Recently, there has been increased awareness of the security vulnerabilities that can reach government agencies through their network of suppliers, vendors and partners, more commonly known as the supply chain. While security discussions often focus on the risks presented by insider threats or on attacks targeting the government's critical infrastructure, the supply chain is itself a highly potent threat vector precisely because it is so large and complex.
So how can government agencies mount an effective defense against this threat?
Jim McConnell, Corporate Security Management leader at Verizon, shared some highly effective strategies that his team has developed to combat threats to the supply chain. “As a complex and decentralized organization, we have a lot in common with federal agencies and our experience in securing our supply chain and working with our customers might prove valuable to our public sector counterparts,” he shared.
Though the idea of a strong supply chain risk management (SCRM) program sounds intimidating, there are established good practices covering the different elements of a digital supply chain. SCRM scoping exercises, contract structures, technology security, shipping and receiving, installation, onsite verification and validation, and network monitoring are a few of the components of supply chain security that need to be accounted for. “By assessing the variety of SCRM elements, an organization can assess risk for each area and limit the threats and increase overall security for an organization or agency,” said Jim.
Within an SCRM program there is a series of subfactors that agency security leaders need to consider. For example, the technology security and services area covers subsections such as financial review, influence of foreign ownership or citizenship, validation of security compliance, managed services, subcontracting, outsourcing, and offshoring. Insight from each of these sub-categories gives a strong view of the security posture of the sources of technology and services, and a better understanding of the scope and opportunities within an organization’s digital supply chain. “Even if a product is manufactured by or services provided by an organization associated with a strategic ally of the United States, vulnerabilities and threats can still exist and still require a tiered level of ongoing security and compliance verification, before, during and after delivery,” said Jim.
The same deep dive to gather knowledge, define terms, and understand connections should be repeated across the other parts of the SCRM program. For example, an agency can stand up an integrity team that conducts post-installation verification and validation, including but not limited to penetration testing and traffic analysis to watch for any anomalous behavior. “Obviously if certain security and compliance anomalies are observed then the equipment or service needs to be mitigated within the timeframe related to the criticality, sensitivity, and mission purpose,” shared Jim. “But, if all testing results are green, this new equipment or service can be passed to the regular security and compliance review cycle (i.e. pen testing) and as always security event monitoring of the technology or service traffic by a SOC monitoring team.”
The recent leak of documents discussing the threats being waged by global actors against U.S. federal agencies, their supply chain, their contractors, and subcontractors in order to obtain national security secrets has made this often-overlooked area of security more important than ever. “It’s time that we had a clear understanding of the threat environment and appreciate how interconnected it is with the digital supply chain,” said Jim. “Once we have this more comprehensive picture of one’s supply chain, we can pool our skills and resources and work together. With this foundation in place we will be in a better position to mitigate the mission security battles and better protect mission-critical assets.”