What it takes to future-proof federal IT supply chains

We have now advanced past that initial disruption brought about by the COVID-19 pandemic, and agencies and organizations should ask themselves: how can we make our supply chains better for the long term, and how do we continue to improve work-from-home security?

COVID-19 sent supply chains into shock and forced many organizations in both the private and public sectors to quickly recalibrate their operations in order to enhance security and ensure public safety. With little time to prepare, only so much could be done to avert disruption. We witnessed doctors, nurses and medical staff on the frontlines of the fight face personal protective equipment (PPE) shortages for reasons similar to those behind many high-profile data breaches: the operational and supply chain systems, often forgotten behind the scenes, were interrupted.

We have now advanced past that initial disruption. We have adapted, and things are getting better in security and the supply chain. Yet we still contend with the day-to-day reality of the pandemic, and agencies and organizations should ask themselves: how can we make our supply chains better for the long term, and how do we continue to improve work-from-home security?

Leaders at all levels of federal and local governments as well as in the private sector have a role to play in future-proofing our national and international supply chains, including both the physical routes they run along as well as the digital capabilities that drive them. The silver lining in this scenario is that COVID-19 brought a closer level of partnership between the private and public sectors. Together these entities must ensure that supply chains are built to contend with the next major disruption, whether it be an evolution of this virus or from weather pattern changes or world political power plays. Here are three recommendations of how:

Mitigate the Threat of Complexity

The U.S. federal government and owners of our nation's critical infrastructure spend $500 billion annually on information and communications technology (ICT) from thousands of suppliers, both national and international. The growing interdependencies between agencies and third-party vendors can lead to information silos, where agencies are not able to assess vendor risk. This requires agencies to trust their prime vendors, and it demands the time, effort and financial investment to do it right. The Department of Defense is moving to a Cybersecurity Maturity Model Certification (CMMC), which will involve a third-party assessment to reduce the risk of security breaches or continuity disruptions. If this model is perceived to work, the rest of government procurement will follow.

As Gregory C. Wilshusen, Director of Information Security Issues at the U.S. Government Accountability Office, said in a July 2018 congressional testimony, agencies often have little visibility or control over how the technology they acquire is developed, integrated and deployed. This is not pejorative. Most agencies do not want to become systems integrators.

Nevertheless, there is growing support for policy changes among many of the federal government's largest agencies, including the Department of Defense and Department of Commerce, to make vendor risks more transparent. The National Cybersecurity Strategy released in Sept. 2018 was a big step, calling for better integration among agencies. My time serving on the DHS Supply Chain Risk Management Task Force that came out of that bill proved to me just how astonishing the number of identified threats was.

Agencies are working to gain a better view of their vendors' security strategies. Complexity is inevitable, but trust between contractors and government program offices is essential to improving security. The best programs today are run as a team and not in an adversarial manner.

Ensure Security in the "Last Mile" of the Reseller Network

A significant risk area is in the "last mile" of ICT supply chains within the reseller ecosystem. This is where original equipment manufacturers connect to their government partners. It is also a soft spot for risk.

To secure the "last mile," agencies may want to conduct an internal audit of all their prime vendors. This can be done by agency personnel or a third party, such as a SETA contractor. The resulting evaluation of the security practices could then be given a relative grade, which would determine risk and set a timetable to inspect for improvement. The lower-risk companies would be audited less. Another approach would follow the CMMC path of assigning corporations levels of security achievement, which qualify the company to bid on higher-risk contracts. This system is mutually beneficial. In fact, this is the approach the Naval Nuclear Power Program took under Adm. Hyman Rickover with regard to reactor safety. Annual inspections called Operational Reactor Safeguards Exams (ORSE) allow boats to assess their safety compliance through an independent group that goes from boat to boat and sees the best and the worst in the fleet. The result is that the whole fleet gets better year over year.

According to research from the Ponemon Institute, 59% of organizations worldwide (and 61% in the U.S.) have experienced a data breach caused by a third-party vendor. Meanwhile, COVID-19 is causing dramatic spikes in the short- and medium-term risks of organizations' supply chains. As a result, organizations must practice even more extreme caution in choosing suppliers. Beyond vendor selection, government agencies should also understand potential hardware vulnerabilities. When agencies are running on nearly 50-year-old systems with non-secure hardware, supply chain risks are high.

Capitalize on Opportunities for Partnership

Ultimately, the best way to shore up our ICT supply chains is through a coordinated private-public effort to increase visibility and information sharing for all parties. This kind of partnership is already underway. In early July, the National Telecommunications and Information Administration announced the establishment of a partnership between five agencies and the private sector to share information on supply chain risks. The Communications Supply Chain Risk Information Partnership (C-SCRIP) will work in four phases to declassify materials on supply chain risks, share them with trusted providers and expedite the advancement of security clearances for representatives of trusted providers.

In the coming months, COVID-19, like other future disruptions, will continue to expose security and supply chain vulnerabilities and hopefully push us all toward better systems. While there is no turnkey solution, the first step every organization should take today is to identify trusted vendors who are willing to proactively partner with them to build better, more resilient supply chains for the future.
