It was clear from the get-go: Securing technology supply chains requires a “long-term, strategic collaboration between public and private sectors” across the world. So notes the National Cyber Strategy.
The strategy points out that the information and communication technology supply chain provides products and services that underpin the U.S. economy. But a dependency on foreign products and services from “untrusted suppliers” injects “multiple sources of systemic risk to our digital ecosystem.”
To foster collaboration and address those supply chain concerns, the National Institute of Standards and Technology’s National Cybersecurity Center of Excellence has convened projects in recent years to look at issues ranging from digital identity and software supply chain security to the security of water and wastewater technologies.
NCCoE has also been working with several major technology vendors on supply chain assurance to demonstrate how organizations can verify that the internal components of the computing devices they buy are genuine and haven’t been altered.
Emphasis on tech supply chain risk management
The issue has become crucial as data centers and cloud computing have become integral to most agencies, businesses and other organizations.
“How do you ensure what was put in that system during manufacturing is actually what’s in that system when it arrives at a data center that’s got to provide service?” Daniel Carroll, field chief technology officer for Dell Technologies, said during Federal News Network’s Cyber Leaders Exchange 2023.
One of the key outcomes from NCCoE’s projects to date is guidance on how organizations involved throughout the technology lifecycle, from original equipment manufacturers to platform integrators and information technology departments, can verify devices and components.
Carroll pointed to the need to have a ledger throughout the process.
“You basically do an inventory of what’s in that system when it’s put together in manufacturing to include serialization of all the components,” Carroll said. “And that serialization has to be done in ways that are basically using methods to tie serials to the components using different technologies. So that way, you can do an inventory on the other side to ensure that all those serial numbers still match up.”
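The inventory-and-recheck process described above, sketched as an added example that is not from the article, NCCoE or Dell: the factory seals an as-built component list, and the receiving site authenticates that list and compares it with a fresh inventory. The HMAC stands in for a manufacturer's digital signature, and the key, field names and serial numbers are constructed assumptions.

```python
import hashlib
import hmac
import json

# Constructed demo key; stands in for the manufacturer's signing key (assumption).
DEMO_KEY = b"constructed-demo-key"


def canonical(components):
    """Serialize the inventory deterministically so both sides hash the same bytes."""
    rows = sorted(components, key=lambda c: (c["class"], c["slot"]))
    return json.dumps(rows, sort_keys=True, separators=(",", ":")).encode()


def seal_manifest(components, key):
    """Factory side: record the as-built inventory and authenticate it."""
    tag = hmac.new(key, canonical(components), hashlib.sha256).hexdigest()
    return {"components": components, "tag": tag}


def verify_on_receipt(manifest, observed, key):
    """Receiving side: check the manifest itself, then diff it against a fresh inventory."""
    expected = hmac.new(key, canonical(manifest["components"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, manifest["tag"]):
        return ["manifest: authentication tag mismatch"]
    built = {(c["class"], c["slot"]): c["serial"] for c in manifest["components"]}
    seen = {(c["class"], c["slot"]): c["serial"] for c in observed}
    findings = []
    for slot in sorted(built.keys() | seen.keys()):
        name = f"{slot[0]}[{slot[1]}]"
        if slot not in seen:
            findings.append(f"{name}: missing (built with {built[slot]})")
        elif slot not in built:
            findings.append(f"{name}: unexpected component {seen[slot]}")
        elif built[slot] != seen[slot]:
            findings.append(f"{name}: serial {seen[slot]} != manifest {built[slot]}")
    return findings


# Constructed sample inventory (not real serial numbers).
AS_BUILT = [
    {"class": "cpu", "slot": "0", "serial": "CPU-0001"},
    {"class": "dimm", "slot": "A1", "serial": "MEM-1001"},
    {"class": "nic", "slot": "1", "serial": "NIC-2001"},
]

if __name__ == "__main__":
    manifest = seal_manifest(AS_BUILT, DEMO_KEY)
    swapped = [dict(c, serial="NIC-9999") if c["class"] == "nic" else c for c in AS_BUILT]
    print(verify_on_receipt(manifest, swapped, DEMO_KEY))
```

An empty result means every serial recorded at manufacturing was found in the same slot on arrival; any finding is a reason to hold the system before it goes into service.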
Using blockchain to advance supply chain security
NCCoE is now in the early stages of a new project aimed at using blockchain technologies to advance supply chain traceability. The center plans to publish a notice in the Federal Register in late 2023 for organizations interested in participating in the project.
Carroll said the supply chain assurance work has featured collaboration in the private sector that previously was unthinkable.
“The information that we are sharing today and some of these collaborations would have been looked at as critical, strategic market intellectual property that we could use to compete against our competitors with,” Carroll said. “Now, we have an understanding that we have to come together in order to share some of this information to drive better practices across the industry because we’re not in the data center alone. … The reality is that other vendors are going to be in that data center, and if they’re compromised, well, then there’s a compromise for us too. It makes it harder for us to protect our interests and protect the interests of our customers. So we have to work together in that aspect.”