Pratum Blog

New Rules to Protect Critical Infrastructure

Executive orders are having a moment as President Biden launched his term with a flurry of signings, many of which reversed orders signed by President Trump. Among the orders caught up in the transition is one affecting the nation’s power grid cybersecurity.

In May 2020, Trump issued Executive Order 13920 with the intent of reducing U.S. reliance on foreign components for critical infrastructure, specifically in the Bulk Power System (BPS). Details on its implementation came out in December 2020, and then Biden suspended Trump’s order in February 2021, pending further review.

Regardless of how it all shakes out, the public utility world and its supply chain should take note. The electrical supply chain will see changes from the executive orders and a recent compliance update that strengthens security requirements throughout the electrical supply chain.

This blog provides an overview of where things stand.

Threats to the Power Grid

The power grid plays an obvious role in national security. In its document summarizing Trump’s executive order, the Department of Energy (DOE) reports that “in 2018 alone, cyberattacks on supply chains increased by 78%, which is the most likely vector for adversaries targeting the grid.”

Multiple government organizations have been sounding the alarm for some time about the threat foreign adversaries pose to the United States through highly advanced cyber programs. (The Office of the Director of National Intelligence and the National Computer Security Center are among those who have voiced their concerns.) In late 2020, revelations that Russia had widely compromised United States government systems provided shocking confirmation of the threat’s reality.

Trump’s executive order addressed the fact that importing foreign components into our BPS could open a backdoor to substations, control rooms, and power generating facilities. Hackers may, for example, insert malware directly into electronic devices. They could get control of that system and potentially find a pathway into the larger grid that goes unnoticed until the damage is done. In a report explaining Trump’s executive order, the DOE points to a 2015 attack in which hackers broke into the control systems for 30 Ukrainian substations.

Implications for Power Industry Organizations

The real-world impact of Trump’s executive order became clearer in December 2020 when the Secretary of Energy (who was given authority to implement EO 13920) issued a “Prohibition Order Securing Critical Defense Facilities,” effective January 16, 2021. Biden’s suspension of the order puts many aspects of the implementation—and the future of Trump’s order as a whole—in doubt.

As of this writing in mid-February 2021, here’s what we know about the implications for anyone working within the BPS:

  • The original executive order cited potential adversaries including China, Russia, North Korea, Venezuela, Cuba and Iran. However, the Secretary of Energy’s prohibition order involved only China. In the short term, this limits the scope of components that BPS companies will have to replace or procure from other sources.
  • Biden’s suspension of EO 13920 for 90 days (that order is tucked into this larger order on climate change) means Trump’s order may never be implemented as written. But during the suspension, the DOE is asking companies to exercise caution via this language, “The Department expects that, during this 90-day review period, Responsible Utilities will refrain from installation of bulk-power system electric equipment or programmable components specified in Attachment 1 of the Prohibition Order that is subject to foreign adversaries’ ownership, control, or influence, and that Responsible Utilities will continue to work with the Department on identifying and mitigating supply chain vulnerabilities.”
  • If the DOE implements Trump’s executive order, it will probably use a phased approach in order to minimize supply chain disruptions and make compliance easier. For now, the prohibition order affects only the nation’s most essential utilities—those that supply critical defense facilities (CDF). This means that those who service CDFs with voltage of 69 kV or above are banned from acquiring, importing, transferring, or installing BPS electric equipment made in China. It includes the “point of electrical interconnection with the CDF up to and including the next ‘upstream’ transmission substation.” In the months to come, companies can expect to see additional phases rolled out and a greater impact on the overall BPS.
  • Even with the limited scope described in the prohibition order, there will surely be cost increases and procurement delays this year as companies adjust to the order.
  • The Secretary of Energy will create a “prequalified” list of vendors that are authorized as safe for future transactions.
  • The DOE and other agencies will collaborate to monitor any vendor and/or equipment that has posed risks to U.S. national security and will take the appropriate actions (such as replacement) to eliminate any threats.
  • The Secretary of Energy will establish a task force that coordinates the Federal Government with private entities in the power and energy infrastructure to manage risk and implementation of the order.

As you determine how these actions impact your business, Pratum can help. Contact us to learn about how we can identify the risks in your supply chain and manage the costs of additional security measures.


With its new Cybersecurity Maturity Model Certification (CMMC) standard, the Department of Defense is getting serious about protecting the supply chain that protects the nation. The CMMC’s enhanced security requirements will require an estimated 300,000 companies to earn third-party certification of their security posture. By 2025, every DoD contract will require vendors to meet some level of CMMC compliance. And true to its governmental nature, CMMC presents a dizzying labyrinth of acronyms, levels and due dates.

