
NeoSystems Corporation


Security Risk and Threat Response for Supply Chain Security, with Chris Nissen of MITRE

May 10, 2021 | BY: Cece Messerschmidt

NeoSystems Town Hall Blog, March 10, 2021

Each week, our Chief Information Security Officer, Ed Bassett, hosts an interactive 30-minute town hall discussion on Cybersecurity Maturity Model Certification (CMMC) and related government security topics. During the March 10 edition, Bassett met with Chris Nissen, Director of Asymmetric Threat Response & Supply Chain Security at MITRE, to discuss the complexities of security risk and threat response in supply chain security. Nissen, an expert on supply chain security, strongly influenced the origin of CMMC through his work leading the senior study team that produced the report "Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War". Nissen is also working on a new book on cybersecurity and the extended supply chain of the defense industrial base (DIB).

Below is a recap of Nissen and Bassett’s conversation.

Nissen discussed one of his core principles for supply chain security: trust. He said:

“I think it’s a mistake to call something trusted unless you’re continuously monitoring it and the group that assigns trust is much broader than a handful of people that deduce whatever certification they need to do and say, ‘this is now clean,’ because that’s very attractive. Once something’s trusted, then they can activate a vulnerability that’s already there or really go after getting one in.”

The state of security is changing: adversaries now pursue asymmetric attacks rather than direct confrontation. To address this changing environment, Nissen advocates for a heightened awareness of the risk vectors that reside within the IT supply chain, across its various tiers of suppliers and contractors.

Nissen defines the supply chain as the contractors within the DIB, including those who provide cyber-IT, cyber-OT, software, hardware, services, and other products.

On the topic of CMMC, Nissen added:

“What I’ve always liked to say is CMMC is necessary, but not sufficient. So, there are several things, in addition to this attack vector that I looked at with the companies that I consult with. It’s important for everybody to remember that. In my view, this asymmetric era started in the late ’80s, early ’90s, and that’s when Russia and China said, ‘We don’t want to take the United States on kinetically.’ The United States really didn’t realize that. In my view, some of us started to realize it after the OPM breach, but that was quite a while ago now, so they’ve got more than a couple of decades, so it’s going to take us a while to fix that, but there are things you can do in the short, medium and long term.”

What can organizations do? Nissen recommends shifting to an approach of continuous monitoring.

You can watch the full town hall discussion between Bassett and Nissen here:

Additionally, you can register for upcoming CMMC town hall discussions here:
