The SolarWinds software supply chain breach at the end of 2020 thrust supply chain risk management (SCRM) into the forefront of IT news, but many organizations still struggle to reconcile business opportunities with potential supply chain risks and plan for them accordingly.
Leidos, a technology, engineering, and science solutions and services leader working to solve the world’s toughest challenges in the defense, intelligence, civil, and health markets, is working with private companies and public sector organizations to transform supply chain risk management from a “nice-to-have” into a baseline requirement for doing business.
“In the last couple decades, with the increase of cloud computing and the Internet of Things, all of a sudden the secured supply chains and finite supply chain parts of the supplier networks are abruptly interconnected into this crazy web of where's the data flowing and who has it and where is it residing and how is it protected,” said Leidos Senior Manager for Cybersecurity Risk Management Nika Zannini in an interview with GovCIO Media & Research. “It creates this huge new complex problem that didn’t exist before, and it adds a lot more risk and concern for security upstream of the customer.”
Brian Johnson, who was Leidos’ first SCRM manager and is now Director of Supply Chain Risk and Resiliency at Leidos, said one hurdle to effective SCRM is getting C-suites to greenlight SCRM funding and resources.
“We as humans want to mitigate things that are immediate and more measurable,” he said in an interview with GovCIO Media & Research. “True risk management is about evaluating the potentialities, the likelihood, and that impact. It's very nebulous, so making the business case that speaks to the executive leadership team about resourcing risk management activities and staff can be a challenge. Having clearly defined roles and clear accountability for supply chain risk is a great first step, as we’ve done here in our Procurement organization. Working collaboratively across all affected functions is another necessary step.
“For Leidos specifically, it was recognized a number of years ago that this was an area we couldn't ignore and needed to be more strategic and thoughtful for resolving the issue, otherwise we were marching off a cliff,” Johnson said.
Risk management in general suffers across organizations, not just SCRM, Zannini added.
“A lot of risk management is working in the realm of could happen or might happen, and so the actual dollar signs and value are a lot harder to assess and come up with,” she said. “In that sense, risk management tends to be kind of less a priority in a company’s overall business strategy. The fires we put out on one side are unrealized fires that we have assessed would have a concerning impact on the business, and the other side of that is risk management of the actual immediate fires and realized risks that are occurring.”
What is helping industry improve its SCRM is that federal entities such as the Cybersecurity and Infrastructure Security Agency (CISA), the Defense Department, the National Institute of Standards and Technology (NIST), the Office of the Director of National Intelligence (ODNI) and others routinely update their SCRM guidelines and strategies.
Brian Paap, a cyber engineering consultant at CISA, recently said the agency will release a new SCRM guide that integrates SCRM guidelines from CISA, DOD, NIST and industry. Paap highlighted a lack of funding, resources, and workforce training as major challenges to effective SCRM.
Last year, General Services Administration Cyber Advisor Alyssa Feola said “shadow IT” and failing to track technology throughout the supply chain contribute to lapses in SCRM and increased risk. Software bills of materials (SBOMs) and a zero trust approach to cybersecurity can help organizations track technologies such as software and IoT devices throughout the supply chain.
CISA and DOD also released a joint report of recommended practices for software developers and buyers to manage software supply chain risk this month.
Last week, the White House Office of Management and Budget (OMB) published a memo aiming to improve software supply chain security by requiring federal agencies to use software compliant with basic cybersecurity controls.
Leidos uses a few strategies to reach organizations uninitiated in SCRM, including education and strengthening terms and conditions around cybersecurity.
Constant, clear communication between procurement teams, contracts administrators, legal and privacy teams, and IT and security teams is critical.
“Continuous collaboration between CISO and procurement SCRM teams ensures visibility, transparency, and cooperation for supplier agreements, onboarding and risk reviews, restricted suppliers, supply chain incident handling, policy and procedure revisions, continuous monitoring and all other facets of a proactive risk management approach to supply chain,” Zannini said.
Johnson said he likes to focus on general education and strong cybersecurity controls, then work with organizations to tailor their SCRM practices to their individual needs and include measures such as cybersecurity assessments or privacy reviews as needed.
“Kind of like all politics is local, all SCRM is local to the service you're buying,” he said. “Step one preventing stuff from coming in house to begin with, step two affecting a new mitigation gate (if you must allow the risk). From a hardware standpoint, it's really monitoring appropriate distribution channels. SCRM is cradle to grave. It's from the initial design to the evaluation of the product and the source to the monitoring of that source and disposal of that product.”
Looking to the future, Johnson and Zannini want Leidos and other organizations to get to a point where they’re no longer “reacting” to risk but taking a proactive approach. Emerging technologies such as artificial intelligence (AI) and machine learning (ML) can help SCRM managers develop clearer risk profiles and predict and prevent — or at least mitigate — incidents before they happen.
“How do we leverage mind boggling amounts of data we already have access to and use systems to automate processes and create assessments and create a capability where the noise gets filtered out and we can dial into mechanisms that predict what could occur so the small response and mitigation teams can evaluate a smaller subset of all the risks that are happening and put in place strategies before it even occurs, so we're not reacting but getting ahead of it and halting them before they even start?” Johnson said. “Some of that activity is already happening. We need to be doing it at a more enterprise level. We're only as good as our weakest link.”
Educating Leidos employees, subcontractors, SMB partners, and critical supply chain suppliers on how to be proactive at identifying and mitigating risk is also a key ingredient in the proactive supply chain risk management recipe. Zannini explains:
“Building and nurturing an effective, proactive supply chain risk management program takes time, energy, and resources and investing in our team and partner relationships through training, communication, and collaboration to better our overall business security benefits everyone along the path, from supplier to customer to end users. As we say in the Navy, ‘One team, one fight.’”
This article is sponsored by Leidos.