From cyber hackers to counterfeit products, phishing, ransomware and theft of intellectual property, agencies face significant cyber threats from their supply chains. Concern is growing about the reseller channel, an often vulnerable link. In too many cases, agencies are trusting without verifying and opening the door to potential threats.
As the last mile in federal supply chains, the channel manages an enormous amount of federal data, including Controlled Unclassified Information (CUI). While large original equipment manufacturers (OEMs) have rigorous supply chain practices, and some resellers will have all the required controls in place, other resellers do not have the resources to combat threats in the reseller channel. Adversaries exploit the reseller because it is the most cost-effective opportunity, and vulnerabilities at small resellers are often magnified, disrupting the entire supply chain.
Consider: there are thousands of small resellers selling to federal agencies, the Defense Department, and the Intelligence Community. The barrier to entry is low. There is also often intense economic pressure to sell products, regardless of whether they meet federal requirements or whether the reseller has the proper authorization from the OEM. And unfortunately, in some cases, resellers who are authorized to sell specific products to federal agencies will commingle counterfeit products with genuine articles.
Federal Chief Information Security Officer Grant Schneider said at a cyber summit earlier this year that it is “getting harder and harder in the global economy to understand” where IT components come from. Agencies must be able to discern “what’s inside the box, who built it, what was their intent.”
The Trade Agreements Act (TAA) helps to mitigate risk by ensuring that vendors have manufactured or “substantially transformed” components of a product in the United States or another country. But this does not reduce the risk of components being tampered with before they arrive at their destination, so it can give (and does give) a false sense of security.
What can agencies do to combat the inherent risk in their reseller ecosystems? While agencies can never completely eliminate risk, contracting officers need better visibility into their entire supply chain to be able to vet suppliers and ensure each has proper authorization and certifications. In short, they need more education and they need to know their partners through a closer relationship. Agencies need to balance fair and open competition with the need to protect federal data and missions.
As agencies evaluate resellers to build out their reseller ecosystem, they should spend time training contracting officers and buyers to better understand and recognize risks, beyond confirming the bill of materials and part numbers.
First, agencies should identify whether the vendor is an authorized reseller of the OEM. There are various routes to the market. Government end user contracting officers need to be knowledgeable about the authorized vendors, so they are not put in risky situations.
Agencies also need to understand reseller ownership structure and sourcing methods. They should have clear visibility into where all components of a product are coming from and how they got there.
Finally, agencies need to be aware of, and enforce, the legislation and regulations that apply to federal IT supply chains. Agencies should consider what requirements and certifications the vendors have, including International Organization for Standardization (ISO) certifications, Open Trusted Technology Partner Standard (O-TTPS) requirements, and Cybersecurity Maturity Model Certification (CMMC), which will be released in 2020. From the beginning, contracting officers should include these requirements in Requests for Information, Requests for Proposals, and any other initial documentation with vendors.
Government and industry are working together to secure federal supply chains through a joint industry and government task force: the Cybersecurity and Infrastructure Security Agency’s (CISA) Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force. The task force released an interim report in September identifying over 190 supplier-related threats, outlining threat scenarios, and providing recommendations for agencies to better evaluate and secure their supply chains.
With thousands of federal resellers to choose from, how can agencies evaluate and decipher which resellers have the least risk? The Office of Management and Budget (OMB) is also working toward minimizing the number of large-scale, agency-wide contracts. NASA’s Solutions for Enterprise-Wide Procurement (SEWP) has taken measures to reduce the list of suppliers through a contract vehicle site, where buying officials can find a consolidated list of authorized suppliers that have met O-TTPS requirements. This reduces efforts to evaluate suppliers and allows agencies to better manage the threat landscape.
Going forward, securing the federal IT supply chain will need to be a collaborative effort. Agencies should consider developing a past performance database, beyond the current CPARS, to report on progress, track repeat offenders, and share best practices among resellers, manufacturers and the entire federal IT ecosystem. The approval of ISO/IEC 20243, which addresses specific threats to the integrity of hardware and software COTS ICT products through the product life cycle, including the design and development, as well as the supply chain aspects of that life cycle, should assist in creating a standard level of security across the reseller channel.
For now, industry and government can take proactive measures to evaluate qualified bidders and manufacturers, know their suppliers, and recognize risky scenarios.