The new cybersecurity bill introduced in the Senate on Tuesday would order agencies to make sure they buy genuine products from vendors with a secure supply chain. Last year’s Defense Authorization bill also emphasizes supply chain security. The Obama administration has called for stricter procurement measures in the Comprehensive National Cybersecurity Initiative.
Now a collaboration between academia and NIST has produced a plan for supply chain policy.
The University of Maryland has published a report, in collaboration with NIST, on how the government and industry are addressing the cyber supply chain challenge.
“We know that accelerating globalization and outsourcing of both software code and hardware production is presenting tremendous assurance challenges to the government and to the vendor community,” said Sandor Boyson, co-director and research professor of supply chain management at the University of Maryland, in an interview with The Federal Drive with Tom Temin.
In their first phase of research, NIST and the university found that nearly half of 200 federal IT vendors surveyed did not have any kind of risk management mechanism in place. The results, Boyson said, were “quite disturbing.”
In the past couple of years, industry has increased focus on risk management internally and in acquisition, but Boyson said more focus needs to be dedicated to “enterprise risk management across the supply chain.”