The Cybersecurity and Infrastructure Security Agency is building out a new supply chain risk management office to help agencies, industry and other partners put a torrent of recent guidance and policies into practice.
The new office is being spearheaded by Shon Lyublanovits, a former General Services Administration official. She now leads the project management office for cyber supply chain risk management (C-SCRM) within CISA’s cybersecurity division.
“We’ve got to get to a point where we move out of this idea of just thinking broadly about C-SCRM and really figuring out what chunks I want to start to tackle first, creating that roadmap so that we can actually move this forward,” Lyublanovits said during a Jan. 30 event hosted by GovExec.
In 2018, Congress passed the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure (SECURE) Technology Act, establishing the Federal Acquisition Security Council to develop governmentwide policies and criteria for security IT supply chains.
The council has designated CISA as its “information sharing agency,” said Sean Peters, deputy program manager for the FASC at the Office of Management and Budget.
“They do a lot of the coordination and communication of FASC activities throughout the federal government,” Peters said.
Agencies have jump-started efforts to develop their own C-SCRM programs, while new laws and executive orders continue to pile on additional requirements and considerations for managing risks in the technologies the government purchases.
While some agencies like NASA have long been leaders in managing supply chain risks, Lyublanovits said others are still struggling with the basics.
“I think the thing that plagues agencies the most are two things: One, where to start? And two, how do I have that conversation with my leadership?” she said. “If you don’t have leadership buy-in, you can’t get funding, you can’t go hire people to help you do what you want to do.”
CISA is developing new training courses for supply chain risk management that it aims to debut later this year. The agency is also starting a series of roundtables focused on “operationalizing C-SCRM,” she said. There will be three different tracks geared toward federal employees; industry; and state, local, tribal and territorial governments, respectively.
“We want to make sure that we’re collectively looking at all of this because again, it isn’t a government problem. It isn’t industry problem. It is a nation problem,” Lyublanovits said.
FASC developing scorecard
The Federal Acquisition Security Council, meanwhile, continues to coordinate governmentwide policies and guidance.
The council is often pulling on best practices and guidance established by agencies like NASA and the National Institute for Standards and Technology, according to Jaimie Clark, senior advisor and lead program manager for the FASC at the Office of Management and Budget.
“A lot of what we’re trying to do is not have everybody reinvent a practice,” he said at the GovExec event. “This is one environment where you’re not going to be penalized for plagiarism.”
NIST has since published new cyber supply chain guidance to help organizations manage potential risks in IT products like malicious functionality, counterfeit components or other vulnerabilities. Clark said the FASC helped contribute to that guidance.
“If you haven’t read it, you absolutely should,” he added.
The council is now developing a scorecard to help agencies and other organizations grapple with their supply chain risk management challenges, Clark said.
“But instead of just identifying another checklist that we’re asking folks to fill out, we first want to identify, where is everyone? And then where do we need to go?” he continued. “What does best practice look like? And that incorporates identifying whether there needs to be a different context for small, medium, large [agencies]. Is there a different context based on your mission? And trying to understand more from the user’s perspective, as opposed to issuing a policy or putting out a scorecard that we think captures all of it.”
Clark and other officials pointed to the need to understand industry’s perspective on supply chain challenges. Contractors typically have more information about the companies in their supply chains and also provide products across multiple agencies, putting them into a position to understand which supply chain initiatives are working and which aren’t.
Jon Boyens, deputy chief of the computer security division at NIST, said companies are participating more in supply chain security conversations than they were a decade ago.
“I actually think we’re kind of in the midst of relationship changes between acquirers and suppliers,” Boyens said. “Ten years ago, the reception I received from some industry colleagues, typically IT vendors was, ‘Go pound sand. Here’s my product. You get it if you want it. If not, it’s a global market, we’re going elsewhere.’ That’s changed.”
The complexity of modern technology requires a “constant relationship between the supplier and the acquirer,” he continued.
“So I think industry has been more accepting that yeah, we do have risk, and I think government’s trying to be a little bit more accommodating in terms of, we can’t just tell you what to do,” he said. “This is more of a partnership. I think often government gets in the habit of asking for a lot of information that it doesn’t use, and asking for a lot of requirements that costs more money, that are unnecessary. So I think we’re getting there. We’re not yet. It’ll be a few more years, but we’re on the right road.”