In May, President Donald Trump signed an executive order “giving the federal government the power to block U.S. companies from buying foreign-made telecommunications equipment deemed a national security risk,” reported The Verge.
While the order does not name or target a single company, it was widely seen as a move to block China-based Huawei, which some U.S. lawmakers deemed a security threat (something the company has long denied).
Although some experts say the order won’t actually improve U.S. cybersecurity, the order underscored the importance of IT supply chain security and made it front-page news.
Just as state and local governments can and should look to the federal government for guidance on cybersecurity best practices in general, they can also turn to the feds for resources on IT supply chain best practices. The National Institute of Standards and Technology’s cybersecurity framework was updated last year to include an entire section on supply chain risk management.
NIST’s framework offers state and local agencies some clear best practices on managing and mitigating IT supply chain risks, which can include “the insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing and development practices in the cyber supply chain,” NIST notes.
How to Set Up a Cyber Supply Chain Risk Management Process
Supply chains are wide-ranging — and in today’s world, global. “The factors that allow for low-cost, interoperability, rapid innovation, a variety of product features, and other benefits, also increase the risk of a compromise to the cyber supply chain, which may result in risks to the end user,” according to NIST.
It starts at the sourcing of products and services, the NIST framework explains, “and extend from the design, development, manufacturing, processing, handling, and delivery of products and services to the end user.” Given how complex and interconnected supply chains are, it’s critical for public sector agencies to ensure their supply chains are secure.
As the framework notes, cyber supply chain risk management, or SCRM, involves technology suppliers and buyers, as well as nontechnology suppliers and buyers. Tech suppliers include those that provide include traditional IT, industrial control systems, cyber-physical systems and Internet of Things devices.
Cyber SCRM may involve many different activities, ranging from determining cybersecurity requirements for suppliers to creating such requirement contracts, communicating to suppliers how those cybersecurity requirements will be verified and making sure those requirements are validated.
If agencies go down this route, they should identify, prioritize and assess their suppliers and third-party partners of information systems, components and services by using a cyber supply chain risk assessment process. Essentially, agencies need to figure out which suppliers pose the largest risks.
After that, NIST recommends agencies structure their contracts with suppliers and third-party partners to include “appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.”
Agencies should also routinely assess suppliers via “audits, test results, or other forms of evaluations” to ensure they are holding up their end of the bargain on their contracts.
As with all cybersecurity risks, agencies should move on from the idea that their supply chains will be breached. They should do all they can to mitigate those risks and remember security does not start or end once they receive technology products.