Security and your supply chain: 5 steps to take right now


Every contractor, supplier and sub needs to take steps to protect their supply chain. Here are steps to take right now.

The future of contracting looks like an oasis, or rather an OASIS+ contract. Government contractors and companies in the defense industrial base just have one catch: They are on the hook to help secure the nation’s supply chains.

The Government Accountability Office published a series of reports recently that outlined the highest cybersecurity risks to the government, including those that need to be addressed urgently. The reports highlight the need to protect the nation’s critical infrastructures, the technology systems used to carry out fundamental operations and maintain these infrastructures, and the need for cybersecurity and supply chain risk management (C-SCRM) to address significant supply chain vulnerabilities.

The GAO reports have led to cybersecurity requirements for those wishing to bid on new contracts and a warning: The Government may perform a cyber-supply chain risk assessment of the awarded contractor at any time during the period of performance.

That might not sound impressive until you consider the impact.

Nearly every business in America will feel the effects—not just primes and subs. Any company that is a vendor to a prime or sub or that sells a commercially available product that a contractor uses is considered part of their supply chain—and therefore needs to demonstrate advanced cybersecurity—or risk being labeled as unsafe.

OASIS+ has a requirement upon submission for contractors to submit an initial cybersecurity supply chain risk management plan with their proposal. And if awarded, they must add to or improve that plan within 90 days.

This imperative is a wake-up call for contractors who have been hoping to skate by without investing in more rigorous or sophisticated cybersecurity. If OASIS+ is your vision, there are five steps you must take.

1. Know your security stance and requirements

Conduct an assessment of your current security profile and study up on what is required by your current contracts.

If you’ve got your ducks in order, this could be as simple as checking your latest Supplier Performance Risk System (SPRS) score, System Security Plan (SSP), and Plan of Action & Milestones (POA&M) and providing the relevant information to your contracting officer. However, data suggests that many contractors and companies in the supply chains aren’t prepared, and their cybersecurity is severely lacking—unable to meet even the 15 basic controls outlined in FAR 52.204-21.

There are lots of free resources to help you understand the standards and break down the technical language, including resources from the National Institute of Standards (NIST), the gold standard for government cybersecurity. Dig in and keep going—security is a new operational area that every company will need to address.

2. Apply the standards and prove it

Companies looking to do business are increasingly asked about their security stance. Your compliance score may have already replaced your company’s credit score as a requirement to transact.

For many companies, the process of becoming compliant can take six to nine months or more, underscoring the imperative of starting now. It won’t be enough to say you’ve improved security or even to have a senior executive self-attest to it. In order to meet contract requirements, companies need to prove their compliance, and that requires documentation and security monitoring. If all of this sounds foreign to you, spend some time reading up on digital trust.

3. Tough love: Vet your supply chain

As a contractor, you’re also responsible for verifying the security of those within your supply chain. That requires asking some pointed questions to determine if every vendor or supplier meets the standards—and making tough decisions to cut ties with those who don’t hold up or aren’t willing to invest in security. Many companies find a vendor screening process, often including some forms and a follow-up interview, allows them to cover all the bases from invoicing to security to personnel.

If you have subcontractors or vendors who are key to your delivery, you might decide to help them with their cybersecurity posture. That could mean technical or financial assistance to implement needed policies.

The government has made it easy to determine if cloud service offerings are compliant. If it’s FedRAMP® approved, you're good to go.

4. Decision point: Have you done enough?

Having oversight is a major theme in the GAO reports. Indeed, we’ve already seen a few cases where the Department of Justice has gotten involved to charge contractor companies that experienced a breach or attack because their security wasn’t up to standards under the False Claims Information Act. Some have even targeted the senior executives who attested to the security standards being met.

For OASIS+, the risk of noncompliance comes down to being removed from the contract, easily the largest one in the last 20 years. No contractor or supplier can afford to lose the trust of customers, particularly one like the General Services Administration.

5. Get help where it counts: In your wallet

Few companies can afford to keep a cadre of cybersecurity professionals on the payroll. For the rest, consultants can make a world of difference, accelerating progress by using best practices and proven solutions to efficiently meet their cybersecurity requirements.

A strong security posture is its own reward, yet there will be readers who balk at having to spend thousands to comply.

In the latest IBM study (2022), the average cost of a data breach was $4.35 million, a figure that makes prevention sound downright affordable. There are plenty of other financial impacts to consider, too. The cost of cyber insurance doubled for companies that didn’t improve their cybersecurity stance in the past year, while those who did invest saw premiums drop. And the cost-saving for companies who have an incident response plan and regularly test it was estimated to be $2.66 million, the result of lower breach damages.

There's no upside to skipping out on security throughout your supply chain. We had the unique experience, during the COVID pandemic, of witnessing first-hand how important these links are, and how one disruption can cascade into a major crisis. Even worse than being unable to get our hands on toilet paper, baby formula, or masks, we saw the rolling impact of security disruptions within a supply chain, like SolarWinds (2020), Microsoft (2021), and WannaCry (2017).

The GAO points out that it has made over 4,000 recommendations to federal agencies to address cybersecurity shortcomings stretching back to 1997. As of December 2022, over 880 of these had not been fully implemented, including 134 designated as priority recommendations. Now they’re asking contractors to lead the way, bringing their entire supply chains into a modern cybersecurity era. Without every company down the line helping to make security a real, national priority, we’ll be looking at a mirage instead of an oasis.

Edward Tuorinsky, managing principal of DTS, a government and commercial consultant business, brings more than two decades of experience in management consulting and information technology services.