
Meeting the Requirements of the Supply Chain Imperative


IT modernization ranks as a top priority for the federal government, but it also further complicates a concern that agencies have faced for decades: managing the risks to their cyber supply chains. In May 2019, President Trump issued an executive order underscoring the danger that the federal information and communications technology supply chain presents to the U.S. Four months later, the Cybersecurity and Infrastructure Security Agency (CISA) published a report identifying nearly 200 security threats to these supply chains, including counterfeit components, poor product designs, and malicious hardware and software. For federal IT supply chains, security missteps can damage the economy, national security and even public health. Learn the latest strategies for managing supply chain risk in "Meeting the Requirements of the Supply Chain Imperative," a guide created by GovLoop and 探花视频 featuring insights from the following technology thought leaders.

Seeing the Risks in Your Supply Chains

"When it comes to government supply chains, agencies can't properly defend what they can't see. Supply chains are the systems that move products or services from suppliers to customers, and they are only growing more complicated in today's hyper-connected world. Each supply chain contains activities, information, organizations, people, technologies, and resources that are vital to government operations. Consequently, supply chains are a top priority for agencies to understand, put controls in place, monitor, and help defend. Agencies that fail to understand their supply chain risks may spend significant energy, money and time addressing disruptions to their missions."

Read more insights from RSA's Vice President/General Manager Rob Carey and Archer Government Public Sector Director Dan Carayiannis.


Supply Chain Risk Management Isn't Just About the Supply Chain

"We learned some lessons in our work with Kaspersky and similar work that helped in the first year of the task force. But one of the things that the working group members identified was that there are private-to-private information-sharing gaps. A big IT company or comms player could decide not to do business with somebody. They're not necessarily sharing that information with other players in the ecosystem, because they're concerned about their ability to do so. We think we can make some recommendations around policy shifts, statutory shifts that maybe would encourage more sharing so there's less risk in sharing information."

Read more insights from Forescout Technologies' Vice President for Government Affairs Katherine Gronberg.


How to Make CMMC Deliver Value

"For one, [regarding] the sundry pieces of legislation that have come through around supply chain risk, we actually started a Robomod pilot for prohibited products. It is a process to identify and remove prohibited products and compatible products from across the offerings that we have, from different contracts and from our buying platform. In this instance, it was started around the Kaspersky ban, ZTE [and] Huawei. It goes across the thousands of different products that are associated with those prohibited product areas, and we can do the work of locating, isolating and moving forward in the removal of those products in mere minutes, as opposed to what would take humans weeks to be able to crawl through and search for those things. We're finding great results in being able to do that."

Read more insights from Chief Product Officer Tieu Luu.


Internet Assets Are "Unwitting Insiders": A Challenge to Traditional Supply Chain Risk Management (SCRM) Programs

"There's only one way to know which suppliers can be trusted. Agencies need to research suppliers before completing transactions, as well as consider security right alongside price, schedule and quality. Going through authorized sellers is a way to ensure sellers are trustworthy, and agencies then can limit the amount of work they have to do alone. To truly get the best all-around contracts that will practice good SCRM, agencies need to reframe the acquisition mindset from lowest cost to best value. Defining a rubric for 'best value,' agencies can then train employees, and agencies should reward those who excel in meeting the criteria."

Read more insights from Expanse's Co-Founder and CTO Dr. Matt Kraning.

Securing Supply Chains With Cyber Collective Defense

"Rather than relying on entities in the supply chain to defend against the most capable threat actors, including Russia, China, Iran and North Korea, agencies should have their suppliers share critical threat information in real time to defend the entire supply chain as a whole. Attackers are moving rapidly. If our threat sharing and cyber collaboration isn't happening in real time, and if we aren't focused on the behaviors that indicate preparations for an attack, we'll continue to fall far behind the attackers. It's important to have the right systems in place when attackers come. Being able to identify an attacker faster and take action against them is critical to limiting the impact of an attack and to restoring services."

Read more insights from IronNet Cybersecurity's Senior Vice President for Strategy, Partnerships & Corporate Development Jamil Jaffer.


Download the full GovLoop Guide for more insights from these government supply chain thought leaders, along with additional government interviews, historical perspectives and industry research from GovLoop.
