Airmen of the 21st Communication Squadron work on several computers at once during the Windows 10 rollout project at Peterson Air Force Base, Colo., March 22, 2017.

Aug 14 2019

Best Practices for IT Supply Chain Security in the Public Sector

State and local government agencies should look to NIST for guidance.

IT supply chain security has been a topic of conversation for a while now, especially in regard to the federal government. 

In May, President Donald Trump signed an executive order “giving the federal government the power to block U.S. companies from buying foreign-made telecommunications equipment deemed a national security risk,” reported The Verge

While the order does not name or target a single company, it was widely seen as a move to block China-based Huawei, which some U.S. lawmakers deemed a security threat (something the company has long denied). 

Although some experts say the order won’t actually improve U.S. cybersecurity, the order underscored the importance of IT supply chain security and made it front-page news

Just as state and local governments can and should look to the federal government for guidance on cybersecurity best practices in general, they can also turn to the feds for resources on IT supply chain best practices. The National Institute of Standards and Technology’s cybersecurity framework was updated last year to include an entire section on supply chain risk management. 

NIST’s framework offers state and local agencies some clear best practices on managing and mitigating IT supply chain risks, which can include “the insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing and development practices in the cyber supply chain,” NIST notes. 

CDW Cybersecurity Insight Report

How to Set Up a Cyber Supply Chain Risk Management Process

Supply chains are wide-ranging — and in today’s world, global. “The factors that allow for low-cost, interoperability, rapid innovation, a variety of product features, and other benefits, also increase the risk of a compromise to the cyber supply chain, which may result in risks to the end user,” according to NIST. 

It starts at the sourcing of products and services, the NIST framework explains, “and extend from the design, development, manufacturing, processing, handling, and delivery of products and services to the end user.” Given how complex and interconnected supply chains are, it’s critical for public sector agencies to ensure their supply chains are secure

As the framework notes, cyber supply chain risk management, or SCRM, involves technology suppliers and buyers, as well as nontechnology suppliers and buyers. Tech suppliers include those that provide include traditional IT, industrial control systems, cyber-physical systems and Internet of Things devices. 

Cyber SCRM may involve many different activities, ranging from determining cybersecurity requirements for suppliers to creating such requirement contracts, communicating to suppliers how those cybersecurity requirements will be verified and making sure those requirements are validated. 

If agencies go down this route, they should identify, prioritize and assess their suppliers and third-party partners of information systems, components and services by using a cyber supply chain risk assessment process. Essentially, agencies need to figure out which suppliers pose the largest risks. 

After that, NIST recommends agencies structure their contracts with suppliers and third-party partners to include “appropriate measures designed to meet the objectives of an organization’s cybersecurity program and Cyber Supply Chain Risk Management Plan.”

Agencies should also routinely assess suppliers via “audits, test results, or other forms of evaluations” to ensure they are holding up their end of the bargain on their contracts. 

As with all cybersecurity risks, agencies should move on from the idea that their supply chains will be breached. They should do all they can to mitigate those risks and remember security does not start or end once they receive technology products.

This article is part of StateTech's CITizen blog series. Please join the discussion on Twitter by using the #StateLocalIT hashtag.


U.S. Air Force photo by Steve Kotecki

Become an Insider

Unlock white papers, personalized recommendations and other premium content for an in-depth look at evolving IT