IT modernization ranks as a top priority for the federal government, but it also further complicates a concern that agencies have faced for decades: managing the risks to their cyber supply chains. In May 2019, President Trump issued an executive order underscoring the danger the federal information and communications technology supply chains present to the U.S. Four months later, the Cybersecurity and Infrastructure Security Agency (CISA) published a report identifying nearly 200 security threats to these supply chains, including counterfeit components, poor product designs, and malicious hardware and software. For federal IT supply chains, security missteps can damage the economy, national security and even public health. Learn the latest strategies for managing supply chain risk in “Meeting the Requirements of the Supply Chain Imperative,” a guide created by GovLoop and Carahsoft featuring insights from the following technology thought leaders.
Seeing the Risks in Your Supply Chains
“When it comes to government supply chains, agencies can’t properly defend what they can’t see. Supply chains are the systems that move products or services from suppliers to customers, and they are only growing more complicated in today’s hyper-connected world. Each supply chain contains activities, information, organizations, people, technologies, and resources that are vital to government operations. Consequently, supply chains are a top priority for agencies to understand, put controls in place, monitor, and help defend. Agencies that fail to understand their supply chain risks may spend significant energy, money and time addressing disruptions to their missions.”
Read more insights from RSA’s Vice President/General Manager Rob Carey and Archer Government Public Sector Director Dan Carayiannis.
Supply Chain Risk Management Isn’t Just About the Supply Chain
“We learned some lessons in our work with Kaspersky and similar work that helped in the first year of the task force. But one of the things that the working group members identified was that there are private-to-private information-sharing gaps. A big IT company or comms player could decide not to do business with somebody. They’re not necessarily sharing that information with other players in the ecosystem, because they’re concerned about their ability to do so. We think we can make some recommendations around policy shifts, statutory shifts that maybe would encourage more sharing so there’s less risk in sharing information.”
Read more insights from Forescout Technologies’ Vice President for Government Affairs Katherine Gronberg.
How to Make CMMC Deliver Value
“For one, [regarding] the sundry pieces of legislation that have come through around supply chain risk, we actually started a Robomod pilot for prohibited products. It is a process to identify and remove prohibited products and compatible products from across the offerings that we have, from different contracts and from our buying platform. In this instance, it was started around the Kaspersky ban, ZTE [and] Huawei. It goes across the thousands of different products that are associated with those prohibited product areas, and we can do the work of locating, isolating and moving forward in the removal of those products in mere minutes, as opposed to what would take humans weeks to be able to crawl through and search for those things. We’re finding great results in being able to do that.”
Read more insights from Chief Product Officer Tieu Luu.
Internet Assets Are “Unwitting Insiders”: A Challenge To Traditional Supply Chain Risk Management (SCRM) Programs
“There’s only one way to know which suppliers can be trusted. Agencies need to research suppliers before completing transactions, as well as consider security right alongside price, schedule and quality. Going through authorized sellers is a way to ensure sellers are trustworthy, and agencies then can limit the amount of work they have to do alone. To truly get the best all-around contracts that will practice good SCRM, agencies need to reframe the acquisition mindset from lowest cost to best value. Defining a rubric for ‘best value,’ agencies can then train employees, and agencies should reward those who excel in meeting the criteria.”
Read more insights from Expanse’s Co-Founder and CTO Dr. Matt Kraning.
Securing Supply Chains With Cyber Collective Defense
“Rather than relying on entities in the supply chain to defend against the most capable threat actors, including Russia, China, Iran and North Korea, agencies should have their suppliers share critical threat information in real time to defend the entire supply chain as a whole. Attackers are moving rapidly. If our threat sharing and cyber collaboration isn’t happening in real time, and if we aren’t focused on the behaviors that indicate preparations for an attack, we’ll continue to fall far behind the attackers. It’s important to have the right systems in place when attackers come. Being able to identify an attacker faster and take action against them is critical to limiting the impact of an attack and to restoring services.”
Read more insights from IronNet Cybersecurity’s Senior Vice President for Strategy, Partnerships & Corporate Development Jamil Jaffer.
Download the full GovLoop Guide for more insights from these Government Supply Chain thought leaders and additional government interviews, historical perspectives and industry research from GovLoop.