Agencies finally have a basic understanding of the threat landscape around the federal technology supply chain.
And chief information officers, acquisition executives and others shouldn’t feel good about what they’ve learned.
The Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency’s Information and Communications Technology (ICT) Supply Chain Risk Management Task Force identified 190 threats across nine groups, including counterfeit parts, cybersecurity and economics.
The task force highlighted the supply chain topography as part of its interim report and four recommendations released last week.
“I think it’s important to make one note on the scope, the group focused on threats as opposed to risks. There was a lot of discussion in the group on that topic because it’s not necessarily immediately clear where a threat might end and a risk might begin. I think the easiest way to kind of explain about how the group thought about the interplay there is they defined risk as the intersection of threats with assets and vulnerabilities,” said John Miller, co-chairman of the task force and the vice president of policy and senior counsel for the IT Industry Council. “Through that lens, you can see why this group’s work was so foundational.”
Along with the threats, the task force outlined 40 scenarios mapped to each of the nine groupings, covering everything from ransomware attacks to contractor compromise challenges to supplier ownership changes to natural disasters.
“In building out those scenarios, several categories were considered by the group, including the interplay of particular vulnerabilities in that context: business impacts, potential business mitigation strategies and controls,” Miller said. “It was a very contextual analysis for each of them.”
All of this information comes at a time when the focus and concerns about supply chain threats are rising.
The two most obvious examples are the banning of Huawei and ZTE products in federal and contractor networks earlier this summer, and the prohibition on Kaspersky Lab products and services in 2018.
Jeanette Manfra, the DHS assistant secretary for cybersecurity at CISA, said supply chain is one of four priorities for an interagency working group focused on increasing collaboration and coordination to better secure industrial control systems.
“It can’t be your solution to say ‘I’m air-gapped.’ We all know you are not air-gapped,” Manfra said at the CISA cybersecurity conference last week. “You have to make sure you understand both the hardware and software chain of those systems that you are putting into play, and you understand things like access.”
Manfra added it’s more than just understanding the prime supplier of the hardware or software, but getting to know the tier 2, 3 and 4 providers as well as business relationships and ownership.
“Sometimes that’s hard to completely understand, but it’s really important when you are buying a really expensive piece of equipment or system that you make it clear to whomever is selling that to you that you want that level of visibility,” she said. “That can go a long way to solving what I would say are individual supply chain issues.”
Bob Kolasky, the deputy director of the National Risk Management Center in CISA, said the task force’s recommendations focus on strategic and tactical aspects of supply chain risk management.
On the tactical side, the group suggested agencies only buy IT products from authorized resellers or from original equipment manufacturers (OEMs). It also recommended that agencies rely on a trusted vendor or approved products list where the risk is greatest.
“There is a higher likelihood in the analysis we’ve seen that if you are not buying from OEMs or authorized resellers, there’s an increased risk of getting counterfeit products in the system, and with counterfeit systems comes a whole level of technical risk within that,” Kolasky said after a panel at the CISA conference. “We thought that this was a risk mitigation strategy that makes sense and there is an opportunity with federal acquisition policy to push that.”
The General Services Administration is considering rescinding the IT schedule special item number for refurbished or used products because of supply chain concerns. The Defense Department also adopted this policy in 2016.
“The more you buy from OEMs or authorized resellers, you have the ability to actually monitor their practices and make some judgements around that. There may be some source of concern with the original equipment manufacturer for different reasons, but it raises the bar of trust,” he said. “There was a general consensus that this was an issue we should take on as a task force. We talked about prospects of this and the premise of this was not that controversial.”
The use of an approved products or qualified bidders list came from research around the DHS continuous diagnostics and mitigation (CDM) program, GSA’s IT schedule and NASA’s SEWP contract.
Strategic ideas around threats, information sharing
The working group laid out 11 factors where the use of a qualified bidders or approved products list may make sense.
“That group probably didn’t go as far in the initial rounds as one might have thought. We didn’t come in with the recommendation that you have to establish as a qualified bidder or a qualified manufacturer list. Instead, we worked as a task force to come up with the characteristics you should consider if you do that,” Kolasky said. “I think that’s a little bit of a risk management approach to understand the qualified bidder or qualified manufacturer may be the right solution in certain cases, but not in all cases.”
He added industry was supportive of using this approach when appropriate, especially in light of the additional costs that using an approved products or manufacturer list could incur.
On the strategy side, the task force recommended agencies and contractors understand the cyber threats they face, and share information about those risks more broadly and more quickly.
Kolasky said the goal is to improve private-to-private information sharing and to get that information into the broader ecosystem, including the government. He said that brings in a whole set of legal challenges, including liability.
In the report the working group states that it “concluded that legal analysis and guidance are a prerequisite to developing a framework for any systematic, omni-directional information-sharing system relating to suspect suppliers. The result of these legal considerations could set forth the guidelines for addressing the process, operational and financial barriers that restrict effective implementation.”
The second strategic recommendation covers the 190 threats across the nine groups and how to mitigate them through tools and controls.
Kolasky said the supply chain task force will figure out its next areas of focus, including helping small and medium-sized businesses manage their risks and connecting with other critical infrastructure providers about how they are managing ICT challenges.
He said the task force will finalize its year two plan at the end of October or in early November.