FedInsights by RSA Archer

Protecting the supply chain to promote operational resiliency


Without a doubt, 2020 will be remembered in the federal sector as the year of supply chain risk management. Oh yeah, there’s also the coronavirus pandemic turning everyone’s world upside down.

But if we step back from this tragedy, we can see just how much attention and resources went to supply chain risk management over the last 12 months.

From the Defense Department’s somewhat challenging roll out of the Cybersecurity Maturity Model Certification (CMMC) to the launch of the Federal Acquisition Security Council to the second part of the Section 889 acquisition rule, at every turn agencies and vendors faced new requirements.

The task is so great that the Office of the Director of National Intelligence outlined three broad goals to improve the security of the federal supply chain. These include implementing enhanced capabilities to detect and respond to supply chain threats and more outreach to public and private sector partners about potential and real vulnerabilities.

Nearly every agency from ODNI to the FBI to DHS to the Commerce Department is involved in protecting the federal supply chain.

Agencies need to take all this data—both from public and private sector sources—and apply it to their specific mission areas.

Dan Carayiannis, the director of public sector at RSA, said the increasing concern about technology products and components, and about whether technology suppliers understand and have transparency into their chain of custody, created a wake-up call of sorts for public and private sector organizations.

“The way we look at this is the risk footprint that an agency has, has expanded significantly and the importance, based on a lot of the nation state cyber criminals that are out there, to make sure that everybody in that expanded risk footprint is doing the best they can to secure those environments,” Carayiannis said on the Innovation in Government show sponsored by Carahsoft.

The change in expectations and oversight is highlighted by initiatives such as the CMMC program as well as the Defense Industrial Base Cyber Assessment Center (DIBCAC) effort.

Carayiannis said CMMC, and soon DIBCAC, are pushing vendors to move beyond self-assessments by mandating certain controls and practices to raise the level of security across the expanded risk ecosystem.

“The pandemic has caused every agency to modify their thinking about their remote workforces, including the contractor community,” Carayiannis said. “I think the pandemic has opened people’s eyes to how organizations can operate in more flexible, virtual environments, but also understanding the risks around that and therefore needing to put new security controls, processes, procedures and privacy standards in place to make sure they are doing that in a proper fashion.”

He said RSA hears from DoD and civilian agencies about CMMC and what it may mean for their industry partners, especially as they realize that how employees and industry partners work has permanently changed, and therefore so have their cyber risk profiles and footprints.

“We have for years been supporting agencies and the contractor community in the way they manage their supply chains. Anything from putting in place an application to track their supply chain community, a supplier catalog, not just the individual organizations, but maybe the contracts they may have in place or the technologies they acquire from them,” he said. “What the pandemic really did was cause people to reflect in a quick way not just on themselves but understanding the reliance they have on their contractors and suppliers. It got them to think through this concept of operational resiliency to ensure they are continuing business as usual.”

Carayiannis said the need for operational resiliency also caused vendors to apply zero trust principles to address the increased risk ecosystem.

“We have seen agencies moving quickly to deploy software solutions where they are tracking, monitoring and requiring their supplier community to attest and demonstrate they are secure on an ongoing basis. They have controls in place, processes, practices and procedures to do this,” he said. “We are able to do that using technology today where we are able to drive controls, be able to pull in information and be able to help contractors show a government organization that the following things are being done to protect the data or the technologies that they are providing are secure and there is a good chain of custody around those things.”

Carayiannis said more agencies and vendors are using these automated tools to “trust but verify” their partners, especially as the pandemic changed the view of the cyber risk ecosystem.

To stand up a fully automated vendor management program, agencies must build piece by piece, starting with collecting data and sharing that information across the agency.

“Just establishing a supplier catalog is a basic start. From there, I could evolve to requiring those contractors to provide me information, maybe from automated tools or vulnerability scanning tools, and highlight and attach that document to that particular vendor,” he said. “Another area where we have seen people leverage technologies and capabilities is independent virtual assessments of a third party contractor to see how secure they are from a public-facing perspective. There are a lot of different things we have seen agencies do where they are starting to leverage technology and tools. It’s an evolutionary thing, it’s a crawl, walk and run process.”


About Archer

Archer, an RSA company, is a leader in providing integrated risk management solutions that enable customers to improve strategic decision making and operational resiliency. As true pioneers in GRC software, Archer remains solely dedicated to helping customers understand risk holistically by engaging stakeholders, leveraging a modern platform that spans key domains of risk and supports analysis driven by both business and IT impacts. The Archer customer base represents one of the largest pure risk management communities globally, with over 1,500 deployments including over 100 government organizations and 90 of the Fortune 100.

Featured speakers

  • Dan Carayiannis

    Director, Public Sector, RSA Archer

  • Jason Miller

    Executive Editor, Federal News Network
