One common refrain for securing information and communication technology (ICT) supply chains is to focus on acquisition and supplier visibility. According to top IT leaders at a FCW workshop this week, federal entities seeking to secure their ICT supply chains have a knowledge problem.
Keith Nakasone, deputy assistant commissioner for acquisition at the General Services Administration, said rolling out ICT supply chain risk management (SCRM) use cases will be key for helping federal agencies identify and remedy security vulnerabilities in their supply chains.
“We're looking at the acquisition process, but also the cybersecurity side and the supply chain risk management side,” he said at the event. “From our portfolio perspective, we do have the cyber tools and some SCRM tools. As we do the assessment and look at the foundation of how things are built over time, we'll be able to see where those touchpoints may be and how to build these acquisitions solutions going forward.”
SCRM requires constant monitoring and information-sharing, Nakasone added. When you combine continuous supply chain monitoring with a robust information-sharing strategy across relevant federal agencies, suppliers, shippers, logistics providers and other vendors, you’ll develop a clearer picture of the state of supply chain security.
"It's never ending. The data changes, the profile of a company may change, the profile of the product may change," Nakasone said. "How can we do proper assessment across parts, products, components, services and solutions? As we build that out, this is some of the effort CMMC is driving toward, having that continuous process built into the acquisition lifecycle. It's not just one and done.”
Cyberspace Solarium Commission Executive Director Mark Montgomery echoed similar themes and suggested for the presidential administration to set up a national supply chain intelligence center to better coordinate information-sharing efforts regarding ICT SCRM.
“We have to make sure we're collaborating where additional research is needed, identifying new strategies to identify risk,” he said, “[and] just doing better supply chain risk intelligence and information-sharing. We already have some work going on to collect and disseminate information on supply chain risk that involves a national intelligence task force. We think Congress might want to look at directing the president to [set up] a national supply chain intelligence center. It's got to be designed to integrate supply chain intelligence efforts from across the federal government and serve as a central, shared knowledge resource on the supply chain.”
Jon Boyens, an ICT supply chain expert from NIST, thinks the reason federal agencies have a knowledge problem is because ICT SCRM has grown increasingly complex and confusing.
“It's the nexus between traditional information security and traditional supply chain risk management, and because it falls between the two, it's often neglected,” he said at the event. “I think where organizations get lost is they try to fly before they can walk.”
Boyens recommends federal agencies start slowly with their ICT SCRM practices, beginning with a formal program then identifying critical suppliers and dependencies.
“You have to know what you're dependent upon, but you also have to know who the suppliers of that technology are and be able to manage the risk of those suppliers,” he said. “It can be as simple as due diligence. Are those suppliers financially sound? What are the implications to my organization? If you're dependent on specific technology and that tech is being developed in certain countries that may have foreign ownership, control or influence. Get your own house in order. You have the most control over your own organization.”
The Department of Homeland Security, which leads ICT SCRM efforts through its Cybersecurity and Infrastructure Security Agency (CISA), provides a wealth of information and resources about ICT SCRM and helms multiple task forces aimed at improving ICT SCRM practices across the federal register.
“It all comes down to the ability to make sure supply chain risk is at the top of the risks you're worried about as an agency and being thought of as a key element of the business of government and industry,” said Bob Kolasky, assistant director for CISA’s National Risk Management Center.
Keying in on risk sources “will be key to SCRM,” he added. "A lot of what we're trying to advance is risk management at multiple levels."
CISA's ICT SCRM Task Force produced an overall threat evaluation guide for risk managers to reference and understand priorities around, Kolasky said.
For federal agencies just getting started, Kolasky recommends thinking about ICT components and how they affect critical functions.
“Start to think about the threats and the things that are most vulnerable,” he said. “Then you layer that with consequences — availability, confidentiality, integrity of the network. That's really the practice of identifying your risk."