Over the past couple of years, the Department of Homeland Security’s (DHS) Critical Infrastructure and Security Agency (CISA) has been asking itself several questions to increase cross-agency governance for cybersecurity and supply chain management. Establishing the ICT Supply Chain Risk Management Task Force was key to increasing governance and understanding supply chain vulnerabilities, Director Chris Krebs says.
“What information are we able to provide out to the critical infrastructure community? What information can the critical infrastructure community provide to ask back what are these bidirectional frameworks?” Krebs posited at the AFCEA Homeland Security Conference today.
Establishing a threat management framework that can be used for cross-agency implementation became a priority for CISA as a way to better understand the supply chain. Understanding the criteria for qualified buyers and shrinking the shadow market for counterfeit products required a structured approach and a shared vocabulary so that agencies and industry could speak the same language.
“Since the OPM (Office of Personnel Management) hack, the DHS, the cyber agency provides a number of services and capabilities out to agencies, but I think what we found is in addition to providing our threat – or threat feeds – whether it’s through the National Cyber Defense Protection System, or it’s providing actual tooling and capabilities through the continuous diagnostics and mitigation program, what we’re finding is a great deal of success in improving cybersecurity posture, through just understanding what the risk environment is,” Krebs said.
In addition to understanding the supply chain framework more effectively, CISA has addressed patch management for fixing critical vulnerabilities. The initial timeframe for patching critical vulnerabilities across agencies averaged 149 days; it is now down to an average of approximately 20 days.