The Federal Government relies on a global ecosystem of vendors for modern IT supply chains. This complex web, while essential for efficient operations, also introduces significant security risks. Major disruptions in recent years – from the COVID-19 pandemic to political uncertainties and increasing cybersecurity threats – have highlighted the importance of verifying the integrity and security of hardware and software sourced through this interconnected global web. Recognizing the crucial role of a resilient cyber supply chain in safeguarding national interests, the U.S. federal government is working tirelessly to strengthen supply chain security, mitigate risks, and protect the country’s vital assets, including public trust.
Securing the IT supply chain requires engagement and a nuanced understanding of risk management. It requires stakeholders across government agencies, private sector contractors, vendors, industry associations, cybersecurity agencies, and international partners. In this intricate landscape, stakeholders must navigate a complex web of regulations, standards, and initiatives aimed at ensuring the resilience and reliability of the IT supply chain to avoid breaches that could damage or disrupt operations.
For government agencies responsible for over 345 million citizens, a compromised supply chain can lead to devastating impacts like theft of sensitive private information, downtime of essential government services, and irreparable damage to public trust and national security. This POV highlights the urgency of proactive measures to secure the supply chain and prevent future attacks, protect national security, maintain economic stability, and, most importantly, secure citizens’ sensitive data.
Critical challenges in securing the IT supply chain for the U.S. federal government
The federal government allocates approximately $665 billion annually to procure goods and services from outside contractors, engaging a vast network of vendors and subcontractors that touch critical infrastructure and sensitive data, and creating a highly vulnerable cyber supply chain. The complexity of IT supply chains, with components sourced from various regions and countries, complicates the task of ensuring their integrity. The rapid growth of data generation adds another layer of complexity. By 2025, data generated and stored by humans is expected to reach 175 zettabytes[i], encompassing everything from streaming media to healthcare. Government operations will interact with this data through IoT devices, many of which may lack security, increasing cyberattack risks. Securing the government’s supply chain is crucial, as third-party vendors can introduce vulnerabilities. Ensuring software integrity is essential to prevent attacks, block malicious actors, and improve visibility into government supply chains for comprehensive risk assessment and protection of critical government functions.
In the 2020 SolarWinds incident, the company’s Orion platform was the victim of a supply chain attack that affected thousands of systems and customers on a global scale. What followed was nothing short of a digital storm, involving the networks, systems, and data of approximately 18,000 SolarWinds customers – including government organizations like Homeland Security, State, Commerce, and Treasury, along with significant private companies like FireEye, Microsoft, Intel, Cisco, and Deloitte. The aftermath of the hack indicated that U.S. businesses and government agencies spent $100 billion to contain and fix the damage from the attack.
The 2020 SolarWinds breach serves as a stark reminder of the need for robust defenses against supply chain attacks. The aftermath indicated that U.S. businesses and government agencies incurred $100 billion in damages from the cyberattack. According to the Cybersecurity and Infrastructure Security Agency (CISA) at the Department of Homeland Security, 18,000 public and private sector customers of SolarWinds’ Orion product, including ten federal agencies,[ii] were affected in the cyberattack.
The challenges in supply chain security are getting increasingly complex due to the evolving threat landscape, resource constraints, and the need to balance effective policies with innovation. Insider threats from internal sources and supply chain partners are difficult to detect, while legacy IT systems remain vulnerable. Collaboration among government agencies, the private sector, and international allies is crucial to address these supply chain security challenges and safeguard national security and sensitive data.
The Federal Acquisition Security Council (FASC) and other interagency task forces have been actively working to mitigate these risks by enhancing IT supply chain security. In collaboration with the Cybersecurity and Infrastructure Security Agency (CISA), the ICT Supply Chain Risk Management Task Force brings together industry leaders and government representatives to address vulnerabilities and implement strategies to strengthen supply chain resilience. Their efforts focus on promoting transparency, improving information sharing, and developing best practices to safeguard critical infrastructure and sensitive information.
“The HBOM Framework offers a consistent and repeatable way for vendors and purchasers to communicate about hardware components, enabling effective risk assessment and mitigation in the supply chain,” said CISA National Risk Management Center Assistant Director and ICT SCRM Task Force Co-Chair Mona Harrington in prepared remarks.[iii]
To improve IT supply chain security, robust measures must be implemented to increase visibility, promote collaboration, and stay informed about emerging threats. Some of these measures include enhancing security requirements for federal contractors, leveraging advanced technology to monitor risks, and establishing secure procurement practices.
- Integrate advanced analytics and monitoring tools to provide real-time insights into supply chain activities, enabling early detection of vulnerabilities.
- Establish clear communication channels and partnerships between government agencies, private sector entities, and international allies to share threat intelligence and coordinate responses.
- Adopt standardized frameworks and best practices, such as the implementation of zero-trust architectures and multi-factor authentication, which can significantly reduce the risk of unauthorized access and supply chain attacks.
