trump’s executive order, the DOE points to a 2015 attack in which hackers broke into the control systems for 30 Ukrainian substations.
The real-world impact of Trump’s executive order became clearer in December 2020 when the Secretary of Energy (who was given authority to implement EO 13920) issued a “Prohibition Order Securing Critical Defense Facilities,” effective January 16, 2021. Biden’s suspension of the order puts many aspects of the implementation—and the future of Trump’s order as a whole—in doubt.
As of this writing in mid-February 2021, here’s what we know about the implications for anyone working within the BPS:
As you determine how these actions impact your business, Pratum can help. Contact us to learn about how we can identify the risks in your supply chain and manage the costs of additional security measures.
With its new Cybersecurity Maturity Model Certification (CMMC) standard, the Department of Defense is getting serious about protecting the supply chain that protects the nation. The CMMC’s enhanced security requirements will require an estimated 300,000 companies to earn third-party certification of their security posture. By 2025, every DoD contract will require vendors to meet some level of CMMC compliance. And true to its governmental nature, CMMC presents a dizzying labyrinth of acronyms, levels and due dates.
To help companies understand how CMMC affects them, we talked with Pratum Senior Information Security Consultant Ben Hall, who recently completed coursework to be a Registered Practitioner with the CMMC Accreditation Body (CMMC-AB). That makes him one of the nation’s first wave of private contractors trained to help companies prepare for their CMMC audits. We asked Ben for some real-world advice on how to implement CMMC efficiently.
“This is a test you definitely want to pass on the first try for your desired or required maturity level. You’re going to invest significant time and money preparing for your assessment, and failing your assessment means you won’t get the contract.”
Ben Hall, Pratum CMMC Registered Practitioner
If you produce something in a supply chain that ends with a product delivered to the DoD, you’ll probably need to get CMMC-certified at some point in the next four years. And you can’t just declare yourself secure. It’s a significant process that ends in assessment by a certified third party. If you don’t do this, any company that ultimately serves the DoD will have to stop using you as a vendor. For more details, I recommend taking a couple of minutes to read the FAQs Pratum recently posted. This roadmap provided by the CMMC-AB also offers a great, quick summary.
Probably. Prime contractors must ensure their subcontractors are certified at the required CMMC level prior to awarding subcontracts. The only exceptions are companies that solely provide commercial off-the-shelf products (COTS, as the government calls it). Items meet the COTS criteria if they are mass-produced, rather than customized for government use. But to be honest, if you’re unwilling to take the security steps required to meet even Level 1 of CMMC, many larger companies won’t feel safe doing business with you anyway.
I’m trained to help organizations prepare for the CMMC certification process, which is a test you definitely want to pass on the first try for your desired or required maturity level. You’re going to invest significant time and money preparing for your assessment, and failing your assessment means you won’t get the contract. During my coursework administered by the CMMC-AB, I learned all the details of how CMMC works. So I can help companies understand exactly which level they’ll need to reach, identify where they’re currently falling short of the requirements and make a plan to get everything ready in time.
CMMC rules require that you have two different people handle the prep process and the actual assessment. The CMMC-AB’s official assessors are known as Certified Assessors (CAs) who work for Certified Third-Party Assessing Organizations (C3PAOs). One person can be both a Registered Practitioner (who handles the prep process) and a Certified Assessor (who does the assessment). But I’ll be focusing on preparing clients for review by a Certified Assessor.
Correct. That’s actually one of the driving forces behind CMMC. Under the DoD’s Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, companies could do a self-attestation of their security posture and submit their score. CMMC requires you to get a third-party evaluation.
Probably. Most industry watchers expect CMMC or something very similar to it to become the standard for all federal procurement.
Unfortunately, you don’t get a grace period. This is a pass/fail situation. If the DoD puts a required CMMC level in a contract, it will only award the contract to a vendor who has that certification done at the time the contract is awarded. While many previous government standards allowed you to fix shortcomings through a Plan of Action and Milestones (POAM), CMMC doesn’t allow for POAMs.
