What you need to know about supply chain risks and your business

To be a trusted supplier, vendors must understand supply chain risk management trends.

As technology advances, supply chain risk management challenges are going well beyond the world of producing physical products such as IT hardware. While ISO-based standards provide clear guidance on supply chain management in the private sector, federal government suppliers must think more broadly.

To become a trusted supplier to the federal government, vendors must understand supply chain risk management trends affecting manufacturing. This article takes an end-to-end approach to supply chain risk management, also called SCRM, examining technology trends, emerging threat vectors, and what vendors new to the federal government must keep in mind to mitigate supply chain risk.

Technology evolution and globalization

As technology has continually evolved from hardware to software, it has introduced new aspects of supply chain management. While software innovation offers new capabilities, it also brings vulnerabilities that are more easily exploited than hardware vulnerabilities. That exploitation introduces supply chain risks (more on this later).

Of course, hardware is still a significant part of infrastructure, including government services. Most hardware is built for a long lifecycle, and once deployed this legacy technology is not likely to be unseated, because of the capex costs tied to its original implementation.

With globalization, the main hardware risk comes through offshore contractors and suppliers. The widespread acceptance of globalization makes it harder to be certain of the integrity of your hardware supply chain.

What’s more, as software attack vectors become more sophisticated, they are also likely to be adapted to hardware. The installed hardware base is large, and therefore attractive to bad actors. The evolution of technology may provide a false sense of security that existing hardware is not susceptible to new forms of supply chain risk.

For federal government agencies, where data security is paramount, vendors will encounter more stringent compliance requirements than in the private sector. The supply chain must be protected to ensure product quality, and to protect against the ever-evolving onslaught of cybersecurity threats.

Shift towards software

With cloud replacing traditional hardware infrastructures, and software becoming more cloud-based, SCRM needs to shift focus from tracking physical components to the programming code used in cloud-based applications.

Cloud service providers all have some form of shared responsibility model for security, in which users are still responsible for securing their individual applications and services; the CSPs are responsible for the security of their infrastructure and the code used in their services.

Without tightly controlling the supply chain, malicious code could be introduced into cloud services. Most software applications, whether cloud-based or not, utilize significant open source code. A strong product development lifecycle ensures that open source code in a CSP’s infrastructure or cloud service offerings will be handled securely.

To that end, there are two best practices to apply to meet security responsibilities in the cloud:

  • Establish a technology import process that allows software to be imported in a trusted manner, and to be used securely in products and service applications. Discovery and inspection processes must deliver a baseline understanding of what the technology is doing, how it is structured, and its level of maturity. Architecture review, code analysis and a security design review are also recommended. These factors would feed into a risk assessment of potential threats, including known vulnerabilities. Only if these threats are deemed acceptable would a piece of technology be pulled into an application or service released to the market.
  • Securely manage risk in software and cloud-based applications with a software bill of materials (BOM). The BOM should outline all components feeding into a software application. Using this documentation, CSPs can list the tools used in their application development – as well as any third-party components. Both the IT and R&D departments therefore can apply software patches and updates more efficiently and effectively.
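As an added example (not code from this article or from any vendor or CSP it describes), the following Python script shows the second practice in action: it reads a software bill of materials in CycloneDX-style JSON, compares every listed component against an advisory list of first-fixed versions, and produces the patch worklist that IT and R&D would act on. The SBOM contents, component names, versions and advisory identifiers are all constructed placeholders; the only assumptions are the CycloneDX field names (`bomFormat`, `components`, `name`, `version`, `purl`) and a simple dotted-numeric version comparison.

```python
"""Cross-check a CycloneDX-style SBOM against known-vulnerable versions.

Constructed example: the SBOM, the advisory list and every identifier in
them are placeholders, not real packages or real vulnerability data.
"""
import json
from typing import Any, Dict, List, Tuple

# Constructed SBOM in CycloneDX JSON layout (placeholder components).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.4",
  "components": [
    {"type": "library", "name": "example-json-parser", "version": "2.3.1",
     "purl": "pkg:pypi/example-json-parser@2.3.1"},
    {"type": "library", "name": "example-tls-lib", "version": "1.0.7",
     "purl": "pkg:generic/example-tls-lib@1.0.7"},
    {"type": "application", "name": "example-build-tool", "version": "5.2.0",
     "purl": "pkg:generic/example-build-tool@5.2.0"},
    {"type": "library", "name": "example-logging", "version": "3.1.0",
     "purl": "pkg:pypi/example-logging@3.1.0"}
  ]
}
"""

# Constructed advisory feed: every version strictly below "fixed_in" is
# treated as affected. The advisory ids are placeholders, not real CVEs.
ADVISORIES: List[Dict[str, str]] = [
    {"name": "example-json-parser", "fixed_in": "2.4.0", "id": "ADV-EXAMPLE-001"},
    {"name": "example-tls-lib", "fixed_in": "1.0.7", "id": "ADV-EXAMPLE-002"},
    {"name": "example-logging", "fixed_in": "3.2.5", "id": "ADV-EXAMPLE-003"},
]


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn '1.10.0' into (1, 10, 0) so versions compare numerically.

    A plain string comparison would wrongly rank '1.9.9' above '1.10.0'.
    """
    return tuple(int(part) for part in version.split("."))


def load_components(sbom_json: str) -> List[Dict[str, str]]:
    """Extract name, version and purl for every component in the SBOM."""
    doc: Dict[str, Any] = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("unsupported BOM format: %r" % doc.get("bomFormat"))
    return [
        {"name": c["name"], "version": c["version"], "purl": c.get("purl", "")}
        for c in doc.get("components", [])
    ]


def find_patch_work(sbom_json: str,
                    advisories: List[Dict[str, str]]) -> List[Dict[str, str]]:
    """Return the components that sit below the first fixed version.

    Components with no advisory, or already at/above the fix, are skipped,
    so the output is exactly the list of updates the teams need to apply.
    """
    fixes = {a["name"]: a for a in advisories}
    work: List[Dict[str, str]] = []
    for comp in load_components(sbom_json):
        adv = fixes.get(comp["name"])
        if adv is None:
            continue
        if parse_version(comp["version"]) < parse_version(adv["fixed_in"]):
            work.append({
                "name": comp["name"],
                "installed": comp["version"],
                "upgrade_to": adv["fixed_in"],
                "advisory": adv["id"],
                "purl": comp["purl"],
            })
    return work


if __name__ == "__main__":
    for item in find_patch_work(SBOM_JSON, ADVISORIES):
        print("%s %s -> %s (%s)" % (item["name"], item["installed"],
                                    item["upgrade_to"], item["advisory"]))
```

Run against the constructed SBOM, the script reports two updates (the JSON parser and the logging library); the TLS library is already at its first fixed version and the build tool has no advisory, so neither appears. In practice the advisory list would be pulled from a vulnerability feed keyed on the component's purl rather than its bare name, and the same worklist can be generated for each release's SBOM as part of the import process described in the first practice.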

The four main classes of supply chain threat

With government agency purchases becoming more software-based, associated threats can be harder to recognize. This is particularly true of cloud-based software solutions, where communication channels are truly borderless and information can flow seamlessly from anywhere in the world.

A comprehensive approach to SCRM addresses four classes of threats:

Intentional Threats. These are deliberate actions, intended to be malicious or to gain an unfair competitive advantage. Competitors may inject malware or viruses to undermine your product or to attack your end customer. Prohibited or pirated software may be used to keep production costs down. Black market or counterfeit components may also be used instead of OEM parts to cut costs and time to market.

Unintentional Threats. These are poor quality control practices or events beyond the vendor’s control. Enforcement of quality standards may be lax. Information with outside contractors may be unclear or incomplete. Human error around data security may make the supply chain vulnerable to future cyberattacks. Poor work conditions could disrupt network operations and throw the process into chaos.

Internal Threats. These may be either intentional or unintentional. Disgruntled or turncoat workers may undermine your production from the inside. The same is true of careless workers, through human error or lack of awareness of data security practices. Weak policies and procedures for controlling access and granting privileges to sensitive data make both kinds of insider threat more likely to succeed.

External Threats. These deliberate, well-targeted threats come from outside your organization. Downstream supply chain partners may try to steal IP to disrupt production, often prompted by competitors. Individual hackers may find a vulnerability in your supply chain, which could lead to malware, phishing, fraud, extortion, ID theft, and more. You may even be exploited by state-sponsored actors on behalf of hostile governments.

SCRM means balancing cost and supply chain vulnerabilities

The wide range of supply chain vulnerabilities described here adds up to a risk profile that goes well beyond conventional hardware manufacturing. As production of software and software-based hardware becomes more decentralized, the supply chain becomes more complex and convoluted.

Globalization may create cost benefits for vendors, but it also creates an interconnected ecosystem where supply chain threats can be almost impossible to detect or control. Vendors, therefore, must apply SCRM best practices, balancing the benefits of globalized software production against the attendant risks that come with developing a federal business practice.

In becoming a trusted supplier to federal government agencies, vendors must align with the requirements in NIST’s Cybersecurity Framework. More specifically, for IT decision-makers, vendors need to follow NIST’s Cyber Supply Chain Risk Management processes (https://csrc.nist.gov/Projects/cyber-supply-chain-risk-management). This will help mitigate risk pertaining to data security applications.

Compliance with long-standing ISO certifications does not translate into airtight security with federal government agencies. An end-to-end approach to SCRM will be needed to succeed in this sector going forward.