And earlier this summer, the federal government confirmed that several agencies were impacted by the MOVEit software hack allegedly carried out by a Russian ransomware gang.
The steady increase in frequency of cyberattacks has led to a flurry of new regulations, including Section 889 of the National Defense Authorization Act, Executive Order 14028 on Improving the Nation’s Cybersecurity and the Cybersecurity and Infrastructure Security Agency’s Software Bill of Materials (SBOM) guidance.
These efforts send a strong signal to companies interested in the federal contracting space: For those hoping to tap into the $700 billion market, cyber supply chain risk management (C-SCRM) must be a priority. Here’s what they need to do to earn the trust (and business) of the federal government:
When companies inherit, purchase or outsource software capabilities, they’re not always aware of the cyber risks contained within those products. SBOMs are one of the most valuable resources to combat this problem.
SBOM visibility enables companies to generate verifiable information that allows them to identify third party risk in software components. Software teams can use these insights to detect malware during development, track known vulnerabilities and identify upstream risks in advance of a known vulnerability. Customers who require SBOMs are already using advanced capabilities to analyze and monitor those lists of software ingredients.
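As an added illustration of the "analyze and monitor" step (this is example code, not anything from the article or from Exiger): a small Python routine that reads a CycloneDX-style SBOM, matches each component's package URL against an advisory feed, and flags components that sit below the first fixed version. The SBOM, package names, versions and advisory identifiers are all constructed for the example; a real pipeline would pull advisories from a vulnerability database and would also report components that carry no package URL, since those cannot be matched at all.

```python
import json
from typing import Dict, List, Tuple

# Constructed CycloneDX-style SBOM fragment; names, versions and purls are invented.
SBOM_JSON = """{
  "bomFormat": "CycloneDX", "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "log-utils", "version": "2.14.1",
     "purl": "pkg:maven/com.example/log-utils@2.14.1"},
    {"type": "library", "name": "yaml-parse", "version": "5.3.0",
     "purl": "pkg:pypi/yaml-parse@5.3.0"},
    {"type": "library", "name": "tls-lite", "version": "1.2.9",
     "purl": "pkg:npm/tls-lite@1.2.9?type=tgz"},
    {"type": "library", "name": "vendored-blob", "version": "0.1"}
  ]
}"""

# Constructed advisory feed: version-less purl -> list of (first fixed version, advisory id).
# In practice this would come from a vulnerability database such as OSV or NVD.
ADVISORIES: Dict[str, List[Tuple[str, str]]] = {
    "pkg:maven/com.example/log-utils": [("2.15.0", "ADV-0001")],
    "pkg:npm/tls-lite": [("1.3.0", "ADV-0002")],
}

def parse_version(v: str) -> Tuple[int, ...]:
    """Numeric tuple compare so that 1.10.0 sorts after 1.9.3 (string compare would not)."""
    return tuple(int(p) for p in v.split("."))

def split_purl(purl: str) -> Tuple[str, str]:
    """Return (purl without version and qualifiers, version)."""
    base, _, _ = purl.partition("?")          # drop qualifiers such as ?type=tgz
    name, _, version = base.rpartition("@")   # the version follows the last '@'
    return name, version

def find_affected(sbom_json: str, advisories: Dict[str, List[Tuple[str, str]]]):
    """Return (affected components, components that could not be identified)."""
    sbom = json.loads(sbom_json)
    affected: List[Tuple[str, str, str]] = []
    unidentified: List[str] = []
    for comp in sbom.get("components", []):
        purl = comp.get("purl")
        if not purl:                      # no purl: cannot be matched against any feed
            unidentified.append(comp.get("name", "<unnamed>"))
            continue
        name, version = split_purl(purl)
        for fixed, adv_id in advisories.get(name, []):
            if parse_version(version) < parse_version(fixed):
                affected.append((comp["name"], version, adv_id))
    return affected, unidentified
```

Components without a package URL are returned separately so the gap in the SBOM itself is visible, not silently treated as clean.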
Incorporate new requirements as early in the development process as possible
While tech and development teams may feel that incorporating SBOMs early in the process will restrict innovation, it’s a mistake to start without them. In fact, beginning the process with all players on board – from legal and security teams to risk auditors and government advisors – will encourage collaboration and avoid late-stage refactoring, saving time and money.
Cybersecurity architects need to stay up to date on new insights, concepts and tools as they become available. Because customers are placing more value on cyber diligence, this extra effort is an opportunity to gain a competitive advantage — the more you can prove you’re being proactive, the less risky your product seems in comparison to less diligent competitors.
Be open to collaboration with regulators
The federal government has been a leader in forging guidelines and policies that are driving enhanced software visibility. Agencies like the National Institute of Standards and Technology, for example, offer further guidance. Treat these government agencies as resources and allies in your journey to creating a trusted C-SCRM system.
Medical device makers, for example, successfully collaborated with the Food and Drug Administration to shape new standards in their field that require all companies to obtain and maintain SBOMs.
Treat C-SCRM as a long-term business investment
Meeting the new standards for C-SCRM may make it more expensive to do business with the government in the near term, but boosting supply chain resilience could safeguard your company and your partners from hacks and expensive remediations in the future. That’s a lot of savings when you consider that just one data breach costs an estimated $9.44 million.
Breaches are not only expensive, they can also damage your company’s reputation, leading to distrust with existing and prospective customers. And when your client is the federal government, C-SCRM vulnerabilities can be the cause of disruption to critical infrastructure and social services across the country.
Building trust is essential for businesses working with the federal government. The key is to start by making the effort and investments necessary to secure your cyber supply chain. Acting in good faith and providing transparency will demonstrate trustworthiness and create more business opportunities.
Here’s the bottom line: Enhanced C-SCRM regulatory standards and increasing emphasis on SBOM visibility are raising the bar for private companies targeting the government procurement space. While new requirements are increasing the cost of entry to this lucrative sector, the investment is likely to pay dividends for your company’s long-term reputation, security and operational resilience. With embarrassing and costly data breaches happening regularly, few companies can afford not to invest in building a trustworthy and credible C-SCRM system.
JC Herz is senior vice president of cyber supply chain at AI and supply chain risk management company Exiger.