Supply chain risks go far beyond fake parts

Software as a service brings new concerns, particularly in critical infrastructure.


Concerns over the government's IT supply chain have typically centered on issues like counterfeit parts or defective materials. But there's a "soft underbelly" to supply chain vulnerabilities, and it is becoming more critical as agencies increasingly purchase managed services, often delivered as software. Officials warn that this risk is especially acute in critical infrastructure, where reliance on cyber systems is growing and increasingly interconnected.

Cloud services, software as a service and service-oriented architecture allow the government to get out of businesses that are not core competencies. But they also allow agencies to believe they are handing over security responsibilities to outside providers, according to Joe Jarzombek, director for software assurance within the Department of Homeland Security's Office of Cyber Security and Communications.

"If you don't think we were paying attention to software security when we were actually purchasing software, what's the likelihood you're going to be paying attention when you're procuring it in services?" Jarzombek asked at a May 8 industry event in Arlington, Va. "Not only have we taken our hands off the steering wheel, in most instances agencies have taken their eyes off the road."

A complex, global IT supply chain, uncertainties over security responsibilities and a problem that is new enough to lack well-established guidelines all make it difficult for agency managers to get supply chain security right.

"It’s a very nascent discipline – where we are in the [information and communications technology] supply chain area now is where we were in the logistics supply chain 15 years ago," said Jon Boyens, senior advisor for information security at the National Institute of Standards and Technology. "If anybody claims to be a supply chain expert in ICT, that's a red flag."

The problem requires a unique collaboration, particularly when it comes to securing critical infrastructure in the digital era, Jarzombek noted.

"You look at the nation's critical infrastructure, and everyone relies on it...but the government does not own or operate it. Therein lies the collaboration needs," Jarzombek said. "But it's not just about the physical critical infrastructure, the power plants, the manufacturing capabilities; that's just what you see. Our cyber infrastructure is what runs it and enables it and controls it, and if you peel back the layers of the onion, you see how much software is a high-risk component for our nation's critical infrastructure."

Efforts to mitigate the problem are underway, however.

For one, there are the evolving guidelines and standards the government issues on a regular basis, including those from NIST. The agency updated its Interagency Report 7622 last year to distill its recommendations. Special Publication 800-53 Revision 4, released April 30, also includes supply chain references. Both publications are part of ongoing NIST efforts in supply chain security, Boyens noted.

"We're trying to find what's feasible, what's cost effective, what's practical. From a government perspective, we could blue-sky...but it ultimately comes down to how much does it cost, and how secure does it make me?" Boyens said. "This is a gap area that needs to be filled. Hopefully five to 10 years from now....we won't be talking about supply chain; hopefully it will be integrated into standard security."

To get there, guidelines are important, Jarzombek said, but it's also about going above and beyond what the government recommends and doing what is right for a specific organization and its distinct requirements.

An early step is understanding the risk management responsibilities – and it may not be the same kind of risk management that other areas require, he pointed out. It also is important to know how to write security requirements into contracts and to institute program protection planning.

In March 2013, DHS developed an updated software assurance competency model to help assess software security, offer relevant guidance, and aid in software security training, professional development, certification and licensing. The agency also has created a series of software assurance pocket guides focused on acquisition and outsourcing, secure development and lifecycle support, Jarzombek noted. Both efforts are part of comprehensive protection planning, but cannot stand alone.

"The point is we have to do more; we have to understand what's happening in supply chain," he said. Simply following government-issued guidelines is "like padlocking a screen door."
