Federal government leaders are looking to foster supply chain monitoring and cross-agency collaboration with the goal of bolstering public sector cybersecurity, particularly as a means of proactively identifying and correcting key vulnerabilities.
These measures appear to be a dual response to the rapid pace of technological change as well as the deficits exposed by the recent SolarWinds breach that crossed multiple agency networks.
“We need to be thinking about security and protecting our assets,” said Department of Homeland Security Chief Procurement Officer Soraya Correa at the 2021 ACT-IAC Acquisition Innovation Forum. “The best way to do that is to have a good, strong mitigation plan. You have to understand the supply chain, you have to understand the elements of the supply chain and how they're impacted. You have to understand where these products and services come from and how they could be accessed or touched in any way that could be vulnerable.”
Much of this centers on more rigorously evaluating the IT supply chain, particularly to notice and address potential weak links — a collaborative process occurring both within DHS and across the federal government as a whole.
“We work in partnership with our Cybersecurity and Infrastructure Security Agency, and we also work together with our CIO and others in our organization to make sure that we're building security throughout the process, and that we are identifying the vulnerabilities and risks in our procurements and mitigating those to the best extent possible,” Correa said.
One of the most productive cybersecurity partnerships occurring across government appears to be forming between DHS and the Defense Department, particularly with a network security standardization process DHS is looking to share with private-sector partners.
“Many of our industry counterparts are asking if we're going to adopt the Department of Defense's Cybersecurity Maturity Model Certification,” Correa said. “Our chief information security officer is working directly with DOD, and we have a working group that consists of procurement, CISA and several other organizations to look at those processes and see how we can implement them at DHS.”
In addition to the adoption of the Cybersecurity Maturity Model Certification (CMMC), DHS is looking to establish a comprehensive means of evaluating the separate components that go into public sector software, so as to prevent the kind of component-level exploitation that enabled the SolarWinds breach.
“A concept that's being discussed quite a bit lately is the software bill of materials. The SolarWinds compromise kind of gave birth to this discussion. The software bill of materials is a list of all components that make up a potential software solution, including commercial software as well as open source software. And a bill of materials is used in supply chain risk management to assess vulnerabilities in a product or software solution. So again we're looking at this concept and how we can use that in our processes to make sure we fully understand the composition of a software solution or a system solution,” Correa said.