Cybersecurity Supply Chain: Don’t Let Shared Responsibility turn into a Collection of Inaction, Do Something

By: Matthew Karnas, Cybersecurity Practice Director, VMD Corp

Process is the crucial DevSecOps enabler

Published on Sep 13, 2021

The supply chain evaluation needs to be a shared responsibility across an agency and not just the focus of the information security team. Unfortunately, many shared responsibilities at agencies end up becoming collections of inaction. Inaction by other teams does not mean that information security can't take the critical steps required to ensure a more secure supply chain. The focus of this article is just that: the approach an information security team can take to secure the supply chain efficiently.

The Executive Order on Improving the Nation's Cybersecurity, released on May 12, 2021, has a section focused on the security of the software supply chain. Let's expand the scope of the supply chain to include a broader range of areas that information security should be reviewing. For this article, we'll define the scope of the supply chain in three categories: suppliers, products, and services, each discussed below.

Why is everyone concerned about supply chain risks? It's something that agencies and organizations have not tracked or managed very well. As the cybersecurity threat landscape grows, attacks on the supply chain become increasingly lucrative because a single exploit reaches a significantly larger number of potential targets. Threat actors with bad intentions are just like everyone else in business, looking for a better margin. Threat actors with good intentions are also a concern for the supply chain, such as a developer error in the software lifecycle or a third party accidentally disseminating sensitive information. Threat actors with good intentions are just like everyone else; mistakes happen, no one is perfect.

Suppliers play an essential role in the supply chain and include vendors, systems integrators, and product re-sellers. Suppliers provide the staff who perform some of the critical services at your agency. These staff could have access to your most sensitive data, have elevated access across your enterprise, and be responsible for ensuring the continuity of mission-critical services for the agency. Below are examples of risks related to suppliers:

Products include hardware, software, and various solutions scattered throughout an agency's enterprise. These products hold agency-sensitive data, are given elevated access, and run the agency's mission-critical services. Below are examples of risks related to products:

Services, mainly provided by external entities, are becoming a prominent part of agencies' IT roadmaps, including service-oriented architecture and cloud-based services. These services contain agency-sensitive data, grant elevated access to staff unknown to the agency, and are leveraged to run the agencies' critical operations.

Ideally, there is an active working group or initiative within the agency or organization that focuses on supply chain needs and includes the information security team in the discussion. As with many shared responsibilities at agencies, the results are not always practical (i.e., the current state of asset inventory and management, the cornerstone required for information security, typically lacks what is needed). Information security teams should identify attainable methods to better manage information security risks regarding the supply chain, regardless of whether an official program is implemented. For information security teams to make accurate, risk-based decisions regarding the supply chain, a repeatable process and methodology needs to be implemented.

Below are the main parts of a supply chain methodology that the information security team can leverage:

  1. Discovery and management of inventory for suppliers, products, and services
  2. Actions to take on inventory collected such as business feedback, intelligence, assessments, etc.
  3. Creation and management of information security policies, standards, and procedures for supply chain
  4. Interaction with supporting actors to review data points and implement policies
  5. Assessing risk throughout the pre-contract, during-contract, and post-contract performance
  6. Utilizing the output from the process to make informed decisions and reduce risk

The diagram below provides the flow of the process and how the parts work together.

For the information security team to manage this process efficiently with low overhead, the following questions need to be asked and their answers taken into consideration:

  1. What is the scope of the agency’s supply chain inventory?
  2. How will we evaluate the risk from the supply chain inventory?
  3. Who on the information security team will be responsible for the effort?
  4. When will the agency assess the risk of inventory, and how often?
  5. Where will this process be performed and managed (from a technology perspective)?

Even if an agency does not have a complete supply chain management team or workgroup established, it is the responsibility of the information security team to reduce the supply chain risk from a cyber perspective. The three main areas of focus should be suppliers, products, and services, and with the release of the Executive Order on Improving the Nation's Cybersecurity, products would be a good start to implementing the process defined above. A large and cumbersome process with new technology purchases is not needed to do the basics of supply chain management. Below are potential next steps to help on the supply chain management journey from a cybersecurity perspective.

  1. Identify assets using existing tools and scripts to automate the collection of inventory frequently
  2. Create a set of rules per asset type to automate the categorization (type of asset) and criticality (based on data sensitivity, access/permissions, and mission importance)
  3. Define a risk assessment methodology to measure risk of your supply chain
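As an added example of how steps 1 through 3 fit together (this is not the article's own code or a VMD Corp process), the following Python script merges inventory exports from two hypothetical collection tools, a CMDB and a procurement list, applies a rule table that maps each record's reported kind onto the article's three categories (suppliers, products, services), and scores criticality from data sensitivity, access/permissions, and mission importance. The sample records, the rule table, the weights, and the tier thresholds are all constructed assumptions; an asset reported by only one source is flagged as an inventory visibility gap, since incomplete inventory is the weakness the article calls out.

```python
"""Added example: rule-driven categorization and criticality scoring of a
supply chain inventory. Records, rules, weights and thresholds are constructed
assumptions for illustration, not values from the article."""

# Constructed sample exports, as two separate tools might report them.
CMDB_EXPORT = [
    {"name": "Payroll-SaaS", "kind": "saas", "data_sensitivity": "sensitive",
     "access": "elevated", "mission_critical": True},
    {"name": "Edge Firewall", "kind": "hardware", "data_sensitivity": "internal",
     "access": "elevated", "mission_critical": True},
    {"name": "Wiki Theme Plugin", "kind": "software", "data_sensitivity": "public",
     "access": "user", "mission_critical": False},
]
PROCUREMENT_EXPORT = [
    {"name": "payroll-saas", "kind": "saas", "data_sensitivity": "sensitive",
     "access": "elevated", "mission_critical": True},
    {"name": "Helpdesk Contractor", "kind": "contractor", "data_sensitivity": "sensitive",
     "access": "elevated", "mission_critical": False},
]

# Rule table (assumed) mapping the raw "kind" a tool reports onto the three
# categories the article defines.
CATEGORY_RULES = {
    "supplier": {"contractor", "integrator", "reseller", "vendor"},
    "product": {"hardware", "software", "appliance", "library"},
    "service": {"saas", "cloud", "api", "managed-service"},
}

# Criticality weights (assumed): data sensitivity, access level, mission importance.
SENSITIVITY_WEIGHT = {"public": 0, "internal": 1, "sensitive": 3}
ACCESS_WEIGHT = {"none": 0, "user": 1, "elevated": 3}
MISSION_WEIGHT = 3


def normalize_name(name):
    """Key used to de-duplicate the same asset across tools (case/hyphen differences)."""
    return " ".join(name.lower().replace("-", " ").split())


def merge_inventory(**sources):
    """Merge several exports into one dict keyed by normalized name, recording
    which sources reported each asset so visibility gaps can be flagged."""
    merged = {}
    for source_name, records in sources.items():
        for rec in records:
            key = normalize_name(rec["name"])
            entry = merged.setdefault(key, {"seen_in": set(), **rec})
            entry["seen_in"].add(source_name)
    return merged


def categorize(record):
    """Apply the rule table; anything unmatched is surfaced for manual review."""
    kind = record.get("kind", "").lower()
    for category, kinds in CATEGORY_RULES.items():
        if kind in kinds:
            return category
    return "unclassified"


def criticality_score(record):
    """Additive score from sensitivity, access and mission importance."""
    score = SENSITIVITY_WEIGHT.get(record.get("data_sensitivity"), 0)
    score += ACCESS_WEIGHT.get(record.get("access"), 0)
    if record.get("mission_critical"):
        score += MISSION_WEIGHT
    return score


def criticality_tier(score):
    """Bucket a score into the tiers a risk assessment would act on (assumed cutoffs)."""
    if score >= 7:
        return "high"
    if score >= 4:
        return "moderate"
    return "low"


def assess(merged, source_count):
    """One assessment row per asset, highest criticality first."""
    rows = []
    for key, rec in merged.items():
        score = criticality_score(rec)
        rows.append({
            "asset": key,
            "category": categorize(rec),
            "score": score,
            "tier": criticality_tier(score),
            # Seen by fewer tools than exist: the inventory disagrees with itself.
            "visibility_gap": len(rec["seen_in"]) < source_count,
        })
    rows.sort(key=lambda r: (-r["score"], r["asset"]))
    return rows


def run_sample():
    merged = merge_inventory(cmdb=CMDB_EXPORT, procurement=PROCUREMENT_EXPORT)
    return assess(merged, source_count=2)


if __name__ == "__main__":
    for row in run_sample():
        print(row)
```

The output is the input to step 3: the tier decides how deep the assessment goes and how often it recurs, while the visibility gap flag feeds back into step 1 as a list of assets one tool knows about and another does not.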