What it takes to future-proof federal IT supply chains
We have now advanced past that initial disruption brought about by the COVID-19 pandemic, and agencies and organizations should ask themselves: how can we make our supply chains better for the long term, and how do we continue to improve work-from-home security?
COVID-19 sent supply chains into shock and forced many organizations in both the private and public sectors to quickly recalibrate their operations in order to enhance security and ensure public safety. With little time to prepare, only so much could be done to avert disruption. We witnessed doctors, nurses and medical staff on the frontlines of the fight face personal protective equipment (PPE) shortages for reasons similar to those behind many high-profile data breaches: the operational and supply chain systems that are usually forgotten behind the scenes were interrupted.
We have now advanced past that initial disruption. We have adapted, and both security and supply chains are recovering. Yet we still contend with the day-to-day reality of the pandemic, and agencies and organizations should ask themselves: how can we make our supply chains better for the long term, and how do we continue to improve work-from-home security?
Leaders at all levels of federal and local governments, as well as in the private sector, have a role to play in future-proofing our national and international supply chains, including both the physical routes they run along and the digital capabilities that drive them. The silver lining in this scenario is that COVID-19 brought a closer level of partnership between the private and public sectors. Together these entities must ensure that supply chains are built to contend with the next major disruption, whether it comes from an evolution of this virus, from changing weather patterns or from world political power plays. Here are three recommendations for how to do that:
Mitigate the Threat of Complexity
The U.S. federal government and owners of our nation's critical infrastructure spend $500 billion annually on information and communications technology (ICT) from thousands of suppliers, both national and international. The growing interdependencies between agencies and third-party vendors can lead to information silos in which agencies are unable to assess vendor risk. Agencies are then left to trust their prime vendors, and assessing that trust properly demands time, effort and financial investment. The Department of Defense is moving to the Cybersecurity Maturity Model Certification (CMMC), which will require contractors to pass a third-party assessment of their cybersecurity practices rather than rely on self-attestation, in order to reduce the risk of a security breach or continuity disruption. If this model is seen to work, the rest of government procurement is likely to follow.
As Gregory C. Wilshusen, Director of Information Security Issues at the U.S. Government Accountability Office, said in July 2018 congressional testimony, agencies often have little visibility into or control over how the technology they acquire is developed, integrated and deployed. This is not a criticism. Most agencies do not want to become systems integrators.
Nevertheless, there is growing support for policy changes among many of the federal government's largest agencies, including the Department of Defense and the Department of Commerce, to make vendor risks more transparent. The National Cyber Strategy released in September 2018 was a big step, calling for better integration among agencies. My time serving on the DHS Supply Chain Risk Management Task Force that came out of that bill proved to me just how astonishing the number of identified threats was.
Agencies are working to gain a better view of their vendors' security strategies. Complexity is inevitable, but trust between contractors and government program offices is essential to improving security. The best programs today are run as a team, not in an adversarial manner.
Ensure Security in the "Last Mile" of the Reseller Network
A significant risk area is the "last mile" of ICT supply chains: the reseller ecosystem through which original equipment manufacturers' products reach their government customers. It is also a soft spot for risk.
To secure the "last mile," agencies may want to audit all of their prime vendors. This can be done by agency personnel or by a third party, such as a systems engineering and technical assistance (SETA) contractor. The resulting evaluation of each vendor's security practices could then be given a relative grade, which would determine its risk level and set a timetable for re-inspection to check for improvement; lower-risk companies would be audited less often. Another approach would follow the CMMC path of assigning corporations levels of security achievement, with each level qualifying the company to bid on higher-risk contracts. Either system is mutually beneficial. In fact, this is the approach the Naval Nuclear Propulsion Program took under Adm. Hyman Rickover with regard to reactor safety. Annual inspections called Operational Reactor Safeguards Examinations (ORSE) have an independent team assess each boat's safety compliance, going from boat to boat and seeing the best and the worst in the fleet. The result is that the whole fleet gets better year over year.
According to research from the Ponemon Institute, 59 percent of organizations worldwide (and 61 percent in the U.S.) have experienced a data breach caused by a third-party vendor. Meanwhile, COVID-19 is causing dramatic spikes in the short- and medium-term risks to organizations' supply chains. As a result, organizations must exercise even more caution in choosing their suppliers. Beyond vendor selection, government agencies should also understand potential hardware vulnerabilities. When agencies are running on nearly 50-year-old systems with hardware that was never designed to be secure, supply chain risks are high.
Capitalize on Opportunities for Partnership
Ultimately, the best way to shore up our ICT supply chains is through a coordinated public-private effort to increase visibility and information sharing for all parties. This kind of partnership is already underway. In early July, the National Telecommunications and Information Administration announced the establishment of a partnership between five agencies and the private sector to share information on supply chain risks. The Communications Supply Chain Risk Information Partnership (C-SCRIP) will work in four phases to declassify materials on supply chain risks, share them with trusted providers and expedite security clearances for representatives of trusted providers.
In the coming months, COVID-19, like the disruptions that will follow it, will continue to expose security and supply chain vulnerabilities and, hopefully, push us all toward better systems. While there is no turnkey solution, the first step every organization should take today is to identify trusted vendors who are willing to proactively partner with it to build better, more resilient supply chains for the future.