How agencies can start catching up on supply chain risk management
February 11, 20213:31 pm
5 min read
This content is provided by EY.
When the Government Accountability Office (GAO) investigated the supply chain risk management practices of the 23 civilian CFO Act agencies in late 2020, the results were concerning. It found that none of those agencies had fully implemented seven critical supply chain risk management (SCRM) practices outlined by the GAO and grounded in guidance from the National Institute of Science and Technology (NIST), and 14 agencies hadn’t begun implementing any of them at all.
“As a result of these weaknesses, these agencies are at a greater risk that malicious actors could exploit vulnerabilities in the [information and communications technology] supply chain causing disruption to mission operations, harm to individuals, or theft of intellectual property,” GAO said in the report. “For example, without establishing executive oversight of SCRM activities, agencies are limited in their ability to make risk decisions across the organization about how to most effectively secure their ICT product and service supply chains. Moreover, agencies lack the ability to understand and manage risk and reduce the likelihood that adverse events will occur without reasonable visibility and traceability into supply chains.”
And one thing that really drove home the importance of supply chain risk management, according to Alex Gurney, a principal at EY, is the pandemic. Shortages in toilet paper early on, followed quickly by hardware shortages as businesses scrambled to equip their new stay-at-home workforce, forced the public and private sector alike to examine where their goods and services came from.
“When we talk about supply chain risk management, the first thing you need to know is who are your suppliers?” said Gurney. “Where do they reside, where are their operations? Is it domestic, is it non-domestic, and who are the suppliers in their supply chain that they rely on to support your mission?”
In the public sector, supply chain risk management tends to go hand in hand with cybersecurity in most conversations. Kaspersky and Huawei were the early warnings, perfect examples of why supply chain risk management is important. SolarWinds became the cautionary tale of what happens when the weaknesses get exploited.
But cybersecurity isn’t the only domain in which the supply chain poses a threat. It’s about goods, services, finances, maintenance and repair. For example, if the Defense Department has a radar system that relies on a part that comes only from a single supplier, that’s a vulnerability. If the business supplying the part is mismanaged and goes under, the inability to obtain a $20 replacement part could cripple a multimillion-dollar defense system.
That’s why, Gurney said, it’s imperative that federal agencies finish implementing the guidance outlined by NIST.
“There are ways to accelerate a program like this and get it up and running quickly,” she said. “We’ve established a SCRM program for the Department of Energy, and there is a lot of market data out there that agencies can leverage. Also, agencies could benefit from each other’s efforts, because most agencies share a common set of contractors and suppliers.”
At DoE, EY helped establish a SCRM program that enables leadership to make risk-informed decisions and reduce the risk introduced by suppliers. The SCRM program identifies, assesses, helps to mitigate and monitors supplier risks: the greater the potential risk a supplier presents to DoE’s supply chain, the greater the diligence conducted to assess the supplier. The program assesses suppliers across multiple risk lenses to include financial, cybersecurity, geo-political, corruption and foreign interest. Applying multiple lenses enables a more complete picture of the health of the supplier. For example, a particular supplier might not be financially viable or it may rely on multi-layered subcontractors to provide a product, each layer of which needs to be analyzed for potential risks.
“So, we do the analysis and establish a risk profile, from which management can make a risk-informed decision and evaluate options to reduce any risks identified,” Gurney said. “We built it to be scalable and customizable, so it can continue to expand quickly and adapt to constantly changing requirements and supply chain threats.”
This solution combines open source, subscription-based, and federal-based information about suppliers with control-based questionnaires and the suppliers’ potential impact on the agency to build supplier risk profiles. And while it does provide mitigation strategies to lessen supply chain vulnerabilities, Gurney also sees it being used proactively. For example, during the procurement lifecycle, agencies could utilize this process and factor this information into the awards process.
And because supplier data can be leveraged across the entire government, Gurney recommends that agencies develop a common service, such as that at the DoE, to develop a robust database of supplier risk information. Leveraging programs and processes already in place could also provide a jumpstart to agencies that have yet to begin implementing supply chain risk management guidance.
“Despite numerous conversations I have had with various clients about this issue, I don’t see a lot of agencies taking really accelerated action to address it. And then we see things like SolarWinds happen,” Gurney said. “Developing an initial supplier risk assessment is a very quick action and took our team only 2 weeks to establish at DoE, but I think there are a lot of steps that are involved in setting up an integrated program. And it really starts with executive sponsorship, just like anything else.”
To learn more, join EY for a knowledge sharing series focused on SCRM.REGISTER HERE for the next session, Supply Chain Risk Management: Securing suppliers within your organization (24 March). We will be discussing the types of challenges organizations face post-procurement and how to secure your suppliers utilizing a SCRM-focused Risk Management Framework (RMF) approach, Identity & Access Management (IAM), Privileged Access Management (PAM), and Application Security.