Reports of large-scale cyberattacks such as the Russian breach of SolarWinds, the passage of the Federal Acquisition Supply Chain Security Act of 2018 and the signing of President Joe Biden’s cybersecurity executive order have kept cyber supply chain risks top of mind for policymakers and federal agencies.
Here’s an update on what agencies can do to defend against these threats and how the General Services Administration is helping agencies mitigate cyber supply chain risks.
Government depends on a global supply chain ecosystem: vendors, distribution routes, technologies, laws and policies. Each piece of the ecosystem works with the rest to design, manufacture, distribute, use and manage products and services.
However, these supply chain ecosystems can also expose government organizations and enterprises to risk. Those risks can be financial, geopolitical, environmental or cybersecurity-related, among others.
Of these risks, one stands out: cybersecurity, involving the exploitation of vulnerabilities in a supply chain to carry out a cyberattack.
An example of a supply chain cyberattack is when a third party, such as a trusted outside partner or vendor with access to a system’s data, is exploited by an attacker to infiltrate the system.
Supply chain attacks are difficult to prevent and can greatly harm an organization. Federal agencies must identify, analyze, respond to and continuously monitor risk within their supply chains.
In a December 2020 report, the Government Accountability Office assessed how 23 civilian Chief Financial Officers Act agencies implemented seven information and communications technology supply chain risk management (SCRM) practices.
In its review, the GAO found that many agencies had not implemented the practices according to its evaluation criteria. Also, no agencies had fully implemented all seven practices.
How to Best Reduce Supply Chain Risk
You can take proactive measures to reduce an agency’s cyber supply chain risks. First, integrate cyber supply chain risk management (C-SCRM) with the acquisition process. C-SCRM can improve cybersecurity risk management in the supply chain at every step of the procurement and contract management process.
Evaluate your organizational structure. Set up a collective task force to secure your supply chain. Empower this team to hold lower-level suppliers accountable and maintain responsibility for overall supply chain security.
Identify and empower supply chain leadership. Review and monitor key contracts to verify that prime contractors and subcontractors maintain security practices through the contract lifecycle. Threat intelligence and incident response capabilities must work together.
Put data protection and stakeholder communication processes in place. Set requirements for communicating and protecting data, specifically for incidents, breach notifications, and industry or legal reporting requirements.
Build trust by sharing threats with your supply chain partners. Prevent communication delays by being transparent about an attack or a potential breach.
Trust does not happen on its own. Open and transparent leadership and communication create trust, and building that trust includes a commitment to straight talk, the ability to produce results and the ability to restore trust when it is lost.
Finally, provide C-SCRM training and awareness. Everyone within an organization has a role to play in managing cybersecurity risk throughout the supply chain. As such, each person should receive appropriate training to promote and enhance knowledge of C-SCRM throughout the organization.
How Agencies Can Find GSA Resources
For the past 10 years, federal guidance and regulations have prioritized SCRM. This priority reflects the increasing threat of the exploitation of vulnerabilities in the nation’s supply chain.
Most recently, the Office of Management and Budget issued additional guidance to support the cybersecurity executive order’s mission, and the National Institute of Standards and Technology’s Special Publication 800-161 Rev. 1 published critical success factors for addressing C-SCRM practices in systems and organizations.
We continue to develop ways to help agencies reduce supply chain risk. For instance, here are some of the C-SCRM initiatives integrated into the acquisition process:
- Section 889 Pre-Award Assessment: Section 889 (Part A) of the FY 2019 National Defense Authorization Act prohibits the government from obtaining certain telecommunications equipment or services produced by five covered entities, their subsidiaries or affiliates. To mitigate compliance risk in connection with Section 889, the GSA Federal Acquisition Regulation/Information Technology Category is conducting a pre-award assessment to ensure prohibited equipment or services are identified before a contract is awarded to support a compliant GSA marketplace. The process also identifies Section 889-compliant offerors that present a potential risk of noncompliance in the future and subjects them to continuous monitoring throughout the post-award stage.
- Supply Chain Risk Information Gathering: GSA has developed a comprehensive SCRM questionnaire for gathering supply chain risk information and has set out relevant artifact requirements, including SCRM plans, policies and software bills of materials, for vendors offering information and communications technology (ICT) products and services in the GSA marketplace. This information and these artifacts allow effective evaluation of the integrity, trustworthiness and authenticity of the ICT products, services or vendors.
- 2nd Generation IT (2GIT) Products Blanket Purchase Agreements Assessment: Cyber supply chain risk assessment and continuous monitoring ensure 2GIT BPA vendors’ compliance with an established security baseline throughout the performance of the BPA.
Why Joining a Community of Practice Matters
In August 2021, we established a C-SCRM Acquisition Community of Practice. It includes key acquisition stakeholders from GSA, the Cybersecurity and Infrastructure Security Agency, OMB and other federal agencies.
The goal of the C-SCRM Acquisition Community of Practice is to increase awareness and develop maturity across the federal government in cyber acquisitions and in supply chain risk management for information and communications technology and services.
Many federal departments and agencies need to mature their C-SCRM capabilities, guidance and training. This is particularly true for acquiring ICT hardware and software.
We need governmentwide contract language that holds ICT product vendors accountable for assessing the risk of their supply channels, especially for embedded software.
GSA maintains a C-SCRM Acquisition Community Interact Site as a space for government and industry to collaborate and share cybersecurity best practices. Join to stay up to date on the most recent news and information and gain access to cybersecurity acquisition resources.
The Buyer’s Guide to Supply Chain Cybersecurity
In August 2022, GSA developed the C-SCRM Guide to aid agencies in navigating the Biden administration’s evolving cybersecurity requirements and address supply chain risks.
The guide provides a high-level overview of C-SCRM best practices, resources for agencies to use in securing their cybersecurity supply chains and information on how to acquire GSA-offered products, services and solutions for a strong C-SCRM program.
In addition, we are developing a program that can identify, assess and monitor supply chain risks for vendors that do critical work for the federal government. It will audit supply chain risk processes or events, and it may include onsite assessments.
The following criteria will be monitored: risk of foreign ownership, control or influence; cyber risk; and factors that would affect the company’s vulnerability, such as financial performance.
If the risk assessment identifies supply chain risks, we will work with the vendor on a corrective action based on the specific identified risks. We take this seriously. Failing to resolve any identified risk may result in government action up to and including contract termination.
Cyber supply chain risks can impact sourcing, vendor management, supply chain continuity, quality and transportation security. Acquisition professionals need to know more about C-SCRM because data breaches affect an agency’s risk mitigation strategy.
Coordination is necessary for information security. Agencies must continuously monitor their interconnected IT ecosystem and establish the contract requirements necessary to ensure that vendors do the same.