Flow down – not flush down

Having control of the defence supply chain is more important than ever – last week we met the defence industry in Oslo talking about the importance to flow down requirements and information in the supply chain.

Last week we had the pleasure of meeting up with partners in the defence industry, catch up, share knowledge and experience and discuss supply chain protection at the The Norwegian Defence and Securities Industry Association (FSi), US Government Procurement Regulations ‘FAR/DFARS’ Seminar. 

The defence sector operates under stringent regulations and requirements. Within this complex ecosystem, compliance plays a pivotal role in maintaining control over all parts, prime contractors, and sub-contractors. With multiple entities involved in the defence supply chain, adherence to strict compliance standards becomes crucial to uphold quality, security, and accountability. Control over all parts within the defensc supply chain is paramount. How to manage? 

Audun Abrahamsen, VP Supply Chain, Kongsberg Defence & Aerospace and Ragnar Løkka, Supply Chain Manager, Kongsberg Defence & Aerospace, presented under the topic Supply Chain Management & Flowdowns to Subtiers.  

Flow down, not flush down
One can never repeat enough the importance of flowing down the important information in the supply chain and categorize what a subcontractor is. What are the different perspectives in the supply chain? The one from US Government, the one from the Prime contractor and of course the sub perspective. It’s about contracts, information, regulations and control. 

Listening to Stephen D. Knight, Senior Counsel, Haynes and Boone, LLP, talking about the basics on US Government Acquisition Regulations – a Peculiar Customer, is always both educating and entertaining. The learning one is left behind with, is, that defence contracts and defence supply chains is complex, and that documentation and traceability are key elements for security. 

Jay Peterson, Director of Government Finance & Compliance, Lockheed Martin Corporation let us into the world of audits. What information is requested in the jungle of audits and how to handle them? Three key words:  Assess, Address and Respond (or Decline?). Other topics at the seminar included coverage of costs, information requested, documentation requirements, defence vs commercial products and services, and of course the mythical CMMC. 

Mysterious and talked about
Defence requirements are sometimes seen as mysterious and hard to interpret. A requirement that has been thoroughly discussed the last years, is the CMMC, Cybersecurity Maturity Model Certification. Kenneth Crawford, CMMC RP and Group Leader, Mnemonic AS, talked about Demystifying CMMC: Implementing and Integrating CMMC with other Frameworks. Starting with the basics. What is CMMC?

CMMC is, as stated in the presentation: The Cybersecurity Maturity Model Certification is/ will be the program used by the DoD to certify that individual companies within the Defence Industrial Base (DIB) adequately protect Controlled Unclassified Information (CUi). 

CUI is information the Government creates or possesses, or that an entity creates or possesses for or on behalf of the Government, that a law, regulation, or Government-wide policy requires or permits an agency to handle using safeguarding or dissemination controls. (US DoD). 

Third party assessments
The US is implementing CMMC to increase national security, reduce risk against cyber-attacks, and reduce the risk of loss of controlled unclassified information in the entire supply chain. It is applicable to all subcontractors on a DoD contract, irrespectively of where you are in the supply chain, and every contractor needs to be audited and certified by a third-party auditor.

CMMC certification is conducted through third-party assessments. Independent auditors evaluate an organization’s cybersecurity practices and controls, to determine their compliance with the relevant CMMC level. This assessment process is different from self-attestation, which was previously used for certain cybersecurity standards. 

If you are interested in learning more about how we handle PCB data and how we can protect your supply chain, do not hesitate to reach out.  

We are looking forward to hearing from you.

Flow down – not flush down

Written by: Guro Krossen

Related news

Sign up

Make sure to sign up for our newsletter