Supply Chain Management Obligations
Compliance, Regulations and Standards
Regardless of the size of your supply chain, you must ensure that it complies with the applicable regulations and standards. This may involve a great deal of continued effort, but it is worth it. If your business is found to be non-compliant because of risks within the chain, you may find yourself facing financial losses, loss of reputation, lawsuits, and a lot more. No regulator will cut you any slack for “not being aware” of prevailing or imminent risks.
Your Supply Chain Management obligations begin with being aware of the regulations and standards that govern it – NIST Compliance is one of them. That is exactly what this article aims to help you with. Here you will gain a basic but valuable understanding of what supply chain compliance is, the various forms it takes, how major regulations include it in their mandates, and what measures you can take to fulfill your supply chain management obligations the right way.
Fundamental Understanding of Supply Chain Compliance
Supply chain compliance refers to an organization’s adherence to the established guidelines and requirements for tackling every type of risk pervading the supply chain, and its ability to meet or exceed the expectations of its stakeholders. These guidelines and requirements can take the form of:
- National, state, provincial and local or border/international regulatory requirements
- Industry standards, such as ASTM (American Society for Testing and Materials) or HIPAA (Health Insurance Portability and Accountability Act)
- Contractual obligations or requirements
- Customer and non-governmental organization (NGO) expectations
Achieving, demonstrating and maintaining compliance with these multiple standards across your supply chain requires comprehensive collaboration with your third-party partners. Your business can only make this happen when both you and your business associates/partners are fully aware of the prerequisites for full compliance.
While most standards and regulations address supply chain compliance management in one way or another, some of them incorporate it explicitly as part of their mandates. HIPAA, the EU’s General Data Protection Regulation (GDPR), and the Cybersecurity Maturity Model Certification (CMMC) are a few regulations that do so.
Let’s take a closer look at how these three specify the need to fulfill compliance requirements:
- HIPAA: you are required to hold, and are held responsible for, a business associate agreement that defines how your third-party vendors and partners manage personal health information (PHI) or electronic PHI (ePHI).
- GDPR: its well-known 72-hour breach notification rule applies to both data controllers (your business) and data processors (your supply chain). Even when the security breach occurs at your vendor’s end, you are responsible for notifying your customers within 72 hours.
- CMMC: if you are a member of the Defense Industrial Base (DIB), the U.S. Department of Defense places equal emphasis on your business and your supply chain earning the necessary levels of certification (defined under CMMC) by demonstrating compliance with NIST CSF 800-171 requirements.
Here is one example of how costly non-compliance can be. Marriott International was fined under GDPR for a 2018 data breach. In November of that year, security vulnerabilities in the network of Marriott’s acquisition, the Starwood Hotels Group (part of its supply chain), exposed over 339 million guest records.
After a two-year investigation, Marriott was initially fined £99 million ($137M) for the exposure of records of 31 million EEA residents. In October 2020, the fine was reduced to £18.4 million ($25.5M) due to several mitigating factors. Nonetheless, Marriott paid a hefty price for not detecting and mitigating the risk.
Precautionary Measures to Undertake Proactively
Now let us look at the precautionary measures you must undertake right away to ensure your supply chain management obligations are covered.
- Your security and compliance posture: begin this process by carrying out a thorough and accurate assessment of the security and compliance of your business and your entire supply chain.
- Ask the right questions: be prepared to examine whether everyone in your chain is up to par with your business’ security and compliance policies. If they are not, don’t shy away from making it mandatory for them to get on the same page.
- Data integrity and structure: your business and client data are paramount when it comes to compliance. Where is it stored? How is it managed? How secure is it in your business’ network as well as in your suppliers’ networks? Let your third-party vendors and partners know how crucial it is for them – and for you – to ensure the data is always kept safe and secure.
- Ongoing monitoring and evidence of compliance: regular threat monitoring and documented evidence of compliance will help you demonstrate your commitment to full compliance with the necessary regulations. This applies to your supply chain too.
- Assume and prepare for a “worst-case scenario”: keep this in mind throughout the process of ensuring your own and others’ compliance, and clearly communicate the same mindset to your third-party partners.