There are real risks to federal agencies in the IT supply chain.
The Department of Homeland Security recognizes this. Earlier this year, DHS launched an initiative to identify and target risks in the IT supply chains of government agencies and their contractor partners. The effort involved government contracting leaders from the General Services Administration and counterintelligence officials, according to Jeanette Manfra, the assistant secretary for the office of cybersecurity and communications at DHS’ National Protection and Programs Directorate.
In recent weeks, DHS has signaled that it will step up these efforts. In late July, NPPD Undersecretary Christopher Krebs said DHS would push Congress to pass legislation that would “give it broad authority to expeditiously bar companies that might pose” cybersecurity risks from civilian government supply chains, Nextgov reports.
Meanwhile, last week DHS issued a request for information on ways it can streamline risk assessments of the government’s IT supply chain, based on publicly and commercially available unclassified data.
“DHS seeks information about capabilities that address risk as a function of threat, vulnerability, likelihood, and consequences, and aggregate multiple data sets into structured archives suitable for analysis and visualization of the relationships of businesses, individuals, addresses, supply chains, and related information,” the RFI states.
DHS wants information about capabilities that enable it to identify and mitigate threats from hardware, software and devices “that may contain potentially malicious functionality, are counterfeit, are vulnerable due to deficient manufacturing practices within the supply chain, or are otherwise determined to enable or constitute a threat to the United States.”
Additionally, DHS wants to identify and mitigate supply chain risks “presented by ICT-based services (e.g., cloud services, managed services), as well as service providers that use ICT and the ICT contains, transmits, or processes information provided by or generated for the stakeholder to support the operations or assets of a stakeholder entity (e.g., professional services),” the RFI says.
As FCW reports: “The idea here is for the solution to be non-classified, easily sharable across different levels of government and aligned with existing practices ‘in the vendor community and insurance industry.’”
Best Practices for Enhancing IT Supply Chain Cybersecurity
While DHS pushes forward with its own efforts, agencies can look to other sources for best practices on how to boost IT supply chain security.
In an April report, the U.S.-China Economic and Security Review Commission warned that the Chinese government’s policies target U.S. federal networks and the networks of federal contractors, heightening risk to the U.S. technology supply chain. The report also noted that more than half of shipments to the leading providers of federal information and communication technologies originate in China.
Attacks on supply chains will become easier and more prevalent, the report warns, as emerging and future technologies, including 5G mobile network and Internet of Things technologies, increase avenues for attack.
The report’s authors argue that political or economic shifts will be insufficient to push IT manufacturers to reduce their operations in China or partnerships with Chinese firms. Instead, the authors suggest, a national strategy is needed to manage risk in the federal IT supply chain. They recommend that the government do the following:
- Craft forward-looking policies regarding supply chain security (rather than being reactive and basing security on incident response)
- Centralize the leadership of federal technology supply chain risk management efforts
- Link federal funding to supply chain risk management
- Promote supply chain transparency