Reducing Cybersecurity Risks in Supply Chain Risk Management

Shon Lyublanovits, IT Security Subcategory Manager and Director of the Security Services Division

[Editorial note: This blog is the last of a three-part series by Shon Lyublanovits, GSA’s IT Security Subcategory Manager and Director of the Office of IT Security Services for the Office of Information Technology Category (ITC). Designed to help build awareness of the Department of Homeland Security’s (DHS) annual October National Cyber Security Awareness Month, this blog series describes a suite of cybersecurity products, services and solutions provided by GSA, outlining the unique benefits each provides to government.]

Federal Information and Communications Technology (ICT) systems rely on a complex, globally distributed, and interconnected supply chain ecosystem encompassing geographically diverse routes and multiple tiers of outsourcing. Managing ICT systems is a difficult and complex task for government agencies — especially when these systems are affected by various laws, trust models, interests, and national/international supply chains. It becomes even more difficult when criminals constantly introduce proprietary counterfeits and malware, conduct data tampering, and access sensitive information.

To protect ICT systems from criminals, we are working with government agencies to reduce cybersecurity risks through the acquisition of IT hardware and software. We’re also helping government leaders, chief information officers, and IT experts develop and implement sound policy guidance to deploy Supply Chain Risk Management (SCRM) activities throughout the entire acquisition lifecycle.

Challenges for government and industry

The federal government faces significant cybersecurity challenges when procuring IT products or services, stemming from inadequate built-in cybersecurity controls in the supply chain. An increase in the use of ready-made, off-the-shelf products, plus a rise in outsourced computer and communications operations, makes it more difficult to manage the supply chain.

Our industry partners are facing challenges as well. Companies require agile, elastic business models to remain competitive and keep pace with emerging technologies, but they also need to protect themselves against volatile cybersecurity threats, especially in the supply chain. From a national security perspective, when large components of these business models become vulnerable to cyber threats, the private sector becomes a target of nation states.

Enhancement of IT procurement through sound policy drives

Within the global marketplace, particularly the supply networks, criminals have more opportunities to penetrate and potentially manipulate information and technology. In order to mitigate these threats, GSA supports various statutory, regulatory, and policy requirements that address the current challenges of the global marketplace.

We are currently developing a Business Due Diligence Information Service that will give agencies a common government-wide capability for identifying, assessing, and managing cyber and supply chain risk throughout the acquisition process.

GSA is also leading the implementation of an IT policy that enhances IT acquisition vehicles, resulting in increased security of customers’ systems and networks. We are working with federal agencies to address supply chain risks by:

  • Reviewing base ITC acquisition vehicle contract language
  • Developing an acquisition assurance baseline by identifying provisions and clauses that are related to IT security and SCRM to use in IT product and service solicitations
  • Creating a repeatable, scalable SCRM response process for ICT to effectively respond to SCRM incidents and issues of public interest. This includes a description of various roles, responsibilities, and definitions for the six phases of the ICT Supply Chain Threat Event (SCTE) Incident Response Life Cycle — i.e., notification, escalation, evaluation and validation, reporting, response, and closure activities
  • Establishing a Vendor Risk Assessment Program to provide a well-defined process and robust capability to evaluate known or potential risks related to suppliers of products and services using open source information

Comprehensive SCRM cybersecurity regulations and requirements

ICT systems need the best IT solutions to protect against proprietary counterfeits and malware, data tampering, and unauthorized access to sensitive information. We ensure that the IT products and services in our supply chain are deemed low cyber risk by complying with cybersecurity regulations and requirements specific to SCRM. This establishes sound policy safeguards, so that when government agencies purchase IT products and develop systems, they do so knowing that we worked with suppliers to determine whether SCRM capabilities have been applied to the acquired products and services.

We’re also establishing a comprehensive SCRM capability that will ensure government agencies procure IT hardware and software from original equipment manufacturers, including authorized resellers or other trusted sources. Furthermore, GSA is:

  • Managing incidents within IT contracts
  • Establishing and maintaining contact with both internal GSA stakeholders and external agencies on cyber incidents
  • Maintaining awareness of government-wide supply chain policy/trends

GSA remains committed to helping government leaders, chief information officers, and IT experts improve cybersecurity through SCRM. Read the first and second blogs in this series to learn more about our cybersecurity products, services and solutions and how they can help you focus on your mission, while maintaining quality, reducing costs, and minimizing duplications and redundancies.

Follow us on Twitter @GSA_ITC to join the conversation.