Issue link: https://iconnect007.uberflip.com/i/1472190
12 SMT007 MAGAZINE I JULY 2022

to do business at any level within the DoD supply chain. Other government agencies will follow suit; it's not just DoD.

Johnson: Hypothetically, I'm a circuit board assembler and one of my customers sends a board for me to build. That board happens to get used in a vision system in the general marketplace, but then I find out that vision system has been specified into a surveillance drone being sold to the U.S. military. As the assembler, I have no idea; I'm just working with my customer. I don't have visibility to where that board might ultimately end up. Now it's in a military application. That pushes the CMMC requirement all the way up the supply chain, not just to me but beyond to my suppliers. Is that correct?

Patel: If you're part of that supply chain, and you handle controlled unclassified information (CUI), absolutely. If you're a printed circuit board manufacturer, for example, that board may be part of a bigger assembly, and you'll be accountable for meeting CMMC requirements. The bigger problem is that there's no cybersecurity hygiene anywhere in the supply chain. And beyond the DoD, companies that don't have compliance requirements like CMMC are failing to take security as seriously as they should. Yes, it is going to be up and down the supply chain, at least for those building these printed circuit boards.

Lack of Information Is the Weakest Link

Johnson: Tell me more about cybersecurity hygiene.

Patel: I'll give you an example. Cybersecurity hygiene is having security awareness training across the organization, having access control, and adhering to best practices of cybersecurity for office productivity tools like email (no clicking links from unknown sources, no sharing sensitive files with vendors, etc.). Cybersecurity hygiene is not willfully doing something "the way we've always done it."
For example, those who share confidential documents via email were never following the ITAR or cybersecurity hygiene processes. ITAR states that users cannot forward CUI documents via email to a vendor—but many simply aren't aware. This highlights the need for cybersecurity hygiene training.

Those who have taken CMMC more seriously are asking their vendors to fill out something as simple as a cybersecurity questionnaire. Questions include:
• What would you do with this type of information if we were to send it to you?
• What type of information are you sending?
• Do you use email as your main form of delivering?
• Do you also have a secure method of delivering documents?
• How are you controlling these?

The company says, "We've got this nice customer agreement that came in and we have to

Divyash Patel