The Cybersecurity and Infrastructure Security Agency’s (CISA) new Cyber Supply Chain Risk Management (C-SCRM) Office is in the process of developing training and maturity models for Federal agencies, with an eye of releasing these resources in the new fiscal year (FY) to begin on Oct. 1.
The C-SCRM Office – which just marked its one-year anniversary in July – is led by Shon Lyublanovits, who detailed that the office’s strategy and governance team is looking to FY 2024 to release a C-SCRM maturity model.
“One of the things that we are working on in FY 24 is developing a maturity model,” Lyublanovits said during Federal News Network’s Cyber Leaders Exchange 2023 on Sept. 13. “So what we want to do is actually put some framing, some levels around different maturation in supply chain, so that way we can go in and say if an agency is at zero, do we want to get them to a one or a two based on their mission and function area? And in order to get to level two, we want to put together these four or five things.”
The C-SCRM maturity model will have metrics and key performance indicators for supply chain risk programs.
“Being able to articulate not only the fact that we need to do it, but what value will it bring to the agencies? What goals am I helping to accomplish by actually doing this work?” she said. “Putting a little bit of framing and structure around that is important for us as we move forward.”
The new CISA office has also been focused on developing C-SCRM training for Federal employees.
Lyublanovits said her team is developing the training, to include courses ranging from basic SCRM skills through expert-level instruction. Specifically, the training program will consist of four badges: Steward, Champion, Resilience, and Maestro – spelling out SCRM.
“We didn’t have this pathway that allowed us to mature from foundational knowledge to that subject matter trainer expertise, and so armor – which is advancing cyber risk management through operational resilience – really allows us to take a lay person,” Lyublanovits said.
“I always use the analogy that a janitor needs basic C-SCRM knowledge, taking that person straight out of college and saying, let me give you sort of the principles of what C-SCRM is, and allowing a person to continue to gain additional knowledge from the steward to the champion to the resilience badge and to the maestro,” she said.
CISA will pilot its basic, steward-level C-SCRM training with multiple agencies starting in the 2024 calendar year.
“We’ve had a few select agencies that we’re going to have come in and pilot it – tell us where there are opportunities for us to improve right before we do a broader release,” Lyublanovits said.
Lyublanovits noted that the end goal of the training program is to eventually get it out to not only the Federal workforce, but also the state, local, Tribal, and territorial organizations as well as schools “so that we’ve got a strong workforce coming into the Federal government, understanding what supply chain is, but actually being able to start to do some work into that.”
“C-SCRM is not a one-and-done thing. We must continually look at and reevaluate our posture, and we’ve got to treat it like insurance,” Lyublanovits said. “Insurance is one of those things where we’re paying on it every month or every quarter that we don’t necessarily see the value of until something happens.”
“We’ve got to look at the point where C-SCRM is our insurance for how well we’re able to operate as a nation,” Lyublanovits concluded. “I’d like to see us really make it a priority – a top priority – not because a SolarWinds happens, not because we found out about a vendor, but because it’s part of our day-to-day processes.”