To help companies understand how CMMC affects them, we talked with Pratum Senior Information Security Consultant Ben Hall, who recently completed coursework to be a Registered Practitioner with the CMMC Accreditation Body (CMMC-AB). That makes him one of the nation’s first wave of private contractors trained to help companies prepare for their CMMC audits. We asked Ben for some real-world advice on how to implement CMMC efficiently.

Answers to CMMC Certification Questions


Q:

Tell me in 30 seconds what I need to know about CMMC.

A:

If you produce something in a supply chain that ends with a product delivered to the DoD, you’ll probably need to get CMMC-certified at some point in the next four years. And you can’t just declare yourself secure. It’s a significant process that ends in assessment by a certified third party. If you don’t do this, any company that ultimately serves the DoD will have to stop using you as a vendor. For more details, I recommend taking a couple of minutes to read the FAQs Pratum recently posted. This roadmap provided by the CMMC-AB also offers a great, quick summary.


Q:

If I’m not a prime contractor to the DoD, do I still need to worry about this?

A:

Probably. Prime contractors must ensure their subcontractors are certified at the required CMMC level prior to awarding subcontracts. The only exceptions are companies that solely provide commercial off-the-shelf products (COTS, as the government calls it). Items meet the COTS criteria if they are mass-produced, rather than customized for government use. But to be honest, if you’re unwilling to take the security steps required to meet even Level 1 of CMMC, many larger companies won’t feel safe doing business with you anyway.


Q:

What does it mean that you just became a Registered Practitioner for CMMC?

A:

I’m trained to help organizations prepare for the CMMC certification process, which is a test you definitely want to pass on the first try for your desired or required maturity level. You’re going to invest significant time and money preparing for your assessment, and failing your assessment means you won’t get the contract. During my coursework administered by the CMMC-AB, I learned all the details of how CMMC works. So I can help companies understand exactly which level they’ll need to reach, identify where they’re currently falling short of the requirements and make a plan to get everything ready in time.


Q:

Can you personally certify a company as CMMC-compliant?

A:

CMMC rules require that you have two different people handle the prep process and the actual assessment. The CMMC-AB’s official assessors are known as Certified Assessors (CA) who work for Certified Third-Party Assessing Organizations (C3PAOs). One person can be both a Registered Practitioner (who handles the prep process) and a Certified Assessor (who does the assessment). But I’ll be focusing on preparing clients for review by a Certified Assessor.


Q:

So just to be clear: I can’t do a self-assessment anymore?

A:

Correct. That’s actually one of the driving forces behind CMMC. Under the DoD’s Defense Federal Acquisition Regulation Supplement (DFARS) 252.204-7012, companies could do a self-attestation of their security posture and submit their score. CMMC requires you to get a third-party evaluation.


Q:

Is something like this going to be applied to government contracts beyond the DoD?

A:

Probably. Most industry watchers expect CMMC or something very similar to it to become the standard for all federal procurement.


Q:

How long will I have to make changes if I barely miss the grade on my assessment?

A:

Unfortunately, you don’t get a grace period. This is a pass/fail situation. If the DoD puts a required CMMC level in a contract, it will only award the contract to a vendor who has that certification done at the time the contract is awarded. While many previous government standards allowed you to fix shortcomings through a Plan of Actions and Milestones (POAM), CMMC doesn’t allow for POAMs.


Q:

Got it: I need to plan ahead. How soon do I need to worry about this showing up in RFPs and contracts?

A:

A handful of prime contracts have already been issued with CMMC requirements. The DoD will continue to gradually require CMMC compliance in a rollout stretching from 2021 to 2026. Right now, it looks like about 15 new prime contracts will include CMMC in 2021.


Q:

Where should I start my preparation?

A:

Based on the kind of information you use in the course of doing business, you should be able to determine which of the five CMMC levels you’ll need to achieve. Then you can review the requirements for your level and start figuring out what you’ll need to do to achieve certification.

CMMC Levels

Q:

Can I get the government to help pay for any of this new process?

A:

The DoD has laid the groundwork for grants that will help small and medium-size businesses pay some of the CMMC costs. The National Defense Authorization Act for 2021 includes a section authorizing the secretary of defense to allocate funds to the MEP Centers mentioned below so they can help businesses get their certifications. Talk with the MEP Center in your state to get the details on what’s available and how you can apply.

Advisors at your local PTAC (see below) can also help you determine how much of your CMMC process you might be able to build into contracts as an allowed expense.


Q:

Where can I get help with all this?

A:

That's what I'm here to do! A cybersecurity consultant like Pratum will help with a gap analysis and a plan to get you ready in time for the contracts that apply to you. Check out our CMMC consulting page or get in touch with us.

