Two recent developments speak to both a market-driven and governmental response to the vital operational role technology, innovation, standardization, and collaboration will play in a transition to 1) a resilient supply chain that mitigates risk in the global IT supply chain; and 2) cybersecurity processes to protect the defense industrial base. We provide a brief analysis of both developments:  The Athinia Platform and the DoD Cybersecurity Maturity Model Certification (CMMC) 2.0 Program.

OODA Loop provides actionable intelligence, analysis, and insight on global security, technology, and business issues. Our members are global leaders, technologists, and intelligence and security professionals looking to inform their decision making process to understand and navigate global risks and opportunities.

You can chose to be an OODA Loop Subscriber or an OODA Network Member. Subscribers get access to all site content, while Members get all site content plus additional Member benefits such as participation in our Monthly meetings, exclusive OODA Unlocked Discounts, discounted training and conference attendance, job opportunities, our Weekly Research Report, and other great benefits. Join Here.

The Athinia Platform

A new partnership was announced today to deliver a secure collaborative data analytics platform for the semiconductor industry.  Merck KGaA, Darmstadt, Germany, and Palantir have partnered to develop, according to a press release from Merck KGaA, a “collaborative analytics platform to help improve supply chain transparency and tackle chip shortage.”  To avoid confusion with the similarly named pharmaceutical company, Merck KGaA uses the name EMD Electronics for its North American electronics business.

According to Reuters, at the time of the announcement of the Athinia Platform, Merck KGaA ( a supplier of chemicals used by chip factories) also announced a commitment to expand operations in the U.S. if the CHIPs Act “is enacted to bolster domestic chip manufacturing in the U.S. The company plans to spend $1 billion through 2025 for sites in Arizona, California, Texas, and Pennsylvania.”

In a statement, the CEO of Athinia, Laura Matz, described the pain point the big data analytics and AI platform is designed to solve:  “Both the suppliers and the chip factories have extensive trade secrets and have historically been reluctant to share data beyond their own organizations.  That has been the hurdle of solving this problem (of supply-chain inefficiency) for years.  Until we came up with the concept of how we’re structuring the data in a way that there’s no (intellectual property) contamination, we couldn’t get over it.”

On the platform development efforts ahead, Matz added:  “Athinia will deliver a collaborative data analytics platform for the semiconductor industry by leveraging AI and big data to solve critical challenges in the industry.  With this platform, we will enable collaboration within the semiconductor materials ecosystem in a way that drives progress in materials quality and supply chain transparency while still protecting each company’s proprietary data and information. I am excited to be part of the semiconductor evolution and enabling progress across the ecosystem.

Merck KGaA, Darmstadt, Germany, and Palantir have a track record of collaboration that dates back to the 2017 partnership “Syntropy” in biotechnology.

Strategic Direction for Cybersecurity Maturity Model Certification (CMMC) Program

Back in August of 2020, OODA Loop’s Bob Gurley  first covered the DoD CMMS Program, offering an analysis of “The Smart Way For Contractors To Meet New DoD CMMC and DFARS Requirements.”  In it, he described an early iteration of the program:

“A new government program, called the Cybersecurity Maturity Model Certification (CMMC), is a way of measuring compliance with existing regulations. The CMMC builds on previous work, so there are no real surprises here, but it does change things. The CMMC puts in place requirements for DoD contractors to have their compliance with security rules evaluated. The goal is to measure compliance in a way that generates repeatable metrics and helps both the government and the contracting world make better decisions regarding mitigating security risk.  The CMMC is an assessment and certification program that will require independent assessments.”

“The aggregate loss of Controlled Unclassified Information (CUI) from the defense industrial base (DIB) sector increases risk to national economic security and in turn, national security,” the DOD says on its website. “In order to reduce this risk, the Department has continued to work with the DIB sector to enhance its protection of CUI in its unclassified networks.  The DIB is the target of increasingly frequent and complex cyberattacks by adversaries and non-state actors. Dynamically enhancing DIB cybersecurity to meet these evolving threats, and safeguarding the information that supports and enables our warfighters, is a top priority for the Department. CMMC is a key component of the Department’s expansive DIB cybersecurity effort.”

