Even in a secure environment, supply chain security can contain gaps. The seller may have its supply chain locked down, but the manufacturer — confident in its own practices — may be dealing with parts suppliers who work with unsecured companies.
The smaller the company, the larger the gaps and lack of information may be. The National Defense Industrial Association recently surveyed small and medium-sized defense contractors, and found that fewer than 60 percent of them read the document outlining the minimum security standards for defense contractors.
“Most of [the supply chain problem] is outside the individual’s ability to do anything about, and beyond the ability of small businesses to grapple with. … We do need more national focus on the problem,” Tony Sager, senior vice president and chief evangelist of the Center for Internet Security, told Krebs on Security.
The risks federal agencies face in the supply chain include gray-market and counterfeit products, tampering and vendors that don’t properly assess their own risk.
Federal Task Forces Study Supply Chain Risk
At least two federal task forces are working on supply chain security guidelines encompassing everything from how to spot problems to when to ban a company as a supplier. But agencies are concerned about the issue now, and they’re looking for steps to take to protect themselves in the interim.
The General Services Administration took some early steps in the process. As part of the Department of Homeland Security’s Continuous Diagnostics and Mitigation (CDM) program, GSA requires potential government vendors to include supply chain risk management plans in order to become part of the CDM Approved Products List.
The APL catalog can serve as a guide for agencies that want to buy products meeting federal security standards. Agencies may also want to consider including supply chain security requirements in service-level agreements with their vendors, if they’re not buying through a GSA vehicle that already includes one.
In some cases, the solution may be to employ a third party to supplement the monitoring GSA is already trying to do. Large resellers often work with their own suppliers to make sure the supply chain is intact; they’ve got the staff to take care of that, while an agency may not.
Double-Check Outside Security Policies
Agencies should regularly check in with those third parties, however, making sure supply chain security policies are regularly audited and updated. Ask specifically what they’re doing and how they’re carrying out changes. Learn how they create a chain of custody when it comes to handling the merchandise. A good reseller will be happy to discuss the process.
Another threat is counterfeit or gray-market goods that find their way into the government supply chain because a vendor is not vetting its products well enough. Ten years ago, the Army and other agencies discovered they had unwittingly bought counterfeit products from an unsuspecting supplier. Since then, GSA has adopted new supply chain risk management processes to address that area.
Vigilance in the management of supply chains can be difficult, given that much of the manufacturing process may not be transparent. But agencies have many avenues for assistance in assessing risk these days, and that’s an important step.
As Infosec’s “Cyber Security Risk in Supply Chain Management” states: “Cyber security of any one organization within the chain is potentially only as strong as that of the weakest member of the supply chain.”