Even in a secure environment, supply chain security can contain gaps. The seller may have its supply chain locked down, but the manufacturer — confident in its own practices — may be dealing with parts suppliers who work with unsecured companies.
The smaller the company, the larger the gaps may be and the less information may be available. The National Defense Industrial Association recently surveyed small and medium-sized defense contractors and found that fewer than 60 percent of them had read the document outlining the minimum security standards for defense contractors.
The risks federal agencies face in the supply chain include gray market and counterfeit products, tampering and vendors that don’t properly assess their own risk.
Task Forces Study Supply Chain Risk
Federal agencies and task forces are working on supply chain security guidelines encompassing everything from how to spot problems to when to ban a company as a supplier.
The Cybersecurity and Infrastructure Security Agency’s Information and Communications Technology Supply Chain Risk Management Task Force just released an interim report on its progress. This task force has created an inventory of possible threats that can be used by both the public and private sectors; is developing a list of factors that an enterprise can use to determine which bidders and manufacturers to trust; and may recommend that technology be purchased only from the original manufacturers or their authorized resellers.
Recently, the Defense Department created a CISO position assigned to its acquisition department, and is looking for ways to buy even more American-made IT.
And as part of the Department of Homeland Security’s Continuous Diagnostics and Mitigation program, the General Services Administration requires potential government vendors to include supply chain risk management plans in order to become part of the CDM Approved Products List. The APL catalog can serve as a guide for agencies that want to buy products meeting federal security standards.
Agencies may also want to consider including supply chain security requirements in service-level agreements with their vendors, if they’re not buying through a GSA vehicle that already includes one.
In some cases, the solution may be to employ a third party to supplement the monitoring GSA is already trying to do. Large resellers often work with their own suppliers to make sure the supply chain is intact. They’ve got the staff to take care of that; an agency may not.
Double-Check Outside Security Policies
Agencies should regularly check in with those third parties, however, making sure supply chain security policies are regularly audited and updated. Ask specifically what they’re doing and how they’re carrying out changes. Learn how they create a chain of custody when it comes to handling merchandise. A good reseller will gladly discuss the process.
Another threat is counterfeit or gray-market goods that find their way into the government supply chain because a vendor is not vetting its products well enough. For example, 10 years ago, the Army and other agencies discovered they had unwittingly bought counterfeit products from an unsuspecting supplier. Since then, GSA has adopted new supply chain risk management processes in that area.
Vigilance in managing supply chains can be difficult, given that much of the manufacturing process may not be transparent. But agencies have many avenues for assistance in assessing risk these days, and that’s an important step.
As Infosec’s “Cyber Security Risk in Supply Chain Management” states: “Cyber security of any one organization within the chain is potentially only as strong as that of the weakest member of the supply chain.”