Continuous training and education for all stakeholders on the latest cyber threats and defensive strategies are also essential to maintaining a resilient and secure IT supply chain.
Trends in Federal IT Supply Chain Management for Enhanced Security
As digital transformation advances, supply chain security managers prioritize using advanced analytics to enhance visibility and flexibility. Investments in cybersecurity, a multi-factor authentication environment, and zero-trust architectures are also crucial.
According to McKinsey’s survey of 100+ supply chain leaders worldwide, only 45%[iv] of companies struggle with visibility into the earlier stages of their supply chain.
Here are some of the trends in the government acquisition process that have been implemented to improve supply chain safety:
- Standardization of Supply Chain: The Federal Acquisition Security Council (FASC) has been actively working to develop and implement standardized processes and procedures for sharing supply chain information. They have set up reporting mechanisms and guidelines for stakeholders when exchanging data. Additionally, they have encouraged federal agencies and suppliers to adopt secure communication protocols and encryption to protect shared information.
- Comprehensive Regulatory Framework: The federal government has integrated supply chain security provisions into regulations like the Federal Acquisition Regulation (FAR) and Defense Federal Acquisition Regulation Supplement (DFARS). These regulations require contractors to report cyber incidents promptly and protect sensitive supply chain data. Government agencies enforce compliance and conduct audits to ensure that rules are followed.
- Prevention of Supply Chain Attacks: The Federal Acquisition Supply Chain Security Act of 2018 established the Federal Acquisition Security Council (FASC) to oversee supply chain security. FASC has been developing and implementing policies and procedures to identify and mitigate supply chain risks. Additionally, agencies have implemented the recommendations of the Information and Communications Technology Supply Chain Risk Management Task Force, focusing on securing the ICT supply chain through proactive measures.
- Increased Oversight and Regulation: The government has increased oversight by requiring contractors and suppliers to develop supply chain risk management plans. These plans outline how they will identify, assess, and mitigate risks in their supply chains. To reduce vulnerabilities in the supply chain, specific foreign-made telecommunications equipment has also been banned.
- Collaboration and Information Sharing: Government agencies have actively promoted stakeholder collaboration and information sharing. This involves establishing forums, workshops, and information-sharing platforms to facilitate communication. Agencies like the CISA encourage private-sector participation in threat information sharing and coordination.
- Adoption of New Technologies for Automation: The government invests in modernizing supply chain processes. This includes implementing digital platforms to collect and analyze supply chain data, utilizing blockchain technology to enhance transparency and traceability, and applying artificial intelligence and machine learning to detect and mitigate risks in real time. Agencies have also encouraged contractors to adopt advanced security measures like encryption and multi-factor authentication.
Addressing Supply Chain Vulnerabilities – A Risk Management Approach
The United States ranks among the top five countries for data breaches, with costs reaching an estimated $9.44 million; the intersection of technological reliance and an evolving threat landscape demands a vigilant response. Incidents like the SolarWinds breach underscore the urgency of comprehensive measures to protect the nation’s critical infrastructure against these sophisticated cyber threats.
As per the Government Accountability Office GAO-21-594T report[i], federal agencies have coordinated actions to reduce risks; however, the risks associated with their Information and Communication Technology (ICT) supply chains still persist.
While agencies have started tackling the challenge, the incomplete implementation of essential practices and security gaps leaves vulnerabilities that malicious actors can exploit, posing potential threats to mission operations, individuals, and intellectual property.
The GAO report’s bar chart reveals the extent to which 23 civilian agencies have adopted foundational ICT Supply Chain Risk Management (SCRM) practices. It shows that all agencies have established a process for conducting agency-wide assessments of ICT supply chain risks. Most agencies have also fully implemented strategies for executive oversight, agency-wide ICT SCRM strategies, and detecting counterfeit products.
However, some areas still need improvement, such as conducting SCRM reviews of potential suppliers and developing ICT SCRM requirements for suppliers, where a few agencies have only partially implemented these practices.
Ensuring the security and integrity of the IT supply chain is crucial for protecting individual privacy and maintaining the operational continuity and national security of a government serving a vast population. Addressing these security challenges, innovative solutions like DX360°® Cyber-Supply Chain Risk Manager (C-SCRM) provide organizations with proactive measures to navigate and mitigate cyber risks. DX360°® C-SCRM offers real-time visibility, risk assessment, and treatment plan recommendations to enhance supply chain security.
By leveraging DX360°® C-SCRM, organizations can protect themselves within a network of stakeholders dedicated to supply chain security, even amidst evolving threats and coordination complexities. Continuous vigilance, supported by advanced tools like DX360°® C-SCRM, is essential for effectively securing the IT supply chain and preserving critical government functions.
Learn more about DX360°® Cyber-Supply Chain Risk Manager (C-SCRM) by requesting a personalized demo today: demo@netimpactstrategies.com