3 Supply Chain Cybersecurity Questions Buyers Can Ask Suppliers

How can companies determine if their suppliers are taking cybersecurity risks and requirements seriously?

They can turn to their buyers, who speak with suppliers on a regular basis and can make cybersecurity part of those conversations. Here are three questions to help buyers get those conversations with suppliers started:

1. Are you taking cybersecurity seriously enough?

Many manufacturers don’t make cybersecurity a priority. They may think that such an attack will never happen to them. But a recent survey by cybersecurity company BlueVoyant found that more than 90 percent of the companies surveyed said they had suffered a direct cybersecurity breach because of supply chain weaknesses. And ENISA, the European Union Agency for Cybersecurity, predicts that supply chain attacks this year will likely quadruple compared to 2020. Identifying weak links in the supply chain pinpoints the risks posed by suppliers that are not taking basic steps to avoid high-risk cyber issues.

2. Are you planning for the future?

U.S. Department of Defense suppliers recently received updated guidance from the Pentagon when it simplified its Cybersecurity Maturity Model Certification (CMMC) program, which was to go into effect as early as 2022 for some contracts. The program, which aimed to standardize DoD suppliers’ cybersecurity practices, has morphed into CMMC 2.0, with rule-making under way. Manufacturers won’t be required to comply with CMMC 2.0 rules until those regulations are in effect, which could take as long as two years, according to some estimates.


However, CMMC 2.0 rules are coming eventually. And it’s not just CMMC 2.0 that manufacturers need to think about. For example, most DoD suppliers must currently meet DFARS 7020 clause requirements, including a self-assessment as outlined in the NIST SP 800-171 standard. Companies all along the supply chain are also setting requirements. The key thing that targeted questions from buyers can help determine is whether suppliers are making progress on cybersecurity safety measures. Such investments aren’t just to ensure compliance with requirements. They protect suppliers’ businesses from significant cyber risks.

3. Do you have a plan if you have a problem?

A plan for how to deal with a cyberattack is crucial. But companies can’t stop there. They also need a plan for how they will alert everyone up and down their supply chain about that attack. A ransomware attack, for example, can take out a factory and its supply chain overnight, with recovery taking a month or more.

The three questions designed to get cybersecurity conversations jump-started are among the outreach efforts Rolls-Royce has launched to help suppliers navigate cybersecurity concerns. Rolls-Royce’s new partnership with MxD, which the DoD has designated the National Center for Cybersecurity in Manufacturing, is centered on increasing awareness of cybersecurity requirements within the company’s supply chain and providing a way for suppliers to reach out for help.

The toolkit being rolled out also includes webinars and educational resources for external suppliers and internal procurement personnel. The goal is to make sure companies are taking risks and requirements seriously so that they — and their supply chain — are protected from and resilient to cyberattacks.

Members of the Rolls-Royce community will continue to learn more about supply chain cybersecurity through its partnership with MxD. Email info@mxdusa.org with any questions.