Following the SolarWinds attack in December of 2020, regulators have been pushing for stricter supply chain risk management (SCRM) practices across federal organizations, beginning with a list of recommendations from the Government Accountability Office (GAO). But since the publication of this list, it has become clear that agencies are struggling to comply in a timely way.
In response, the White House issued an executive order in May which requires all government agencies to tighten up their software supply chain, and it couldn’t have come at a better time. Supply chain attacks have increased at an alarming rate, rising by 42% in the first quarter of 2021 and 19% in Q2.
Soon, the National Institute of Standards and Technology (NIST) will release new SCRM regulations affecting cleared contractors and facility security officers (FSOs). In advance, we will revisit the topic of supply chain risk, how it threatens cleared organizations, and how you can defend against it.
What is Supply Chain Risk?
Each cleared organization depends on hundreds of third-party software vendors to achieve their mission, from tax planning and productivity tools to advanced enterprise and security suites. The software supply chain encompasses web servers and databases, cloud applications and software firewalls.
During a software supply chain attack, malicious actors compromise one of your third-party vendors to reach your systems and data. Even in organizations with world-class cybersecurity, a single vulnerability in the software supply chain can be the weak link in a chain that leads to data breaches, ransomware attacks and worse.
To compromise organizations through third-party software, attackers employ a variety of techniques from malware infection and brute force attacks to social engineering and exploitation of vulnerable configurations. In some cases, attackers can harm an organization by simply rendering software inoperable, leading to service failure and loss of protection.
Impact of Supply Chain Attacks
By now, the impact of the SolarWinds attack is well-understood, exposing data from 9 federal agencies and at least 18,000 other organizations. Other supply chain attacks include NotPetya, which compromised power plants, financial institutions and public transportation infrastructure through fake updates to a popular accounting tool in 2017. In July of this year, IT solutions provider Kaseya was compromised in a scheme that hit 800 – 1500 of its customers with ransomware.
In general, there is nothing malicious actors can accomplish through a direct cyberattack which they cannot also accomplish through a supply chain attack. In fact, the software supply chain makes it easier for attackers to compromise highly secure organizations like government agencies, big tech companies and federal contractors.
The possibility of stolen intellectual property (IP), personally identifiable information (PII) and classified or controlled unclassified information (CUI) makes supply chain attacks a special concern for FSOs and other security officers. Other potential risks include:
- Expensive ransom payouts
- Espionage against organization and personnel
- Disruption of mission operations
- Critical infrastructure sabotage
- Compromised national security
In 2021, legislation that addresses supply chain risk is ramping up. The GAO first warned of supply chain vulnerabilities in 2012. It did so again in 2018, and – following the SolarWinds attack in December – it followed up with 145 security recommendations to 23 organizations, aimed at preventing a similar attack in the near future.
But five months later, in May, the GAO issued a report showing that “none of 23 reviewed agencies had fully adopted identified practices to reduce supply chain risks”. Consequently, the White House issued Executive Order (EO) 14028 in the same month, titled ‘Executive Order on Improving the Nation’s Cybersecurity’.
As a consequence of EO 14028, government agencies are directed to implement better software supply chain protection. Furthermore, NIST is required to release new SCRM guidelines in November of this year with further guidelines in May of 2022. But while federal organizations await these guidelines, they must do everything they can do to prepare and defend themselves in the meantime.
How to Protect Your Organization
In a past blog post, we made SCRM recommendations based on the NIST risk management framework (RMF) and special publication (SP) 800-161. Many of these recommendations remain effective – for instance, ensuring business integrity, avoiding end-of-life (EOL) products and diversifying your vendor portfolio are still good ways to reduce supply chain risk.
However, upcoming NIST legislations will likely follow in the footsteps of the GAO recommendations made in December of last year, which ware based on six “foundational processes” that we will explain and summarize here. First, the term “
- Establish executive oversight – a C-level officer or group of C-level officers should be responsible for overseeing SCRM activities; the chief information security officer (CISO) chief security officer (CSO) are good fits.
- Develop an agency-wide strategy – just like organizations have high-level cybersecurity strategy encompassing all agencies, departments and personnel, they should develop one for SCRM.
- Establish a process to conduct agency-wide assessments – from time to time organizations should review their vendor and Information, Communications and Technology (ICT) portfolio for security concerns.
- Establish a process for review of potential vendors – before adopting a new product or service, organizations should evaluate the vendor for trustworthiness and good security practices.
- Develop SCRM requirements for suppliers – determine the minimum standard for data encryption, authentication and other security controls for each product.
- Develop organizational procedures to detect bad ICT – in time, even secure products can be compromised, or organizations may acquire a counterfeit version of real software. Develop a method to detect such cases during an agency-wide review.
For the fuller context behind these recommendations, see the GAO’s full report: Federal Agencies Need to Take Urgent Action to Manage Supply Chain Risks.
Your Enterprise Security Partner
To keep their organizations safe, FSOs and other security officers must stay informed on emerging threats. Today, the intersection between facility security and advanced cyber actors is expanding with every year: cyber threats drive insider threats, while supply chain risks threaten cleared personnel and sensitive information.
MathCraft’s Enterprise Security Suite is always updated for compliance with the latest federal security legislation, with modules to manage insider threats, continuous evaluation (CE), foreign travel and much more. Through our blog and quarterly newsletter, we keep our customers informed on the state of the industry and help them to achieve their mission.
Contact us today for a free demo!