SMT007 Magazine

SMT007-July2022

Issue link: https://iconnect007.uberflip.com/i/1472190


14 SMT007 MAGAZINE | JULY 2022

The chain starts from a simple email. That's often the entry point.

Matties: That's an extremely vulnerable point to protect because you're relying on user judgment.

Patel: But if you have users trained and aware, you're less vulnerable. The next question to ask in reducing vulnerabilities is whether the IT folks know what to do with the technology on the production floor. In a contract manufacturing organization or a cable assembly house, you might have things like cable stripping machines and that sort of thing. Are those vulnerable? How much do you know about the vulnerability of the systems running in your company? That will tell you how vulnerable your entire business is.

Johnson: That's a situation where a prime contractor for a system to the government, say, might find themselves liable, and sanctioned or penalized in some way for a component of their product from multiple steps up the supply chain. Of course, that prime contractor is going to start taking ownership of everything, all the CMMC certifications in the supply chain upstream from them. They must.

Patel: That's correct.

Matties: The people upstream are at risk as well, aren't they?

Patel: Everybody in the supply chain gets affected one way or another. Upstream vendors will be affected the most. If the incident is a downstream vendor, you have proper controls in place, and if there is a breach, what happens? It affects everybody upstream from that point on and possibly downstream as well. It affects everybody in the supply chain. That's why vendor risk assessments are so important. ISO primarily requires this, but there are other compliances, and DoD is based on NIST 800-171, but very heavily modified. Level one of CMMC is the easiest level, but there are many companies that couldn't self-attest to compliance today. Other companies may need to be compliant with level two, which has more controls in place. It depends on the nature of your business with the DoD. This is about risk mitigation. If there is a breach or an incident, what sort of incident response plans do you have in place? For example, do you notify your upstream vendors of what happened? Do you even have the capability to determine what was breached, what was taken, and what the ramifications may have been to the business and your business partners? Those things are nowhere near being in place at many EMS companies I have come across.

Taking it Seriously

Matties: If these houses aren't taking this seriously, why is that? If the penalty is severe enough, obviously they would. Or are they just willing to gamble?

Patel: They just don't understand why it's important. I'll give you an example. At IPC APEX EXPO in San Diego this year, a CEO and I discussed the CMMC. He said, "I don't care because I don't do any business with the DoD." Well, maybe you don't have a direct DoD customer, but does your business do business with other vendors who are part of the supply chain? When HIPAA first came out, healthcare providers refused to take it seriously. They were just saying, "We'll deal with it when—and if—we have to." Twenty-five years later, there's a
