1. Understand the True Scale of the IT Supply Chain
The CISA ICT interim report notes that $500 billion worth of annual ICT investment comes from the federal government. The report also points to an uptick in commercial off-the-shelf deployments as agencies look to make the best use of federal budget allotments.
The result is a rapidly scaling supply chain. While organizations may purchase a laptop, router or security gateway from known providers, the machine’s component parts aren’t single-source. Just as federal agencies hope to streamline IT infrastructure with cost-effective purchasing, suppliers are similarly managing the price of production by diversifying component origins.
According to R.V. Raghu, ISACA board director and director of Versatilist Consulting, this creates a problem: “Chains are so complex, you don’t know who’s part of your supply chain.”
But with executive orders and international legislation such as the General Data Protection Regulation putting pressure on agencies to improve visibility, complexity does not obviate culpability.
To reduce supply chain risk, agencies must standardize sourcing best practices across two key areas:
- Mapping: As Raghu notes, it’s critical for organizations to “create a map of their supply chains to understand where things are coming from.” This means asking providers for a list of component part suppliers and ensuring this list is regularly audited to meet key compliance requirements.
- Management: Standardization also applies to incident management. As Raghu points out, “vendors and organizations may have different understandings of incident reporting.” Here, contractual agreements that define potential risk factors and mandate regular reporting can help organizations spot supply chain risks as they emerge.
2. Conduct Cybersecurity Assessments and Get Leadership Support
The CISA ICT task force has identified multiple supply chain threats ranging from counterfeit parts to poor product designs and insecure manufacturing processes, while the U.S. Government Accountability Office points to key risks including installation of harmful software, reliance on unqualified service providers and unintentionally vulnerable hardware.
The agency notes that even basic ICT solutions such as workstations or printers could have components manufactured across dozens of countries worldwide.
Risk is compounded by the increasing use of mobile devices used across federal networks; as noted by NextGov, nearly 40 percent of government employees now use unapproved technology for work. But this rapid expansion of cybersecurity scope is often unmatched by commensurate controls, creating the ideal environment for potential supply chain breaches.
For Raghu, the conceptual solution is simple: Organizations must deploy “basic security hygiene to develop reasonable security practices” capable of withstanding both federal and legal scrutiny. In practice, this means implementing actionable network protection strategies, including:
- Security assessments: Holistic supply chain security demands a combination of network, application and advisory assessments. This allows organizations to gain insight across infrastructure, functional and high-level cybersecurity practices to determine where controls are effective and where they need to improve.
- C-suite support: Raghu speaks of the need for cybersecurity to “bubble up into the board level to create an overarching cybersecurity strategy for the supply chain.” While assessments are critical to identify specific challenges, boardroom support provides the impetus for large-scale change.
3. Bridge the Cybersecurity Skills Gap to Improve Supply Chain Security
The growing cybersecurity skills gap poses a problem for government agencies. As diversifying supply chains increase total risk, the lack of trained professionals makes it more difficult to identify and remediate potential risks.
While internal training can help boost overall information security impact, Security Boulevard points to a worrisome trend: “subtle” supply chain risks that easily go unnoticed, such as the increased use of internal messaging apps to connect agency teams and suppliers. Critical information may be accidentally shared or compromised through these insecure channels.
Also worth noting is the increasing time between initial compromise and detection. Recent IBM and Ponemon data found it took enterprises 206 days on average to identify breaches.
Supply chain security isn’t a one-size-fits-all approach for federal agencies or enterprises. Instead, effective ICT management depends on multiple solutions working together to deliver outcomes greater than the sum of their parts.
To help bridge the skills gap, agencies are best served with an approach that relies on synthesis of specializations across supply chain risks. Internal expertise makes up the first component of this approach.
Next is the use of key standards such as the National Institute of Standards and Technology’s Risk Management Framework to develop cybersecurity programs capable of both meeting current challenges and adapting to future needs.
Finally, organizations must recognize the need for reliable third-party expertise, such as ISO 27000- and ISO 28000-certified technology suppliers with a proven history of effective supply chain management at scale.
Supply chain threats are evolving as production scale expands, cybersecurity scope increases and necessary skills grow scarce. Staying ahead of security risk requires a synthesis-based approach that combines skills, standards and strategy to deliver consistent supply chain outcomes.