Want to add new cybersecurity tools to your agency’s IT security mix but are wary about where they’re coming from, and what they might do to your networks? The Department of Homeland Security thinks it has a fix.
DHS is rolling out a new supply chain risk management plan for its Continuous Diagnostics and Mitigation program. The goal is to give agencies more information about the products on the CDM program’s “approved products list” (APL) and to bolster confidence in their reliability and security.
The CDM program lets agencies identify cybersecurity risks on an ongoing basis and prioritize them by severity, so that security personnel can mitigate the most significant problems first. CDM offers commercial off-the-shelf tools (hardware, software and services) that agencies can acquire through a central fund. DHS runs the CDM program in partnership with the General Services Administration.
DHS Updates CDM Program’s Supply Chain Management
In a memorandum issued last month, the GSA said the new supply chain risk management framework is designed to give agencies and other ordering activities that purchase equipment through CDM more information about how an IT vendor “identifies, assesses, and mitigates supply chain risks in order to facilitate better informed decision-making by Agencies and ordering activities.”
The plan is supposed to “provide visibility into, and improve the buyer’s understanding of, how the Offeror’s proposed products are developed, integrated and deployed; as well as the processes, procedures, and practices used to assure the integrity, security, resilience, and quality of those products,” the memo states.
Kevin Cox, CDM program manager at DHS, tells Federal News Radio that vendors that want to be added to the CDM approved-products list must now complete a questionnaire about the products they are submitting.
That questionnaire addresses some background information regarding “how the product was manufactured, what kind of visibility there was in tracking the supply chain of the product and in many cases the original equipment manufacturer,” Cox says.
That kind of knowledge about the supply chain and product components will “give anyone using CDM APL a better sense that the vendors offering products on the approved products list have given some thought and are really looking into understanding the supply chain of the products they are offering.”
The National Institute of Standards and Technology, an arm of the Commerce Department, notes that IT supply chains carry many potential cybersecurity risks.
They include third-party service providers or vendors — from janitorial services to software engineering — that have physical or virtual access to information systems, software code or intellectual property. Poor information security practices by lower-tier suppliers are also a danger.
Additional risks include compromised software or hardware purchased from suppliers, software security vulnerabilities in supply chain management or supplier systems, counterfeit hardware or hardware with embedded malware, and third-party data storage or data aggregators.
NIST recommends that those who want to mitigate cybersecurity supply chain risks develop defenses “based on the principle that your systems will be breached,” and then think about how to mitigate an attacker’s ability to exploit the information they have accessed and how to recover from the breach.
NIST also notes that “breaches tend to be less about a technology failure and more about human error” and that “IT security systems won’t secure critical information and intellectual property unless employees throughout the supply chain use secure cybersecurity practices.”
“There should be no gap between physical and cybersecurity,” NIST says. “Sometimes the bad guys exploit lapses in physical security in order to launch a cyber attack. By the same token, an attacker looking for ways into a physical location might exploit cyber vulnerabilities to get access.”
Feds Take Steps to Procure Secure IT
As Federal News Radio reports, the supply chain risk management plan was introduced weeks after the GSA created a special item number for cybersecurity products under Schedule 70 procurements.
Earlier this summer, as Federal News Radio reports, the Committee on National Security Systems, an intergovernmental body that sets security policy for national security systems, issued its own supply chain risk management policy.
The goal is to establish “an integrated, organization-wide cybersecurity risk management program to achieve and maintain an acceptable level of cybersecurity risk for organizations that own, operate, or maintain national security systems.”