The Federal government and critical infrastructure owners and operators spend $500 billion annually on information and communications technology (ICT) from thousands of suppliers – small, medium, and large; national and international. Digital transformation and globalization have brought technology advancements and operational efficiencies to Federal agencies. But the increasingly labyrinthine nature of Federal supply chains impacts the security of Federal systems, data, and missions.
Separate, ongoing policy efforts at three of the largest Federal departments – Defense (DoD), Commerce (DoC), and, within the Department of Homeland Security, the Cybersecurity and Infrastructure Security Agency (CISA) – are aiming to take some of the confusion – and potential security harms – out of the supply chain equation.
The roots of supply chain complexity
“These supply chains can be long, complex, and globally distributed and can consist of multiple tiers of outsourcing. As a result, agencies may have little visibility into, understanding of, or control over how the technology that they acquire is developed, integrated, and deployed …” Gregory C. Wilshusen, Director of Information Security Issues at the U.S. Government Accountability Office, noted in July 2018 congressional testimony.
Essentially, supply chain complexity is a threat to Federal agencies because of its extensive and growing interdependencies, which contribute to limited visibility into third-party products and services. Agencies are subject to risk by proxy.
One of the biggest challenges agencies face is incomplete vendor reporting, experts say. Vendors may be managed by multiple organizations in an agency, and reporting may be accomplished using various tools. That can lead to information silos, and ultimately, inaccurate insights into vendor risks.
Another significant area of vulnerability is the reseller ecosystem. Resellers are the “last mile” in the ICT supply chain, connecting original equipment manufacturers (OEMs) to their government customers. As such, they are targets for cyber threats due to the vast amount of government information they manage and have access to. What’s more, the reseller channel’s approach to cybersecurity is uneven; smaller organizations, in particular, may lack the resources to protect against sophisticated threats, and all it takes is one successful attack to jeopardize an agency by proxy.
“You have to know your resellers,” said Jeff Moore, senior vice president at Sterling Computers. “It starts with more time educating and training contracting officers and buyers to look beyond just the bill of materials and part number.”
Software is a growing area of concern, amid rising awareness that security issues can be introduced at any point in the software supply chain, from production to implementation to operation. “When mitigating risks in software supply chains, one must think holistically and assess the components of an application, the language framework being used to develop it, the third-party dependencies, and any inherent vulnerabilities that can be exploited,” said Rick Stewart, Chief Technologist at DLT.
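The holistic assessment Stewart describes (components, framework, third-party dependencies, and the vulnerabilities they carry) is what a software composition check automates. The following is an added example written for this article, not code from DLT or any tool it mentions: it walks an application's direct and transitive dependencies and matches each against an advisory list. The manifest, dependency graph, advisory identifiers (ADV-EXAMPLE-*) and version ranges are all constructed, and only dotted numeric version strings are handled.

```python
"""Software composition check: every reachable component, direct or transitive,
is compared against an advisory list. All data below is constructed."""
from __future__ import annotations

# Constructed direct dependencies of the application (name -> pinned version).
MANIFEST = {"webframework": "2.1.0", "imageutil": "1.4.2", "logger": "0.9.0"}

# Constructed resolved dependency graph: what each component itself pulls in.
GRAPH = {
    ("webframework", "2.1.0"): [("templating", "3.0.1"), ("logger", "0.9.0")],
    ("templating", "3.0.1"): [("htmlsanitize", "1.0.3")],
    ("imageutil", "1.4.2"): [("codec", "5.2.0")],
}

# Constructed advisories: affected component, introduced (inclusive) and
# fixed (exclusive) versions, as a vulnerability feed might express them.
ADVISORIES = [
    {"id": "ADV-EXAMPLE-1", "component": "htmlsanitize",
     "introduced": "1.0.0", "fixed": "1.0.4", "severity": "high"},
    {"id": "ADV-EXAMPLE-2", "component": "codec",
     "introduced": "5.0.0", "fixed": "5.1.0", "severity": "critical"},
    {"id": "ADV-EXAMPLE-3", "component": "logger",
     "introduced": "0.0.0", "fixed": "1.0.0", "severity": "medium"},
]


def parse_version(v: str) -> tuple[int, ...]:
    """Dotted numeric versions only (assumption for this example)."""
    return tuple(int(p) for p in v.split("."))


def is_affected(version: str, adv: dict) -> bool:
    """True when introduced <= version < fixed."""
    v = parse_version(version)
    return parse_version(adv["introduced"]) <= v < parse_version(adv["fixed"])


def walk(manifest: dict, graph: dict):
    """Yield (name, version, path) for every reachable component, transitive
    ones included. Each (name, version) is visited once; the first path found
    is the one reported."""
    seen = set()
    stack = [((n, v), (n,)) for n, v in manifest.items()]
    while stack:
        (name, ver), path = stack.pop()
        if (name, ver) in seen:
            continue
        seen.add((name, ver))
        yield name, ver, path
        for dep in graph.get((name, ver), []):
            stack.append((dep, path + (dep[0],)))


def find_vulnerable(manifest: dict, graph: dict, advisories: list) -> list[dict]:
    """Match every reachable component against the advisories and report
    which dependency chain pulls the vulnerable component in."""
    hits = []
    for name, ver, path in walk(manifest, graph):
        for adv in advisories:
            if adv["component"] == name and is_affected(ver, adv):
                hits.append({
                    "advisory": adv["id"],
                    "component": f"{name}=={ver}",
                    "severity": adv["severity"],
                    "via": " -> ".join(path),
                })
    return sorted(hits, key=lambda h: h["advisory"])


if __name__ == "__main__":
    for hit in find_vulnerable(MANIFEST, GRAPH, ADVISORIES):
        print(f"{hit['advisory']} [{hit['severity']}] {hit['component']} via {hit['via']}")
```

Note that `codec==5.2.0` is not reported even though an advisory names the component: the pinned version is past the fixed version, which is exactly the distinction a composition check has to make rather than flagging by component name alone. The `via` chain shows that a vulnerable sanitizer two levels down is reached through the framework, which is the case a manifest-only review misses.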
A supply-chain risk management program begins with cataloging the agency’s third parties and where they are used throughout the organization. During the contracting stage, the agency needs to assess risk, and then periodically reassess it. Many employ annual questionnaires, which are helpful but don’t go far enough, noted Patrick Potter, Digital Risk Strategist at RSA.
Goal: Risk-informed decision-making
Automation can help agencies monitor vendor risk thoroughly, unobtrusively, and regularly. Via third-party security risk monitoring – which employs automated searching of Internet-facing systems – an agency can monitor vendor systems based upon criteria it sets. Those may include vulnerabilities, patches, and utilization of security tools and best practices, at intervals that reflect the risk of the third parties and the criticality of the products or services they provide. Then, the agency can engage with its third parties to address identified cyber risks.
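The program described above, cataloging third parties and where they are used, reassessing them at intervals that reflect their risk and criticality, and evaluating automated external-monitoring findings against agency-set criteria, can be sketched in a small scheduler. The following is an added example written for this article, not code from RSA or any third-party risk monitoring product: the vendor names, the tiering rule (the higher of criticality and inherent risk), the reassessment intervals, the criteria thresholds and the scan findings are all constructed, and a real monitoring feed would supply the findings dictionary.

```python
"""Risk-tiered third-party monitoring: catalog vendors, schedule reassessments
by tier, evaluate external-scan findings against agency criteria, and list
what to engage each vendor on. All values below are constructed."""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Vendor:
    name: str
    used_by: tuple[str, ...]   # offices or systems inside the agency that rely on it
    criticality: int           # 1 = convenience .. 3 = mission-critical service
    inherent_risk: int         # 1 = low .. 3 = high (e.g. handles sensitive data)
    last_assessed: date


# Hypothetical policy: the higher of criticality and inherent risk sets the
# tier, and the tier sets how often the vendor is re-monitored.
REASSESS_DAYS = {1: 365, 2: 90, 3: 30}


def risk_tier(v: Vendor) -> int:
    return max(v.criticality, v.inherent_risk)


def next_due(v: Vendor) -> date:
    return v.last_assessed + timedelta(days=REASSESS_DAYS[risk_tier(v)])


def vendors_due(catalog: list[Vendor], today: date) -> list[str]:
    """Names of vendors whose periodic reassessment has lapsed, highest tier first."""
    due = [v for v in catalog if next_due(v) <= today]
    return [v.name for v in sorted(due, key=lambda v: (-risk_tier(v), v.name))]


# Criteria the agency sets for its third parties (constructed thresholds).
CRITERIA = {
    "max_open_critical_vulns": 0,
    "max_days_since_patch": 45,
    "required_controls": {"tls1.2+", "mfa_on_admin"},
}


def evaluate(findings: dict, criteria: dict) -> list[str]:
    """Turn one vendor's external-monitoring findings into issues to raise."""
    issues = []
    if findings["open_critical_vulns"] > criteria["max_open_critical_vulns"]:
        issues.append(f"{findings['open_critical_vulns']} open critical vulnerabilities")
    if findings["days_since_patch"] > criteria["max_days_since_patch"]:
        issues.append(f"patch cycle lagging ({findings['days_since_patch']} days)")
    missing = criteria["required_controls"] - set(findings["controls_observed"])
    for control in sorted(missing):
        issues.append(f"expected control not observed: {control}")
    return issues


def engagement_plan(catalog: list[Vendor], findings_by_vendor: dict, today: date) -> dict:
    """For every vendor that is due, evaluate its findings. A vendor with no
    monitoring data is reported as a reporting gap, not silently skipped:
    that gap is the information silo the article warns about."""
    plan = {}
    for name in vendors_due(catalog, today):
        if name not in findings_by_vendor:
            plan[name] = ["no monitoring data received; reporting gap"]
        else:
            plan[name] = evaluate(findings_by_vendor[name], CRITERIA)
    return plan


# Constructed catalog and findings, in the shape an automated monitoring
# tool might return them.
CATALOG = [
    Vendor("Alpha Reseller", ("procurement",), 3, 3, date(2021, 4, 1)),
    Vendor("Beta SaaS", ("hr", "finance"), 2, 3, date(2021, 4, 20)),
    Vendor("Gamma Widgets", ("facilities",), 1, 1, date(2021, 1, 15)),
]
FINDINGS = {
    "Alpha Reseller": {"open_critical_vulns": 2, "days_since_patch": 60,
                       "controls_observed": ["tls1.2+"]},
    # no entry for Beta SaaS: its monitoring feed is missing
}

if __name__ == "__main__":
    for vendor, actions in engagement_plan(CATALOG, FINDINGS, date(2021, 6, 1)).items():
        print(vendor, "->", actions or ["no issues"])
```

The point of the `used_by` field is the cataloging step: the same vendor reported by several offices collapses to one record, so the evaluation and the engagement happen once with a consistent view. Tier 3 vendors come up for review monthly under this constructed policy while a low-tier supplier waits a year, which is the "intervals that reflect the risk" idea in runnable form.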
“Gathering information on each risk, evaluating them, and taking action – it’s a huge undertaking. Automation takes the busywork away and lets agencies focus on exercising human judgment,” Potter said.
In modern software development, automated testing is essential, Stewart noted. “Software is being built, enhanced, and deployed too frequently to rely on manual testing, as humans cannot perform these repetitive tasks at speed, and keep up with the continuous nature of getting changes out to end users,” he said. “It is important to employ automated testing that ensures software is not only secure, but also functionally meets or exceeds requirements and operates resiliently.”
Bob Kolasky, Director of the National Risk Management Center at CISA, agreed that automation has the potential to take supply chain security efforts to the next level. “I’m really eager to see some of these [technologies] succeed in using machine learning, using big-data analytics to put information together and translate it into an understanding of risk, and then be able to translate that risk understanding to process decisions,” he said. “I think technology is going to be a great enabler of more risk-informed decision making.”
CISA: “We’re in the middle of a transformation”
Agency and industry executives praise the 2018 National Cyber Strategy and the SECURE Technology Act – which was signed into law in December 2018 – for raising awareness of supply chain risks among Federal agencies and driving integration of supply chain risk management into agency processes, as well as better information sharing among agencies.
“We’re in the middle of a transformation around building supply chain risk management best practices into procurement and acquisition decisions,” Kolasky said. “It starts with putting contractual requirements in place and pushing expectations down to second, third-order suppliers. The way that happens effectively is through establishing standard practices, templates for information, and information-sharing environments … so companies that want to offer their commodity can demonstrate pretty quickly that they’re following good security practices.”
Kolasky leads an effort at the forefront of the transformation, the CISA Information and Communications Technology (ICT) Supply Chain Risk Management Task Force, which identified more than 190 supplier-related threats to agencies last fall.
The task force’s working groups are taking on myriad efforts to improve ICT supply chain security, including:
- Developing a legal framework to underpin information sharing about supply chain risk between government and industry;
- Building a library of threat scenarios that include recommended controls;
- Creating templates for organizations that need to build qualified bidder lists and qualified manufacturer lists;
- Developing a trusted attestation framework, which is intended to provide a standard set of questions about trust factors that organizations should consider when making supplier decisions; and
- Coordinating efforts across the Federal government and the ICT industry to ensure harmonization around supply chain security initiatives, including efforts by DoD and DoC.
In early May, CISA released the Supply Chain Risk Management (SCRM) Essentials, which outlines actionable steps organizations can take toward implementing SCRM practices to improve their overall security posture. It also published the ICT Supply Chain Risk Management fact sheet, a quick reference guide to ICT supply chain risks.
The SCRM Essentials was designed to encapsulate guidance from the National Institute of Standards and Technology, as well as other supply chain best practices and ideas emphasized in the Defense Department’s Cybersecurity Maturity Model Certification (CMMC), in a useful format for executives who need to build and oversee a supply chain security program, Kolasky noted.
The Defense Department (DoD) CMMC program aims to apply unified cybersecurity standards to DoD acquisitions and assess contractors based on their cybersecurity maturity.