The new resource center will give federal agencies and industry stakeholders practical tools to help meet new cyber supply chain risk management mandates.
The Cybersecurity and Infrastructure Security Agency is developing a new resource center for federal agencies to help address compliance issues associated with a wave of recent cyber supply chain risk management — or C-SCRM — and software security mandates.
The hub will first be piloted by an initial set of agencies, though CISA plans to include a section for industry as part of a broader effort to expand information sharing across the public and private sectors, according to Shon Lyublanovits, the lead for the agency’s C-SCRM project management office.
“We want to take some of the things coming from [the National Institute of Standards and Technology] and actually create practical checklists or guides to help with some of the compliance issues,” Lyublanovits said at FCW’s Supply Chain Workshop on Tuesday.
Lyublanovits said that the goal of the new resource center is to help organizations operationalize C-SCRM practices and enhance their overall cyber hygiene. CISA is envisioning that the hub will eventually allow agencies and other stakeholders to conveniently explore practical C-SCRM information assets like pull-down templates, checklists, guides and other tools.
“We want to give a few select agencies an opportunity to test it out first and to make sure that they give us good feedback,” Lyublanovits said, adding that a launch date for the hub has not yet been planned, though additional announcements will be made at the beginning of the next fiscal year.
CISA is also set to launch a new training initiative promoting the operational aspects of C-SCRM with various tracks for federal government and industry stakeholders.
Lyublanovits said the training will take a four-tiered approach to understanding C-SCRM processes and requirements, adding: “I want to move us away from just having documents and policies, to give them the tools and techniques to actually move forward to reduce risk.”
NIST and other federal entities have released a steady stream of C-SCRM and supply chain security guidelines in recent years, and NIST is also revising its Cybersecurity Framework with an emphasis on governance and supply chain security. The White House also issued a cybersecurity executive order (Executive Order 14028) in 2021 that aimed to strengthen the federal government's overall cyber posture and the nation's software supply chain security.
“We really want to be a lighthouse,” Lyublanovits said. “There should be no question that agencies and industry partners can come to CISA and get some real information on operationalizing C-SCRM.”