Over the past few years, the attack surface has drastically changed for agencies. From mobile devices to solutions added to agency networks by outside providers, there are simply more ways for agencies to be infiltrated by bad actors. Supply chain attacks occur when attackers penetrate the system through outside providers. With the amount of sensitive data providers have access to through services, this has become one of the most prominent issues facing agency security today.
The National Institute of Standards and Technology (NIST) suggests two principles to improve supply chain security: develop your defenses on the assumption that your systems will be breached, and understand that cybersecurity is never just a technology problem; it is a people, processes, and knowledge problem. Jay Gazlay, Technical Strategist for the Cybersecurity and Infrastructure Security Agency in the Department of Homeland Security, Robert Morgus, Senior Director at the U.S. Cyberspace Solarium Commission, and Tim Brown, Chief Information Security Officer and Vice President of Security at SolarWinds, expanded on the risks of supply chain attacks in a recent webinar and provided the following insights on how agencies can keep pace with today’s expanding threats.
First, agencies need to ensure that they and their vendors have shared cybersecurity standards in place and regularly reassess them. By doing so, agencies can find vulnerabilities and quickly patch the issues. Brown emphasized the importance of agencies gauging their own security and evaluating their supply chain risk. In following NIST’s guidance on supply chain risk management, agencies can use approved FedRAMP- and FISMA-compliant products and solutions. Additionally, through vendor questionnaires and testing, agencies can establish standards and models for the services they consume.
Further, when agencies assess their supply chain risks, they must ask themselves how much risk they are comfortable assuming. Morgus argued that the deciding factor is the agency’s level of maturity. He explained that a less mature agency with less robust internal capabilities will use commercial software because it is the safer option, whereas a more mature agency confident in its abilities might choose to build its own software instead of partnering with a third-party vendor.
Additionally, while a fully secured supply chain may seem impossible, there are ways to make changes that add security. For Gazlay, a more secure supply chain will “require a concentrated effort on behalf of industry partners and the federal government” to diminish supply chain risks. It may take years to gather information, lay a foundation, and create policy before agencies can fully understand the risks in their supply chain.
The likelihood of a supply chain attack on an agency is growing. Agencies must figure out ways to manage the growing attack surface, and vendors must secure their services and quickly patch vulnerabilities when issues arise. By working together, agencies and vendors will be able to integrate software successfully and defend against attackers.