The Importance of Supply Chain Risk Management in Government

What Are the Largest IT Supply Chain Risks in Federal IT?

The size and scale of the federal technology ecosystem makes it inherently vulnerable. With so many moving parts, and the growth of the Internet of Things, there is ample opportunity for adversaries to insert themselves.

“The complexity, the diversity and the scale of the IT infrastructure in federal government: All that makes for a very complex risk,” says Ismael Valenzuela, a SANS-certified instructor and senior principal engineer at McAfee. “Now we are hooking up to hundreds of new IoT devices every day, devices that were not built with security in mind, and the attack surface just explodes exponentially.”

Experts worry that bad actors could insert malicious hardware or software into IT products that eventually get incorporated into federal systems. By compromising the supply chain, they could effectively open a back door into these systems.

By targeting the supply chain, adversaries can potentially gain entry into systems even before those tools are deployed into the federal space. “They could be trying to lay zero-day attacks within the system before it reaches the user,” says Kelvin Coleman, executive director of the National Cyber Security Alliance.

Such attacks could give bad actors significant leeway. “The real fear is that an external entity can breach that third party to gain a foothold in a federal network. They would then be able to move laterally within that network, with privileges that they should not have,” McGladrey says.

MORE FROM FEDTECH: Learn three ways to stay ahead of supply chain security challenges.

What Is Supply Chain Risk Management?

One way to address potential vulnerabilities around supply chain cybersecurity is through a risk management approach.

“Risk management is about assessing the risk of all the companies in that supply chain,” says Daniel Gonzales, a senior scientist at Rand. “That includes knowing who the companies are, who owns the company, where they are based, where they develop software and where they source hardware components.”

All that data helps federal agencies to determine the potential risk associated with any given element within the supply chain.

The risk management approach then looks at the downstream effects, considering the possible impact of supply chain cyberattacks. “You need to ask, what’s the potential consequence?” says Center for Internet Security CEO John Gilligan. “If I am looking at software that is of modest importance in an agency, that may be less risky than a system that is critical to the fundamental mission, or one that deals with sensitive information.”

In a risk management methodology, “the first step is to identify,” Coleman says. “It’s about knowing what you have in the supply chain. Then, you divide and separate: You can have batches of most important, very important, less important. It’s about prioritizing the most valuable resources.”

By evaluating the risk in this way, it becomes possible to organize one’s protections, applying defensive strategies to the places where they can have the greatest impact. Through risk management, “you narrow the focus to a smaller set of things that are really important. Then you have a better chance of deploying your resources where they will have the most benefit,” Gilligan says.

DIVE DEEPER: What is the NIST Risk Management Framework?

How Does the NIST C-SCRM Apply to Federal IT?

NIST makes available its Cyber Supply Chain Risk Management tool to help agencies better understand the risks inherent in their IT supply chains.

NIST describes C-SCRM as a “process of identifying, assessing and mitigating the risks associated with the distributed and interconnected nature of [technology] product and service supply chains.” This process covers the entire lifecycle of a system, including design, development, distribution, deployment, acquisition, maintenance and destruction.

Experts say it makes sense for federal agencies to leverage NIST’s tools. “The advantage of a risk management framework is that people smarter than you who have studied best practices have codified that into a model, so you don’t have to figure that out for yourself,” McGladrey says.

“If you go with a published model, rather than making it up on your own, you avoid some of the harder problems. They tell you how to document risk, how to interview a supplier, all the best practices around collecting supplier data,” he says. “The models have already processed all of that and can give it to the user in a form that they can follow and interpret.”

At the same time, cyber professionals note that the NIST guidance offers a fairly high-level take on supply chain risk. In order to make effective use of the NIST tools, they say, agencies likely will have to apply their own mission-specific spin.

The NIST guidelines “are well written, they are logical, they give good guidance, but they tend to be a bit general,” Gilligan says. “Organizations need to bring something extra to the implementation: They need to bring a keen understanding of the criticality of their systems and the nature of their infrastructure. Then you can tailor that NIST guidance based on that specific knowledge.”

READ MORE: Find out how to best update your agency’s incident response plan.

How Does an Agency Conduct a Cybersecurity Risk Assessment?

While it is possible to minimize risk in the supply chain, that risk level never drops to zero. Given the inherent vulnerability of IT systems, experts say the best hedge against supply chain risk is to harden an agency’s cyber defenses.

“In an uncertain supply chain situation, even having basic cyber hygiene can go a long way toward helping,” Coleman says.

For many agencies, this starts with a cyber risk assessment — a deep dive into the operational vulnerabilities associated with a given IT deployment.

“If you are deploying a system into the core of a government agency’s network, where it will communicate with sensitive servers, that is one level of risk,” Gonzales says. “If it’s deployed at the edge of the network and it doesn’t have access to a sensitive database, there is less risk associated with that.”

The cyber risk assessment will also look at the third-party providers who support those deployments. “Do you know all the third parties you are dealing with? Because not all of them should be treated equally. You have to be more stringent with certain companies to ensure they are meeting your standards,” Coleman says.

In terms of the supply chain, a cyber risk assessment “is about asking very specific questions about your third-party providers,” he says. “Are they adhering to your standards, from endpoint protection to perimeter protection? Every third-party vendor should meet the same standards that the organization uses for itself.”

By evaluating the risk associated with internal systems, as well as the risk surrounding third-party providers, a cybersecurity risk assessment helps to ensure that federal systems can maintain their integrity even in the face of a supply chain breach.

“You can never get risk to zero, but you can mitigate risk to an acceptable level for that agency or that project,” McGladrey says. “You need to know what risks you can accept and what you have done to mitigate the potential damage associated with those risks.”