You also can get advice from governmental bodies tasked with helping manufacturers and other companies navigate the government procurement process. Each state has a Manufacturing Extension Partnership Center that can help you with CMMC. You can look up yours at https://www.nist.gov/mep/centers. You can also work with one of about 300 Procurement Technical Assistance Centers nationwide. You can find a nearby PTAC at https://www.aptac-us.org/.


The traditional term “supply chain” hardly captures how modern companies—even small ones—interact with customers and suppliers. “Supply ecosystem” more accurately describes how sensitive information flows in all directions among companies that depend heavily on each other in daily operations. And just like an oil spill at sea, a data breach anywhere in a business’ ecosystem can quickly cascade through other organizations, shutting down operations and creating significant costs.

That means businesses must take an active interest not only in their own information security posture but in the security of companies they rely on. Most companies now face outside data security concerns from three directions:

  • Confirming that your partners handle shared data properly. (Think of scenarios where you share engineering drawings, customer profiles, logistics information, records of billable hours, etc.)
  • Verifying that your suppliers are secure enough to reliably service your company.
  • Proving to your customers that they can trust your security and reliability.

Many Contracts Depend on Security

Because of all this interdependency, companies increasingly demand that suppliers and partners provide actual proof that they maintain an acceptable security posture. The days of simply declaring that you have things under control are quickly fading. Today, responsible companies require at least completion of a very detailed questionnaire specific to their concerns. And frequently, proving your security position means earning an independent, standardized certification such as SOC 2®.

Pushing back against the verification requirements of major companies and government entities may cost you the contract. “You may be providing toilet paper, and someone’s asking you to fill out a cybersecurity questionnaire,” says Pratum Founder and CEO Dave Nelson. “If you don’t, I guarantee there’s someone out there who will do it and take that contract.”

Rather than fighting it, we recommend leaning into the requirements and turning them into a business advantage. Many Pratum clients have leaped ahead of their competitors by staking a position as early adopters of key security standards. In this case study, one marketing company attributes 33% of their current customer portfolio to an advanced security mindset that helps them get more RFPs and win more deals.

New Standards You Should Know About

Attention in this area currently focuses heavily on the new CMMC standard that the Department of Defense is applying to every vendor in its supply chain. More than 300,000 companies will need to get certified at one of CMMC’s five levels, depending on the information they access in the course of executing their contract.

Evolving breach notification laws also drive much of the urgency around securing supply chains. Under these laws (which vary greatly by state), companies face potentially costly legal requirements to notify customers if hackers access sensitive information held by the company. Some organizations are pushing their suppliers to shore up their security as protection against inadvertent leaks of sensitive information when it travels to other companies.

Risks of an Unsecured Supply Chain

As you consider how to secure your supply chain, consider these potential risks:

  • Upstream and downstream liability – If your security failure creates a problem for someone elsewhere in the supply chain, you may have a legal responsibility to pay for the remediation/damages.
  • Cascading failures – In heavily interconnected ecosystems, one failure may quickly ripple out into other areas. If your ordering system corrupts data, you may lose track of how much raw material you need. If your inventory system fails, your ability to fill orders could fall apart. Mismanaged data and system downtime carry real costs.
  • “Weakest Link” targeting – If you do business with a larger company, hackers may target you as a potential way to get to the bigger target.

How to Identify Your Critical Vendors

A first step in securing your supply chain is identifying your critical vendors (and recognizing when you ARE one for your customers). A critical vendor typically:

  • Has access to data or systems within the company environment – Because you control this environment, you can set requirements for access and training for partners such as onsite contractors or partners using an integrated Enterprise Resource Planning (ERP) system.
  • Uses your data outside your company environment – You need to understand the security of the environment where your engineering docs, customer lists, personally identifiable information, etc. are being used. You need to consider how your data travels through e-mail attachments, cloud storage and other situations.
  • Creates data, systems or components embedded into products – This relates to partners who handle tasks such as developing software for you or building chipsets.

Planning Your Vendor Management Program

As you begin planning your vendor management approach, consider the following steps:

  • Get familiar with best practices – Review NIST 800-171 standards and read up on NIST’s Cybersecurity Framework.
  • Develop your company’s framework – Design a program for identifying critical vendors and bringing them into compliance with your security standards.
  • Decide how you will verify compliance – To ensure that vendors are meeting your minimum security controls, choose one of the following approaches:
    – Require vendors to fill out a cybersecurity questionnaire and a management attestation of their security posture.
    – Require third-party attestation audits such as ISO 27001, SOC 2 or CMMC.
    – Require external audits by your team or a selected third-party auditor.
  • Engage an experienced consultant – A cybersecurity firm like Pratum can help review your needs and establish a supply chain policy that fits your situation. Contact us today to talk with one of our advisors.