A handful of prime contracts have already been issued with CMMC requirements. The DoD will continue to gradually require CMMC compliance in a rollout stretching from 2021 to 2026. Right now, it looks like about 15 new prime contracts will include CMMC in 2021.
Based on the kind of information you use in the course of doing business, you should be able to determine which of the five CMMC levels you’ll need to achieve. Then you can review the requirements for your level and start figuring out what you’ll need to do to achieve certification.
The DoD has laid the groundwork for grants that will help small and medium-size businesses pay some of the CMMC costs. The National Defense Authorization Act for 2021 includes a section authorizing the secretary of defense to allocate funds to the MEP Centers mentioned below so they can help businesses get their certifications. Talk with the MEP Center in your state to get the details on what’s available and how you can apply.
Advisors at your local PTAC (see below) can also help you determine how much of your CMMC process you might be able to build into contracts as an allowed expense.
That's what I'm here to do! A cybersecurity consultant like Pratum will help with a gap analysis and a plan to get you ready in time for the contracts that apply to you. Check out our CMMC consulting page or get in touch with us.
You also can get advice from governmental bodies tasked with helping manufacturers and other companies navigate the government procurement process. Each state has a Manufacturing Extension Partnership Center that can help you with CMMC. You can look up yours at https://www.nist.gov/mep/centers. You can also work with one of about 300 Procurement Technical Assistance Centers nationwide. You can find a nearby PTAC at https://www.aptac-us.org/.
The traditional term “supply chain” hardly captures how modern companies—even small ones—interact with customers and suppliers. “Supply ecosystem” more accurately describes how sensitive information flows in all directions among companies that depend heavily on each other in daily operations. And just like an oil spill at sea, a data breach anywhere in a business’ ecosystem can quickly cascade through other organizations, shutting down operations and creating significant costs.
That means businesses must take an active interest not only in their own information security posture but in the security of companies they rely on. Most companies now face outside data security concerns from three directions:
Because of all this interdependency, companies increasingly demand that suppliers and partners provide actual proof that they maintain an acceptable security posture. The days of simply declaring that you have things under control are quickly fading. Today, responsible companies require at least completion of a very detailed questionnaire specific to their concerns. And frequently, proving your security position means earning an independent, standardized certification such as SOC 2®.
Pushing back against the verification requirements of major companies and government entities may cost you the contract. “You may be providing toilet paper, and someone’s asking you to fill out a cybersecurity questionnaire,” says Pratum Founder and CEO Dave Nelson. “If you don’t, I guarantee there’s someone out there who will do it and take that contract.”
Rather than fighting it, we recommend leaning into the requirements and turning them into a business advantage. Many Pratum clients have leaped ahead of their competitors by staking a position as early adopters of key security standards. In this case study, one marketing company attributes 33% of their current customer portfolio to an advanced security mindset that helps them get more RFPs and win more deals.
Attention in this area currently focuses heavily on the new CMMC standard that the Department of Defense is applying to every vendor in its supply chain. More than 300,000 companies will need to get certified at one of CMMC’s five levels, depending on the information they access in the course of executing their contract.
Evolving breach notification laws also drive much of the urgency around securing supply chains. Under these laws (which vary greatly by state), companies face potentially costly legal requirements to notify customers if hackers access sensitive information held by the company. Some organizations are pushing their suppliers to shore up their security as protection against inadvertent leaks of sensitive information when it travels to other companies.
As you consider how to secure your supply chain, consider these potential risks:
A first step in securing your supply chain is identifying your critical vendors (and recognizing when you ARE one for your customers). A critical vendor typically:
As you begin planning your vendor management approach, consider the following steps:
– Require vendors to fill out a cybersecurity questionnaire and a management attestation of their security posture.
– Require third-party attestation audits such as ISO 27001, SOC 2 or CMMC.
– Require external audits by your team or a selected third-party auditor.