It's much easier to block a cybersecurity threat from getting in the door than to try to track it down once it's already inside.
That's why the Homeland Security Department recently launched an initiative to identify and target risks in the IT supply chains of government agencies and their contractor partners. The effort also involves government contracting leaders from the General Services Administration and counterintelligence officials, according to Jeanette Manfra, the assistant secretary for the office of cybersecurity and communications at DHS' National Protection and Programs Directorate.
Speaking at a panel discussion on Feb. 14 at the Brookings Institution in Washington, D.C., Manfra said DHS wants to close any gaps between agencies and their contracting partners as they address cybersecurity risks in their IT equipment.
The initiative, which Manfra said came about via an internal DHS memo earlier this year, is designed to give actionable intelligence to users, buyers, manufacturers and sellers of government technology products. The goal is to identify risks earlier in the process so that risky IT equipment does not turn into a cybersecurity vulnerability inside an agency's walls or network.
DHS Wants a Collaborative Process to Reduce Supply Chain Risk
DHS is not tackling this problem on its own, Manfra said. The agency is consulting with some industry leaders on how they manage supply chain risks, though she declined to name them, Nextgov reports.
DHS and the GSA have given agencies tools to reduce supply chain risks in the past, and the National Institute of Standards and Technology has also offered detailed guidance on the topic. Manfra mentioned NIST as a partner in the effort during the panel discussion, according to FCW.
The new program is "a focused effort with dedicated staff," Manfra said, FCW reports. Still, she made clear that DHS is working with other agencies on the effort.
"We need to have improved ability for DHS, GSA [and] the intel community to be in a position to help inform procurement decisions by the federal government agencies throughout the civilian government," Manfra told reporters at the event, according to Federal News Radio. "We're working on building those mechanisms and DHS' role in pulling all of that altogether, and also working with industry experts to refine what are the supply chain risks that we should be concerned about."
A timeline has not been set for the program to achieve its goals, but Manfra said DHS is considering it more of a "potentially enduring function" that serves as a "concerted effort to take all of the potential gaps that may be in the federal system or industry and figure out, what is the role of DHS," FCW reports.
The Supply Chain Is the Soft Underbelly of IT Security Risk
Rep. James Langevin, who co-founded the Congressional Cybersecurity Caucus nearly a decade ago, said at the event that the federal supply chain threat is one of the most confusing and potentially insidious cybersecurity threats the government faces, according to Federal News Radio.
"The increase in breaches stemming from third-party vendors highlights that it's no longer enough to secure your own network from cyber intrusions. Of course, now you have to ensure that your vendors' networks are protected as well," Langevin said at the event.
Federal networks remain vulnerable to malicious actors, including foreign intelligence services and counterfeiters, as agencies and their contractors use equipment from all over the world.
"We need to properly incentivize organizations to take a risk-based approach to cybersecurity, rather than having just a compliance-based mindset that encourages doing the bare minimum," Langevin said, according to Federal News Radio. "'Just check the box' is not going to get it done."