The Cybersecurity and Infrastructure Security Agency (CISA) plans to release a training program to help Federal agencies better understand and operationalize cyber supply chain risk management (C-SCRM), CISA’s C-SCRM Project Management Office Lead said today.
Shon Lyublanovits explained during FCW’s June 27 Supply Chain Workshop that CISA plans to help agencies, industry, and other partners operationalize and better understand supply chain security requirements through a new training initiative that will be released in the new fiscal year beginning in October.
“We want to really focus on operationalizing … to help businesses and industry partners understand some of the expectations that are going to be coming,” Lyublanovits said. “Another piece of that that we’re super proud of is that we have a training initiative. Again, how do I operationalize SCRM? What does that mean to me?”
“What sort of training could I utilize to increase my knowledge in my skills side of the space,” she continued, adding, “So, we’re working on a four-tiered approach to increase proficiency in these areas.”
The C-SCRM lead said that CISA isn’t ready to release the training initiative yet, but that “the first part – module one – is about 80 percent baked, so we do expect to have some information coming out about that soon.”
Lyublanovits said CISA plans to release a pilot training program first for a “few select agencies” to test it out and give feedback so CISA can ensure it has a really good product.
“We most certainly will work to have some announcements come out the beginning of this fiscal year – so as early as October – about this new community that we’re building and hoping to expand,” she said.
The agency’s C-SCRM Project Management Office is almost one year old to date, having been launched last July. Lyublanovits said over the last 11 months her team has spent time hearing from agencies to understand what was critical, what was important to them, and what their challenges were.
Having heard agencies’ struggles over the past year, Lyublanovits unveiled several new initiatives her team will establish in the coming months to help the government put supply chain security guidance and policies into practice.
Lyublanovits emphasized the idea that CISA should serve as a “lighthouse” – a place where agencies and industry partners can go to get real information on operationalizing C-SCRM.
The CISA official also said today that agencies should be on the lookout for a C-SCRM information hub where they can go in and access best practice guides, templates, and different information assets on supply chain security. Lyublanovits said that industry will be able to access this resource as well.
“We want to be able to take some of the things coming from NIST and actually create practical checklists or guides to help with some of the compliance issues coming out around C-SCRM,” she said.
Lyublanovits stated that this resource will be available next calendar year.
“Another big piece of this puzzle is information sharing in general,” Lyublanovits said. “How do you raise people’s awareness to the point where they understand the information?”
The C-SCRM lead revealed that CISA will also be launching a community of interest forum next fiscal year that will involve different subsets of government. There will be a Federal government track, a state, local, Tribal, and territorial track, and an industry track.
“We can actually come in and talk about the operational aspects of C-SCRM,” Lyublanovits explained. “It’s time for us to move away from thinking more strategically to otherwise take some of those things that I’ve been asked to do and give me that one through five steps to actually move forward and do things in this space.”
