Reducing Cyber Supply Chain Risks

From reports of large-scale cyber attacks such as SolarWinds to President Biden’s signing of Executive Order 14028, Improving the Nation’s Cybersecurity, cyber supply chain risks have been top of mind for policymakers and federal agencies governmentwide.

GSA is committed to helping agencies mitigate cyber supply chain risks. By understanding the threats, agencies are positioned to take defensive action against them.

Ecosystem threats

Government depends on a global supply chain ecosystem: vendors, distribution routes, technologies, laws, and policies. Each piece of this ecosystem works together to design, manufacture, distribute, use, and manage products and services.

However, these supply chain ecosystems can expose government organizations and enterprises to financial, governance, and cybersecurity risks.

Of these risks, one of the most troubling is that someone will use vulnerabilities in a supply chain to carry out a cyberattack.

A supply chain cyber attack occurs when an attacker uses a trusted outside partner or vendor with access to a system’s data to infiltrate an information system.

Because supply chain attacks are difficult to prevent and can greatly harm any organization, federal agencies must identify, categorize, manage, and mitigate risks within their supply chains.

In its December 2020 report, the Government Accountability Office (GAO) assessed how 23 civilian CFO Act agencies implemented 7 Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) practices.

In its review, the GAO found that many agencies had not implemented the practices according to the GAO’s evaluation criteria and that no agency had fully implemented all 7 practices.

What you can do

You can take proactive measures in information and operational technology acquisitions to reduce your organization’s cyber supply chain risks.

  • Evaluate your organizational structure. Set up a collective task force to secure your supply chain and empower this team to hold lower-level suppliers accountable and to have responsibility for overall supply chain security.
  • Identify and empower supply chain leadership. Review and monitor key contracts to verify that prime and subcontractors maintain security practices through the contract lifecycle. Threat intelligence and incident response capabilities must work together.
  • Put data protection and stakeholder communication processes in place. Set requirements for communicating and protecting data, specifically for incidents, breach notifications, and industry or legal reporting requirements.
  • Build trust by sharing threats with your supply chain partners. Prevent communication delays by being transparent about an attack or a potential breach. Transparent leadership and communication create trust. Building that trust requires a commitment to straight talk, the ability to produce results, and the ability to restore trust when trust is lost.

GSA C-SCRM Resources

For the last 10 years, federal guidance and regulations have prioritized SCRM. This priority reflects the increasing threat of vulnerabilities in the nation’s supply chain.

We’re continuing to develop ways to help agencies reduce supply chain risk, like the Vendor Risk Assessment Program and the Cyber Supply Chain Risk Management Acquisition Community of Practice.

Vendor Risk Assessment Program

We are currently developing a program that can identify, assess, and monitor supply chain risks for vendors who do critical work for the federal government. It will audit supply chain risk processes or events and may include on-site assessments.

The following criteria will be monitored:

  • Risk of foreign ownership, control or influence;
  • Cyber risk; and
  • Factors that would affect the company’s vulnerability, such as financial performance.

If the risk assessment identifies supply chain risks, we will work with the vendor on a corrective action.

We take this seriously. Failing to resolve any identified risk may result in government action up to and including contract termination.

Cyber Supply Chain Risk Management Acquisition Community of Practice

In August 2021, we established a C-SCRM Acquisition Community of Practice (ACoP). It includes key acquisition stakeholders from GSA, Cybersecurity and Infrastructure Security Agency (CISA), Office of Management & Budget (OMB), and other federal agencies.

The goal of C-SCRM ACoP is to increase awareness and develop maturity in the areas of cyber-acquisitions and Information Communication Technology and Services (ICTS) supply chain risk management across the federal government.

Many federal departments and agencies need to mature C-SCRM capabilities, guidance, and training. This is particularly true for acquiring ICT hardware and software.

We need governmentwide contract language for acquiring ICT products that holds vendors accountable for assessing the risk of their supply channels, especially for embedded software.

To learn more about the C-SCRM ACoP or to join, email C-SCRM_ACoP@gsa.gov.

Coordination is key

Agencies must continuously monitor their interconnected IT ecosystem and establish the necessary contract requirements that ensure vendors are doing the same.

Stay up to date on the latest GSA C-SCRM initiative by following us on Twitter @GSA_ITC.