In the private sector, supply chain security is seen as a looming threat: 25 percent of those who responded to a Supply Chain Insights poll last year identified it as a major threat driver over the next five years.
But for the federal government, the threat is immediate. It has already experienced dubious gray-market IT products entering its infrastructure, and it banned the use of Huawei, ZTE and Kaspersky Lab technology by federal employees or contractors because the companies are considered security threats.
The Federal Acquisition Supply Chain Security Act (FASCSA), which became law earlier this year, requires agencies to develop supply chain risk management programs. Every federal agency now has legal obligations to ensure its IT supply chain risks are assessed, mitigated and managed.
At about the same time as the law went into effect, the Department of Homeland Security set up a new task force to figure out what best practices could assist agencies in better supply chain supervision.
April Is National Supply Chain Integrity Month
More critically, the Navy recently reported that it is “under cyber siege” from Chinese and other hackers, and that its current system of relying on its contractors and vendors to self-report supply chain security issues is an “after-the-fact system [that] has demonstrably failed.”
In this newly urgent environment, DHS and other agencies created a public-private task force that’s writing a playbook on how to handle supply chain malfeasance.
“Private industry is making supply chain threat mitigation a big part of their corporate strategy,” says William Evanina, director of the National Counterintelligence and Security Center. “For the first time ever, government is also seeing a threat change.”
The NCSC declared April National Supply Chain Integrity Month, hoping to raise more awareness among its federal partners about the risks to the cyber supply chain. Those include the traditional types of worries, such as someone tampering with a motherboard on the assembly line or inserting spyware into software during the production process.
Best Practices Can Protect an Agency from Most Attacks
The first-ever unclassified version of the center’s annual Foreign Economic Espionage in Cyberspace report, released in May 2018, called 2017 “a watershed year” for supply chain disruption, including a malware operation called Kingslayer that compromised a defense contractor.
But supply-chain vulnerability can be organic as well. The very nature of a network enables people to access and work on the system from anywhere; that is its built-in functionality — and its inherent risk. Agencies must know where the weak points in a system are in order to protect it, no matter how the threat is introduced.
Some of this information is already available. The National Institute of Standards and Technology has been researching industry best practices since identifying supply chain risk management as a potential area of focus in 2014, and has posted many of those documents on its website.
Learn the Basics of Supply Chain Protection
The issue is a multilayered one, and complex new tasks are difficult to integrate into an already demanding work environment. While employees at agencies understand the need for security in the supply chain, it’s not clear that they have all the information they need to conduct solid evaluations of that security in a government space.
To assist in giving employees that knowledge, the NCSC set up a site where agencies can find basic information on supply chain risk management, along with some early best practices. Separately, the task force plans to encourage agencies to develop and publish similar best practices designed for government.
Both the new law, which mandates monitoring of the supply chain, and the efforts to educate employees about the risk will be valuable resources for agencies that don’t want to get caught by an unexpected, and often subtle, means of attack.