Dec 16 2019

How to Close Supply Chain Security Gaps

New recommendations, task forces and projects bring agency and industry together to secure technology products.

Over the course of this year, supply chain security rose ever higher on the federal government’s list of cybersecurity concerns — and with good reason.

This is an era in which anything can happen with a product before it reaches a customer. The likelihood of parts coming from vendors who turn out to be malicious actors is higher today. Manufacturers can be based in countries with problematic work practices or politics. Unscrupulous companies may even lie about the provenance of a product or its parts.

As a result, agencies ask their suppliers even more sophisticated questions about their products, and that’s a terrific development. Critical questions deserve answers, and we at CDW work hard to deliver them.

What most customers want to know is how safe the products are and how we trace the supply chain journey. Where did we source our product? Where was it assembled? Where did the parts come from? Who had hands on it as it moved from point A to point B?

Have Supply Chain Information Readily at Hand

Customers also want to know whether products conform to quality and risk management standards, such as those published by the National Institute of Standards and Technology (NIST) and International Standards Organization, as well as any applicable local, state and federal laws. 

Because CDW is secure supply chain certified, we maintain a certain level of compliance capability. That translates to transparency with our partners and customers. Our customers are also offered the option of auditing us.

We collaborate with our partners to get that level of transparency. We require partners to maintain information about their products even before we begin to recommend products to our customers — there is an expectation partners will ensure their products meet certain criteria, comply with applicable regulations and have all of the supporting documentation. 

As we start to get products out to our federal customers, who typically ask for supply chain documentation, we can give them a very straightforward answer: “Yes, we have that information you want; we require that from all the partners.”


New Recommendations and Programs Guide Agencies to Increased Security

Lately we’ve been getting questions about whether products are made in America. Federal agencies are required to buy only products made in the U.S. or in any of the 100-plus Trade Agreements Act-designated countries.

Most technology components are made on other continents, and the U.S.-based part of the industry is trying to catch up on governance in that area. While that process continues, we don’t wait for our customers to ask about the product; we are more proactive on their behalf. We’re the forward thinkers who manage potential risk on their behalf.

However, there is only so much a company like ours can do in terms of driving governance on a national level. We’re seeing more assistance from the government through executive orders and regulations that drive supply chain governance. 

The Information and Communications Technology (ICT) Supply Chain Risk Management Task Force organized by the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency (CISA) recently released a report outlining nearly 200 specific threats across nine categories, including counterfeit parts, cybersecurity, insider threats and inherited risk; the report also comes with interim recommendations for future action.

In addition, the General Services Administration and the Defense Logistics Agency teamed up for the first Federal Supply Class review in nearly 50 years. Each of the government’s 600 FSCs classifies more than 7 million items into like categories. The agencies are working together to solve supply chain challenges including fraud, cybersecurity and troublesome shipment routes (especially critical for the military). 

Between the additional concern from our customers, industry efforts to address supply chain risks and these actions from the federal government, an agency looking to shop safely for new technology should find its procurement path less troublesome and more secure.

This article is part of FedTech’s CapITal blog series.
