All the hubbub over concerns about Kaspersky Lab software and its alleged connection to the Russian government really is the tail of an effort that has been building over the last five-plus years.
It may seem concerns about the federal IT supply chain have reemerged after a five-year absence from the spotlight. But in fact, a dedicated group from the Defense and Homeland Security departments, the intelligence community and the General Services Administration has moved the government to the cusp of addressing this growing challenge.
The most recent and significant sign of this long-term effort is a new policy from the Committee on National Security Systems. CNSS released a new supply chain risk management policy in late July to establish “an integrated, organization-wide cybersecurity risk management program to achieve and maintain an acceptable level of cybersecurity risk for organizations that own, operate, or maintain national security systems.”
Sandy Boyson, a research professor and the co-director of the Supply Chain Management Center at the University of Maryland, said the new policy is an important milestone for a long-term strategy.
“To get to the point where there is a common recognition that they have to adapt more of the enterprise risk management model that is common in the private sector, this is an important iteration and consolidation of work they have been doing for past few years,” Boyson said, in an interview with Federal News Radio. “They spent a lot of time studying what’s going on in industry and trying to blend DoD and civilian agencies perspectives to see where commonalities are.”
Before recent fears over Kaspersky Lab products became mainstream, the last time agencies really talked publicly about securing their technology supply chain was 2011, when Sens. John McCain, (R-Ariz.) and Carl Levin (D-Mich.), then-ranking member and chairman of the Armed Services Committee, issued a report about counterfeit products “flooding” the DoD supply chain.
NASA set up a value-added reseller program for its SEWP V contract to further ensure confidence in its vendors’ supply chains.
And lawmakers are putting provisions in the Defense Authorization bill asking for reports and more attention to supply chain risks, including a provision from Sen. Jean Sheehan, (D-N.H.) that would ban Kaspersky Lab from DoD networks and systems.
Jennifer Bisceglie, CEO of Interos Solutions, said there has been a lot of activity over the last decade, including as many as 14 policies and laws that are trying to address supply chain risks, but few have really made a difference.
“It’s clear that more needs to happen and that is why we’re seeing movement,” she said. “The difference now is the government is owning more of the responsibility about the areas in which they are concerned about and holding the prime contractor accountable to mitigate those concerns. That is a big deal, because it means the government is doing a better job understanding its risk tolerance and risk transfer. This is based on how best to work with industry.”
Bisceglie said too often the policies and laws didn’t come with any teeth or funding and that’s why these actions were ineffective.
She said the CNSS document has a lot of potential, but still needs some clarity around accountability within each agency, the sharing of information across the government and whether GSA can get the funding to create a shared service to review products for their supply chain risks.
“Agency leaders must understand and be part of the solution, because nothing will be successful if it’s not led and has the resources at the right level,” Bisceglie said. “Every agency needs to identify their priorities for each program before implementing anything. This is not a compliance activity, but really understanding what’s important and a mission essential function, and what are the consequences if the function is impacted.”
Interos Solutions has been working on this SCRM issue for the last few years, and conducting its fourth pilot with GSA under their business due diligence program to see how a governmentwide shared service could work.
Bisceglie said GSA awarded the most recent effort at the end of July.
“The first two pilots were trying to get a shared service stood up and get other agencies’ attention to really prove the business case,” she said. “They did get multiple agencies to use it. We would look across commercial IT hardware, software and services and look at open source information about ownership, financial, cyber and other concerns.”
Bisceglie added each pilot focused on a different set of commercial vendors.
Pam Walker, the senior director of federal public sector technology for the IT Alliance Public Sector (ITAPS), said there is a lot of industry interest in the GSA business due diligence program.
“How does the government find the right balance to address concerns when they are no longer the biggest player in the market, but still must make sure there aren’t any vulnerabilities in the products they buy,” Walker said. “Companies do have SCRM plans in place now, and they have these processes in place to secure the supply chain. But I’m not sure how agencies will describe their program. NIST gave guidance and questions to ask so agencies can be better about SCRM in their procurements.”
Boyson also has been working on several pilots with the National Institute of Standards and Technology.
He said NIST and GSA have spent the last 18 months on a predictive analytics product to compare industry partners. The initiative just entered into phase 2.
“The first phase was aligning the portal to do self-assessments for cyber risk based on the NIST framework,” Boyson said. “We finished that with the latest NIST standards in phase 1. For phase 2, we are currently working with data breach providers to look at the NIST self-assessment process and see if there is a relationship between that profile and data breach patterns over time. The project will be done in October, but it’s a tough project because the data is so fragmented.”
In the meantime, congressional involvement and oversight of supply chain risk management is increasing.
In the House version of the NDAA, lawmakers want to make the DoD chief information officer responsible for the policy, oversight and coordination of supply chain risk management efforts for IT products and services.
“The committee remains concerned that the Department of Defense is not adequately postured or resourced to conduct the necessary planning, analysis, and assessment for supply chain risk management of Department of Defense information technology systems,” the House report on the NDAA stated. “This problem is exacerbated by the globalized nature of both the hardware and software supply chains for IT, and by the reliance of the department on primarily commercial systems that are the products of the globalized management and supply chain. While the committee is aware that much progress has been made in developing policies and guidance, as well as creating the core of an analytic capability, the committee believes there is more to be done. In addition to rethinking how to address this problem with less manpower, the committee also believes the department should do more to invest in automated information feeds, including from business and commercial intelligence providers, to fuse with classified information when needed, but also to provide stand-alone products more easily shareable with industry, interagency, and international partners.”
In another section, lawmakers want the Government Accountability Office to look at the defense industrial base, including “an assessment of the national security risks to the U.S. defense industrial base of such outsourcing, including the integrity of the Department of Defense acquisition system, logistics network, or supply chains.”
Additionally, the committee directed DoD to implement the recommendations of the Defense Science Board in its cyber deterrence report.
Finally, the committee wants DoD to create a pilot program to enhance information sharing for the security of its supply chain.
“This section would require the Secretary to select 10 acquisition or sustainment programs to participate in the pilot program and would further provide criteria that the secretary would be required to satisfy when selecting the 10 programs,” the report stated.
The Senate version of the NDAA does address supply chain risk management, but not in the same way or with the similar provisions, so whether these new directives make it into the final bill is unclear.
But no matter what lawmakers end up doing, the issue of supply chain risk is quickly becoming well understood by non-IT and cyber experts, which always is the first step toward improvement.