As cyber and software supply chain threats continue to increase in volume, government agencies must take into consideration how vulnerable their supply chains are to potentially catastrophic cyber-attacks.
In a recent webinar hosted by Digital Government Institute, Brian Paap, Supply-Chain Technical Operational and Risk Management (STORM) Lead at CISA, shared that many cybersecurity incidents take 18 months to resolve and close, which is too long, especially for the government. Integrating the supply chain aspect into overall incident response would be a valuable area for organizations to start investigating. This is especially crucial since cyber and software supply chains are often very complex: sometimes hundreds of components go into building a product, so many entities are involved.
The goal in managing this risk is to reach a state where government agencies understand which organizations are trustworthy. Mitigating risk also entails knowing which processes, products, and services are reliable and of sufficient quality.
This is where Cyber Supply Chain Risk Management (C-SCRM) comes into play. C-SCRM is the process of identifying, assessing, and mitigating the risks associated with the distributed and interconnected nature of IT and operational technology product and service supply chains. Though it is advised that all government agencies adopt C-SCRM, many don’t know where to begin since just purchasing a tool is not enough. After all, security is a process, not just a product.
Security is a process, not a product.
If an agency starts by looking into purchasing a tool to fix a security issue, that’s not the appropriate approach. Government agencies need to focus on their C-SCRM strategy, governance, and policies in order to build toward what they need within their program. Agencies need to ensure that they have this groundwork in place before researching and purchasing various security tools.
C-SCRM shouldn’t be a siloed function; it is about integrating and building upon existing operations and processes throughout the entire agency. Agencies need to think about security upfront, build it in, and then understand where their software might be vulnerable. Getting that upfront policy in place can assist in communicating that it’s a priority for the organization, which will, in turn, foster a C-SCRM culture. This culture can be strengthened by including C-SCRM in agency-wide messaging and training.
In addition, government agencies must have a strategy in place to address when a bad actor attempts to compromise their software.
Creating a strategy
C-SCRM is a multidisciplinary activity that will need to involve a wide range of people across the organization, including risk management, system and software development, information technology (IT), legal, human resources (HR), acquisition/procurement, and information security. This may sound daunting, but begin with a small cross-organizational core team of people who are competent in these areas and willing to do the hard work, then the group can grow from there. It is also best to include agency leaders to further instill a C-SCRM culture.
After this cross-organizational group is established, agencies then need to create a strategy and plan to understand what resources are needed. This would also be the time to begin implementing governance to ensure all compliance requirements are met.
Once the C-SCRM core group and strategy are in place, agencies may want to share risk information with other entities the agency already works with. Then agencies can focus on implementing security controls to address supply chain risks and on conducting supply chain risk assessments. These actions all need to be carried out across the organization, with experts from various disciplines working in a coordinated fashion. C-SCRM implementation really does require coordination, ongoing commitment, and teamwork.
C-SCRM resources are desperately needed.
If you look at C-SCRM, it’s one of those things that has been listed as a redheaded stepchild for decades; however, the government is beginning to see more emphasis as more risks arise. But resources in this area are very low. This is because there are not many people in this area of expertise that have the knowledge to speak the jargon for legal, internet protocol, HR, InfoSec, DevSecOps, risk management, acquisitions, and cyber. It takes someone well-rounded in multiple fields to truly understand what a C-SCRM program needs or what it does.
In addition, there is a fundamental need for funding and resources to sustain C-SCRM. A champion is needed to engage leaders to sit down and take a look at what funding and resources would be needed to make this a possibility. And then further, how to sustain it for the next three to five years.
Agencies need to know who and what they are working with.
Government agencies purchase a lot of products, and these organizations tend to have many suppliers. Agencies not only need to know who their critical suppliers are; they also need to do their due diligence and conduct assessments before deciding who they will do business with. It may not be possible to assess everything, so prioritizing what is most critical is where agencies need to start.
What agencies accomplish through assessment is really identifying and getting in front of those risks that might need to be avoided or mitigated in some way. Assessments also help validate that the agency is working with a trustworthy supplier and has trustworthy, quality processes in place.
There is a need for greater visibility into third-party software providers and downstream suppliers. Unlike a can of soup, software doesn’t have a list of ingredients on the package. So, how do agencies verify? Agencies need to ask their software supplier for better information, whether that is a software bill of materials (SBOM) or a software scan report. This is something agencies need in order to gain better assurance that what they are receiving is what they were promised.
Building requirements in supplier contracts can help achieve this. It is also important to think of C-SCRM as a lifecycle, since risk doesn’t begin or end at the point of procuring a digital asset; changes can occur during the extent of a contractual arrangement.
If a government agency follows these steps, it will have created a foundation upon which it can continue to build its C-SCRM program, address its risk exposure, and put protections and risk response actions in place.