DSS shared with industry its plans to execute on Deliver Uncompromised. A few key initiatives under way are the passage of Public Law 115-390, the SECURE Technology Act; NIST SP 800-171 and DFARS 252.204-7012; and the establishment of a DoD Cybersecurity Maturity Model Certification (CMMC), where a required CMMC Level (potentially 1 through 5) will be contained within RFP sections L&M and will serve as a gate of entry to bid on a contract. All these requirements are targeted at lowering supply chain risk.

One approach for the Defense Industrial Base (DIB) to consider as it competes within a Deliver Uncompromised environment is through Integrated Risk Management (IRM).

According to Gartner, by 2021 more than 50% of large enterprises will use an IRM solution set to provide better decision-making capabilities.

KPMG recently conducted a survey of more than 800 audit committee and board members and found that the top challenge facing companies is the effectiveness of their risk management program. Many noted that, increasingly, the focus should be on “key operational risks across the extended global organization – e.g. supply chain, Information Technology (IT) and data security risks, etc.” In order to manage the complexity of these risks, executives have a multitude of options.

Some could consider a “top-down” approach to link their strategic efforts to the organization’s risk profile. Others might put their efforts into the “bottom-up” method, focusing primarily on the individual lines of business. The key to IRM success is an integrated view built on a solid foundation of framework, metrics and systems.

Another major trend is building up an Organizational Resilience capability, which increases business resilience and agility in response to deep uncertainty. It requires considerable effort and depends on a variety of crucial-to-success elements such as leadership, culture, people, processes and infrastructure. Another huge step towards the IRM goal is breaking down organizational risk silos in order to achieve a comprehensive, company-wide security posture.

One established approach to enterprise-wide risk is based on the security convergence model, bringing all business functions (IT, Security, HR, Legal, CISO, acquisitions, physical access and compliance) together to break down stove-piped systems.

It is the only way to understand the enterprise in one holistic view. Strategic risk needs to be continually defined against the policies and procedures in place, with access controlled and measured vulnerabilities remediated. C-Suite and boards will drive Risk Management programs not just because of the mitigation planning, but to create value and differentiators for the organization as a whole.

Today there are more than 300,000 companies that are part of the Defense Supply Chain, ranging from small to major enterprises, and all of them face a multitude of issues from cybersecurity to compliance. Solutions for solving them should be secure, nimble, affordable, and scalable. Cybersecurity challenges give rise to bad actors; social engineering attacks drive new decision-making where defending the network perimeter simply is not an option.

Dynamic, context-aware trust is necessary in such projects. Many vendors are answering this call to action by providing risk or trust scoring as part of their next generation firewalls or endpoint services. What is needed to maintain this is Continuous Adaptive Trust (CAT), acting as an arbiter or orchestrator of that trust, providing context beyond cyber data streams and looking beyond basic User and Entity Behavioral Analytics (UEBA) capabilities.

Use of these types of systems and their integration capabilities can provide a much lower capital and operational cost to the DIB by allowing them to maintain a single system of record, collapse networks and access tokens, and link the need for access with personnel security systems. Additionally, this approach ensures that the user is still the same user who was originally authenticated and deemed trustworthy by the system.

The government’s Trusted Workforce 2.0 initiative will bring changes to Adjudicative Guidelines, Tiers, Policy, Continuous Vetting, etc., which will drive the need for integrated, dynamic context of the workforce. This goal will be at the management forefront and can only be achieved by governing the end-to-end employee lifecycle, from onboarding to retirement. Key challenges will be change management, increased compliance, and privacy. With limited budgets and resources, one viable solution is embracing a holistic view of the dispersed systems, steered by data-driven decision-making, automation, metrics and standardized processes.

Deploying IRM solutions supporting a combined person-centric and device-centric architecture provides a way to further close the supply chain security gap between the person, their personnel/industrial security profile, and their exposure to classified contracts, critical technologies, secure facilities, and the government agency purchaser.

The Integrated Risk Management approach, empowered by a Trust Engine, enables a security convergence model and a risk mosaic that should be evaluated by different parts of an organization to enable meaningful risk assessment, mitigation and enforcement.

In summary, as the DIB prepares to compete in a Deliver Uncompromised environment, it should take a closer look at CAT and Trust Engine implementations for solving complex supply chain challenges and uncertainty while remaining innovative, competitive, compliant and profitable.
###
Andrew Razumovsky is Principal of CANDA Solutions, LLC, providing Cloud, Security and Agile software development services to both the public and private sectors. Andrew is heavily involved with the Fresh Haystack platform, an innovative solution for providing Insider Threat Defense and Integrated Risk Management. Andrew brings more than 22 years of information technology, startups, security, risk management and business experience.

This article was published Oct. 30, 2019 in the fall edition of PSC's Service Contractor magazine.

“Top 10 Factors for Integrated Risk Management Success” | Gartner, 2017
“Is Everything Under Control? Audit Committee Challenges” | KPMG, 2017