Federal agencies face a twofold problem when it comes to managing a secure IT supply chain: First, there are many laws and mandates agencies need to be in compliance with. Second, there are simply a lot of risks out there.
The risks include industrial sabotage and counterfeit or fraudulent parts, and those are just a small subset of the cybersecurity risks at play. Regulations and compliance requirements force agencies to make decisions about their IT supply chains. For example, a rule issued this summer from the Federal Acquisition Regulatory Council bars agencies from purchasing products or services from companies that use Huawei or ZTE, or video surveillance products or telecommunications equipment from other prohibited Chinese firms.
The most recent of these laws is the Federal Acquisition Supply Chain Security Act of 2018, which created the Federal Acquisition Security Council. FASC, an element of the Office of Management and Budget, brings together senior leaders from across the government to better protect agencies’ acquisition of IT. As the Office of the Director of National Intelligence notes, FASC develops criteria to enable agencies to determine IT supply chain risks, send out supply chain risk information and decide how to mitigate risks.
Earlier this month, OMB released an interim final rule to implement the requirements of the laws that govern FASC’s operation and its recommendations. There are multiple factors FASC will consider: security, authenticity and integrity, including that of embedded, integrated or bundled software; the implications to national security and source-critical functions; and the vulnerability of federal systems, programs and facilities.
Other federal mandates that cover acquisitions include the Federal Acquisition Regulations System and the related FAR defense supplement for defense agencies. Outside of those regulations, agencies need to follow executive orders such as EO 13873, issued in May 2019, which is designed to “prevent foreign adversaries from exploiting vulnerabilities in the ICT supply chain and protect the vast amount of sensitive information being stored in and communicated through ICT products and service,” as the Cybersecurity and Infrastructure Security Agency notes.
What’s clear is that IT supply chain risks abound. But there are clear ways that agencies can mitigate those risks.
What Are the Main IT Supply Chain Risks?
The biggest IT supply chain risk right now is sabotage. Other adversarial risks include the installation of counterfeit hardware and software, the installation of malicious logic, and malicious or unqualified service providers. Flawed product designs and poor manufacturing processes and maintenance procedures can also introduce vulnerabilities.
Agencies need to think twice about who their IT suppliers are and whether they are based in a country or linked to a partner that is considered high risk.
The Government Accountability Office will reportedly soon release a report that outlines more than 100 recommendations for how agencies can mitigate risks from IT suppliers in foreign countries. “The vast majority of agencies lack comprehensive processes in order to effectively manage their supply chains,” Carol Harris, the director of GAO’s IT and cybersecurity team, tells Nextgov. Harris told lawmakers in August that the government’s dependence on China for IT supplies represents a “significant risk” to national security, but added that Japan, South Korea, India, the U.K., Germany and France are included in the GAO’s forthcoming analysis as well.
Agencies need to ensure that their suppliers, down to the manufacturing level, have the right rules and regulations, and they need to verify that those controls are in place.
CDW has achieved ISO 28000 certification, the first international standard to address end-to-end supply chain risks. The depth and breadth of our experience around supply chains has led to us being able to provide best-in-class secure supply chain solutions to federal customers. We verify our partners and have the capabilities and practices in place to meet compliance requirements. Frequently, we monitor raw materials through the Government-Industry Data Exchange Program guidance, and in turn, monitor to ensure suppliers have appropriate governance in place to filter any blacklisted raw material. Suppliers may also be asked to provide documentation to support their attestation. In some cases, we may take this further and request an audit in addition to the standard requirements.
Other risks that need to be addressed include who and what goes in and out of suppliers’ facilities and who provides logistics. Who is the supplier’s last-mile logistics provider? Does the supplier have appropriate controls in place to ensure IT supplies and equipment are not stolen or tampered with?
All points of the supply chain — from sourcing the raw materials to manufacturing, production and distribution — represent an opportunity for malicious actors to sabotage a product or tamper with it.
How to Mitigate Technology Supply Chain Risks
The IT supply chain is complex, and as the National Counterintelligence and Security Center notes, foreign adversaries “use this complexity to obfuscate efforts to penetrate sensitive research and development programs, steal vast amounts of personally identifiable information (PII) and intellectual property (IP), and insert malware into critical components.”
Foreign adversaries, hackers and criminals seeking to “steal, compromise or alter, and destroy sensitive information can target government and industry via the contractors, sub-contractors, and suppliers at all tiers of the ICT supply chain,” CISA adds.
IT supply chain vulnerabilities can be introduced “during any phase of the product life cycle: design, development and production, distribution, acquisition and deployment, maintenance, and disposal,” CISA adds. However, existing processes may not be sufficient to effectively counter such risks.
For CDW, risk mitigation has three pillars that work in a continuum. The first pillar addresses being proactive and checking through all of the elements of risk in the supply chain.
Agencies need to enhance their risk analysis in the acquisition process to ensure that they are partnering with trusted, authorized suppliers. This matters deeply to government agencies and procurement officials, as it should. If components are tampered with or come from the wrong place, lives could be at stake in some government missions. Furthermore, government officials can go to jail if sanctioned entities’ components wind up in an agency’s supply chain.
The second pillar addresses managing through reactive situations. We work with government agencies to respond to their mission needs. What additional risks are we not thinking of that need to be mitigated? We come up with a plan together to mitigate risks within a defined timeline.
Agencies need to collaborate with private sector partners like CDW•G to develop industrywide standards and best practices for addressing risks.
The last pillar is all about avoiding risk altogether and not working with a supplier if it is deemed questionable.
At CDW, we strive to take a customer-first, vendor-agnostic approach to suppliers, and we tailor our supply chain solutions to meet and exceed our customers’ needs. Taking a vendor-agnostic approach to suppliers can help mitigate risks.
Additionally, agencies can invest in IT service management platforms, using best-in-class service management tools like ServiceNow to manage the entire lifecycle of the supply chain of IT assets and so help mitigate supply chain risk. Such tools can inform the agency’s business and the operational teams of risks, performance and cost. However, while the technology clearly has benefits in terms of identifying gaps in knowledge or capabilities, agencies still need properly trained procurement staff and governance rules in place to make the most of such platforms.
IT supply chain risks are complex, and they’re not growing any simpler to identify or mitigate. Risk can never be totally eliminated. But with the right approach and help from trusted partners, it’s possible to reduce it.