The Cybersecurity and Infrastructure Security Agency (CISA), a sub-agency within the Department of Homeland Security (DHS), recently released a report providing recommendations on combatting emerging threats to the federal technology supply chain. The report is a summation of the work conducted by the agency’s Information and Communications Technology Supply Chain Risk Management Task Force, which has operated for the past year. The report comes hot on the heels of recent DoD policy changes mandating contractors formalize approaches to supply chain risk.
The task force behind the report is comprised of a mixture of federal and industry expertise. Interos contributed to the task force as one twenty participating organizations whose expertise was credited with helping meet the “fundamental challenge of securing the ICT supply chain, an important homeland and national security priority.”
Their guidance coincides with the DOD’s mandate to incorporate supply chain risk management in RFP responses, and the release of a cyber security maturity standard. The report articulates that there are significant policy and organizational barriers preventing effective information sharing regarding bad actors and other supply chain threats. These include:
- Product-based risks like counterfeit goods, device impersonation, and malicious code insertion
- Organizational risks like insider threats or physical harm to people and products within the supply chain
The report also articulates risks that are unique to SCRM, specifically highlighting a lack of uniformity around delivery mechanisms for information. The report articulates that actionable intelligence regarding supply chain risk often contains sensitive information that is difficult to legally disseminate.
Threat Inventory
Another working group with the task force focused on leveraging National Institute of Standards and Technology (NIST) risk management methodologies to analyze identified threats and create a threat inventory, creating 9 threat categories. They are:
- Counterfeit Parts
- Cybersecurity
- Internal Security Operations and Controls
- Compromise of System Development Life Cycle (SDLC) Processes and Tools
- Insider Threat
- Inherited Risk (Extended Supply Chain)
- Economic
- Legal
- External End-to-End Supply Chain
190 Supply Chain Threats
The report further identified 190 specific supply chain threats which have yet to made public due to their highly sensitive nature. The task force further outlined 40 scenarios aligned to the 9 threat categories. John Miller, co-chairman of the task force stated that “In building out those scenarios, several categories were considered by the group, including the interplay of particular vulnerabilities in that context: business impacts, potential business mitigation strategies and controls,” Miller said. “It was a very contextual analysis for each of them” according to an interview with the Federal News Network. The task force also created a draft report including analysis of differing approached to supply chain assurance alongside examples of existing supply assurance programs.
Additionally, the report highlights proposed evaluation criteria for creating lists of Qualified Bidders and Manufacturers (QBL/QML) that factor in supply chain risk. The factors include:
- Amount an entity spends on a covered article
- Market conditions of the covered article
- Importance of the covered article to the goal/mission
- Frequency of known attacks to or through the covered article or its supply chain
- Probability of threat or the likelihood of an attack to the supply chain.
- Level of Control over the Manufacturing and Distribution of the covered article.
- Volume of known vulnerabilities in the covered article or in common configuration(s) of the covered article
- Ease of compromise/vulnerability of the covered article
- Existence of standards applicable to the covered article (NIST, ISO, etc.)
- Existence of policy mechanisms applicable to the covered article
- Liability if the covered article is compromised
The report highlights both the importance of, and inherent challenges to, supply chain risk management activities. Federal agencies and their contractors need comprehensive solutions to manage the risk in their digital and physical supply chains. The best way to mange this risk is by leveraging intelligent technologies that can effectively and securely ingest and communicate relevant supply chain risk information in a manner that’s timely enough to enable decisive action.