The Department of Homeland Security is moving ahead with plans to beef up security for the global IT supply chain and, by extension, for the federal government.
On Oct. 30, DHS announced the creation and chartering of the nation’s first Information and Communications Technology Supply Chain Risk Management Task Force. The task force is a public-private partnership designed to examine and develop “consensus recommendations” to identify and manage risk to the global ICT supply chain.
Although the task force is not specifically focused on protecting just the hardware and software that government agencies use, a DHS official has said that one of its key goals is to help prevent agencies from buying technologies with security problems.
DHS Seeks to Identify Supply Chain Cybersecurity Risks
Foreign adversaries, hackers and criminals present significant new cybersecurity risks to government and industry, DHS notes in a statement, adding that their contractors, subcontractors and suppliers at all tiers of the supply chain “are under constant attack, targeted by increasingly sophisticated and well-funded adversaries seeking to steal, compromise, alter or destroy sensitive information.”
In some cases, advanced threat actors “target businesses deep in the ICT supply chain to gain a foothold and then swim upstream to gain access to sensitive information and intellectual property,” according to DHS.
“Threats to the nation’s IT and communications supply chain can severely impact our national security and nearly every facet of our economy,” Christopher Krebs, director of the newly renamed Cybersecurity and Infrastructure Security Agency, said in a statement.
“The nature of supply chain threats, because they can encompass a product’s entire life cycle and often involve hardware, makes them particularly challenging to defend against,” Krebs said. “Government and industry have a shared interest and thus a shared responsibility in identifying and mitigating these threats in partnership. The Task Force will seek holistic solutions across a broad set of stakeholders to develop near- and long-term strategies to address supply chain risks.”
The task force will have about 60 members, drawn equally from the federal government, the technology industry and the communications sector, Emile Monette, a cybersecurity strategist at DHS and co-chair of the task force, said at a Nov. 1 meeting of the Information Security and Privacy Advisory Board, according to FCW.
How DHS Hopes to Protect Federal IT Supply Chains
The task force is a key component of the DHS Cyber Supply Chain Risk Management Program. The C-SCRM Program leads national efforts to address risks to ICT product and service supply chains by developing and deploying supply chain risk management capabilities for federal civilian agencies; private sector critical infrastructure owners and operators; and state, local, tribal and territorial governments.
The task force, sponsored by the DHS National Risk Management Center, is the main private sector point of entry for the C-SCRM Program and is jointly chaired by DHS and the chairs of the Information Technology and Communications Sector Coordinating Councils.
Monette said at the ISPAB meeting that the task force will serve as a kind of third-party information broker — like CarMax does in auto sales — and will give federal IT buyers and procurement officials more data and context about IT purchases, according to FCW. That will help them avoid buying technology that may be risky.
“We have to change the behavior and the culture of buyers who are blindly trusting these actors in the supply chain,” Monette said, FCW reports. “We also have to change the behavior and the culture of the technology suppliers.”
While there are a lot of “low-hanging fruit” supply chain security measures the task force could implement, Monette said the group will need to draw on a variety of stakeholders in the public and private sectors to change industry practices.
FCW reports: “Some action items could be tackled through the agency's authority to issue binding operational directives to federal agencies, while others would require congressional or private sector action.”
The new task force dovetails with other efforts DHS has made this year to bolster federal IT supply chain security. In August, DHS issued a request for information on ways it can streamline risk assessments of the government’s IT supply chain, based on publicly and commercially available unclassified data.
“DHS seeks information about capabilities that address risk as a function of threat, vulnerability, likelihood, and consequences, and aggregate multiple data sets into structured archives suitable for analysis and visualization of the relationships of businesses, individuals, addresses, supply chains, and related information,” the RFI states.