Government agencies are under siege from ransomware and incredibly sophisticated cybersecurity threats, such as the 2020 SolarWinds supply chain attack. To help fight back, lawmakers are introducing steps to broaden defenses through non-traditional approaches. The Supply Chain Security Training Act (SCSTA) bill, recently passed in the U.S. Senate, would extend cyber responsibilities to federal employees with supply chain risk management responsibilities, like program managers and procurement professionals.
This is a much-needed step. SCSTA directs the General Services Administration (GSA) to develop a training program for federal employees that will help them identify and reduce agencies’ supply chain risks. Extending security responsibilities in this way is practical and necessary to widen the resource pool for tackling cyber risks, particularly given the shortage of people with hard technical skills who are battling supply chain threats. At this point, everyone needs to stay vigilant and not expect security to be someone else’s responsibility.
While SCSTA would add another element to current job training requirements, it is vital – even for non-technical employees – to understand the security angles of the technologies they are acquiring. Focusing on specific vendor practices for both physical and digital supply chains will drive a thorough assessment of cybersecurity across a vendor’s entire process, sub-supplier requirements, and risk mitigation policies.
To get started, agencies can frame the discussion around a few simple but strategic questions: What are the supply chain security risks in what you’re offering me? In what ways could your product be compromised? How could the product be installed or integrated incorrectly in a way that causes or increases cyber risk? Then drill down into specifics. Here are some ideas of what to probe:
For physical systems:
- Production. Ask about steps taken to ensure that the vendor’s bill of materials for the supply chain includes known, trusted entities that can demonstrate they adhere to stated security procedures. That can include steps like physically checking products through high-visibility scanning to make sure there was no unauthorized substitution of components, and comparing the exact build kit against scrap analysis. The ongoing global supply chain issues have exacerbated production problems that can lead to acquisition of gray-market components, which makes it much easier for an adversary to introduce counterfeit or maliciously modified parts.
- Critical software. While downloading has become the predominant software delivery method, the most secure way to deliver software is still on physical media. For systems that will be deployed in highly sensitive missions, vendors should provide both the disks and independently supplied validation codes so the recipient can verify that the software matches a specific signature and profile. If those don’t match, that is an indication not to move forward.
- Delivery. Packaging should be verifiably tamper-resistant, such as with tamper-evident tape on all seams. Vendors should minimize the length of time a package is in transport – less time in transit means less opportunity for it to be compromised. If deliveries are delayed, ask why, to see if there is an associated risk. Once shipments are received, verify that any devices contained within also have tamper defenses, and that those have not been compromised.
For software applications:
- Vendor verification. Vendors should be able to demonstrate how they secure their software so that it is not altered along the chain of custody. Find out if any entity or manufacturer has access to the entire build. If so, what steps are taken to validate the full build’s integrity? This includes using an isolated build and test environment that requires multi-factor authentication to access and requires multi-tunnel VPNs for remote access. Source code should never be released outside of the isolated environment, and all packages (open-source or otherwise) imported into the isolated environment must be verified.
- Assess the source of the download. Given that most software is downloaded, risk is created if the code is compromised at the source and then proliferated through an organization – such as what happened with SolarWinds in 2020. Where is the download platform housed? Who has access to it? Be able to independently check where any validation codes come from, to verify that they are authentic and as expected.
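As an added illustration of the independently supplied validation codes described in this bullet and in the critical-software bullet above (example code, not from the article or any vendor): the vendor publishes a size and digest through a separate channel, and the receiving agency checks the delivered package against them, halting on any mismatch, incomplete codes, or a weak digest algorithm. The product name, version and package bytes are constructed for the example.

```python
import hashlib
import hmac

# Digests acceptable as a validation code; weaker ones (md5, sha1) are
# rejected even if a vendor happens to publish them.
ACCEPTED_DIGESTS = ("sha256", "sha512")


def issue_validation_codes(package: bytes, name: str, version: str) -> dict:
    """Vendor side: produce the codes that travel separately from the
    package (e.g. on a signed letter or a separately hosted page)."""
    return {
        "name": name,
        "version": version,
        "size": len(package),
        "digest_alg": "sha256",
        "digest": hashlib.sha256(package).hexdigest(),
    }


def verify_delivery(package: bytes, codes: dict, expected_name: str,
                    expected_version: str) -> tuple:
    """Agency side: check the received package against the out-of-band codes.
    Returns (ok, reason); any failure is grounds to halt the acquisition."""
    for field in ("name", "version", "size", "digest_alg", "digest"):
        if field not in codes:
            return False, f"validation codes incomplete: missing {field}"
    if codes["name"] != expected_name or codes["version"] != expected_version:
        return False, "codes describe a different product or version than ordered"
    if codes["digest_alg"] not in ACCEPTED_DIGESTS:
        return False, f"unacceptable digest algorithm {codes['digest_alg']}"
    if codes["size"] != len(package):
        return False, f"size mismatch: expected {codes['size']}, got {len(package)}"
    actual = hashlib.new(codes["digest_alg"], package).hexdigest()
    # Constant-time comparison so timing does not leak how much of the digest matched.
    if not hmac.compare_digest(actual, codes["digest"].lower()):
        return False, "digest mismatch: package differs from what the vendor published"
    return True, "package matches the independently supplied validation codes"


# Constructed sample delivery: package bytes and the codes a vendor would publish.
SAMPLE_PACKAGE = b"constructed sample installer bytes for agency-app 2.4.1\n"
SAMPLE_CODES = issue_validation_codes(SAMPLE_PACKAGE, "agency-app", "2.4.1")
# The same package with one byte altered in transit (same length, so only the digest catches it).
TAMPERED_PACKAGE = SAMPLE_PACKAGE[:-2] + b"X\n"

if __name__ == "__main__":
    for label, pkg in (("as shipped", SAMPLE_PACKAGE), ("tampered", TAMPERED_PACKAGE)):
        ok, reason = verify_delivery(pkg, SAMPLE_CODES, "agency-app", "2.4.1")
        print(f"{label}: {'ACCEPT' if ok else 'REJECT'} - {reason}")
```

The codes are only as trustworthy as the channel they arrive on, so the check is meaningful only when they are fetched from somewhere the download platform itself cannot alter.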
Even with enhanced training, it can be complicated for program managers and procurement professionals to interpret vendor input in particularly technical situations. Consulting with internal cyber experts can help when vetting a vendor’s response. Still, in the face of supply chain shortages that are already straining the acquisition process, and the growing number of cyber threats, these roles will certainly get harder.
SCSTA represents a big task. Yet taking such steps is vital in the modern threat environment. Cybersecurity is not an endpoint; it is a journey. Legislation like the SCSTA is a call to action for strengthening the layers of national cyber defenses with the resources we already have. More people understanding the risks, asking the right questions, and knowing what to look for will go a long way toward making agency systems – and the country – more secure.