Since this initial coverage, the enhanced CMMC went into a review in April 2021.  Last month, DoD announced the enhanced “CMMC 2.0″, with streamlined requirements that:

• Cuts red tape for small and medium-sized businesses
• Sets priorities for protecting DoD information
• Reinforces cooperation between the DoD and industry in addressing evolving cyber threat

This CMMC version is encouraging on a few fronts:

• CMMC 2.0 requires certification which forces the prioritization of cybersecurity compliance by DIB companies in order to continue doing business with DoD and moves away from voluntary certification.
• Recent OODA Loop analysis quoted Suzanne Spaulding, a Senior Advisor for the Center for Strategic and International Studies (CSIS), and former DHS Under Secretary for the National Protection and Programs Directorate (NPPD), on voluntary cybersecurity regulations:  “…I have always favored voluntary, market-based solutions to cybersecurity.  Markets are generally more efficient and, important for such a dynamic area as cyber, nimbler. However, over the last couple of years, I have reluctantly had to conclude that we cannot rely upon markets alone to ensure the continuity of nationally critical functions…”.
• The Cyberspace Solarium Commission (CSC) also concluded that “the market was not going to be sufficient to provide the level of security and resilience that is urgently needed for the most important elements of our infrastructure…”.
• We recently did an analysis of cybersecurity efforts at NIST, including the adoption by Google Cloud of the NIST Cybersecurity Framework.  We also questioned the recommendation of ISO Standards for international cybersecurity collaboration between North American allies with no regard for interoperability with NIST Standards.  The CMMC integrates all the required ISO and NIST standardization, including a requirement to port over the compliance from the NIST SP 800-171 cybersecurity controls to the new Cybersecurity Maturity Model Certification standard.

Clear streamlined compliance directives, in a federal environment littered with standardization specifications, will make a huge difference.  For that reason alone, the CMMC review and the enhanced version of the certification model seem worth the months of DoD review efforts.

Please contact us if you have any questions or concerns about either the Athinia Platform or the DoD CMMC 2.0 Program.

Further Reading:

The Smart Way For Contractors To Meet New DoD CMMC and DFARS Requirements

What Business Needs To Know About The New Way DoD Will Measure Your Security Posture

Federal Market Sensemaking | OODA Loop

Related Reading:

Black Swans and Gray Rhinos

Now more than ever, organizations need to apply rigorous thought to business risks and opportunities. In doing so it is useful to understand the concepts embodied in the terms Black Swan and Gray Rhino. See: Potential Future Opportunities, Risks and Mitigation Strategies in the Age of Continuous Crisis

Cybersecurity Sensemaking: Strategic intelligence to inform your decisionmaking

The OODA leadership and analysts have decades of experience in understanding and mitigating cybersecurity threats and apply this real-world practitioner knowledge in our research and reporting. This page on the site is a repository of the best of our actionable research as well as a news stream of our daily reporting on cybersecurity threats and mitigation measures. See: Cybersecurity Sensemaking

Corporate Sensemaking: Establishing an Intelligent Enterprise

OODA’s leadership and analysts have decades of direct experience helping organizations improve their ability to make sense of their current environment and assess the best courses of action for success going forward. This includes helping establish competitive intelligence and corporate intelligence capabilities. Our special series on the Intelligent Enterprise highlights research and reports that can accelerate any organization along its journey to optimized intelligence. See: Corporate Sensemaking

Artificial Intelligence Sensemaking: Take advantage of this megatrend for competitive advantage

This page serves as a dynamic resource for OODA Network members looking for Artificial Intelligence information to drive their decision-making process. This includes a special guide for executives seeking to make the most of AI in their enterprise. See: Artificial Intelligence Sensemaking

COVID-19 Sensemaking: What is next for business and governments

From the very beginning of the pandemic, we have focused on research on what may come next and what to do about it today. This section of the site captures the best of our reporting plus daily intelligence as well as pointers to reputable information from other sites. See OODA COVID-19 Sensemaking Page.

Space Sensemaking: What does your business need to know now

A dynamic resource for OODA Network members looking for insights into the current and future developments in Space, including a special executive’s guide to space. See: Space Sensemaking

Quantum Computing Sensemaking

OODA is one of the few independent research sources with experience in due diligence on quantum computing and quantum security companies and capabilities. Our practitioner’s lens on insights ensures our research is grounded in reality. See Quantum Computing Sensemaking.

The OODAcast Video and Podcast Series

In 2020, we launched the OODAcast video and podcast series designed to provide you with insightful analysis and intelligence to inform your decision-making process. We do this through a series of expert interviews and topical videos highlighting global technologies such as cybersecurity, AI, quantum computing along with discussions on global risk and opportunity issues. See The OODAcast.