When government agencies begin a discussion on cybersecurity, the focus usually turns to insider threats and malicious attacks, but other risks could compromise security – 190 supply chain risks to be exact. The Cybersecurity and Infrastructure Security Agency recently released a list of recommendations for agencies to follow to secure their tech supply chain.
The report offers agencies 11 factors that should be considered to determine whether a vendor is safe to use, saying federal agencies should only purchase equipment from “original manufacturers or their authorized resellers.”
Recently, DoorDash experienced a supply chain-based data breach that compromised the information of over 4.9 million customers. Similar attacks that affect physical addresses, names, and email addresses could be targeted at government agencies.
“The DoorDash breach highlights the inherent risks in trusting your supply chain partners. It’s critical not only to hold suppliers accountable for meeting minimum data security standards, but also to require transparency and disclosure when incidents occur,” said Mark Orlando, CTO of Cyber Protection Solutions, Raytheon Intelligence, Information and Services.
With breaches becoming a more frequent occurrence, it’s important for agency leaders to take stock of their supply chain partners and vet them for security risks. “This breach is just one more example of how little control end users have over their data once they give it to a vendor or service provider. In the new app economy, vendors routinely outsource business functions in ways that aren’t obvious (or even visible at all) to the end-user,” said Orlando. “Obviously there is much more work to be done to enforce minimum standards for safeguarding payment data and other sensitive personal information.”
CISA officials say the report also covers supply chain threats that can’t be released publicly due to “its sensitive nature.” However, the report does identify multiple supply chain risks that agencies could face today – a valuable resource for leaders who need to evaluate their security hygiene.