Federal Agencies Struggle With Protecting IT Supply Chain
"The use of acquisition and procurement processes by organizations early in the system development life cycle provides an important vehicle to protect the supply chain," said Jon Boyens, senior advisor for information security at NIST. "Organizations use the acquisition and procurement step to require supply chain entities to implement necessary safeguards and countermeasures to protect information systems, including system components and services, prior to taking delivery."
Managers of information technology systems in both the private and public sectors have had their hands full dealing with security breaches that come from hackers invading IT systems. Increasingly, however, IT systems are becoming vulnerable from another channel -- the actual supply chain sources of both hardware equipment and software programs.
Federal agencies are just as vulnerable as commercial enterprises to supply chain security breaches, and perhaps are even more sensitive to such vulnerabilities given the nature of government information involving everything from taxpayer data to national security data.
"Reliance on a global supply chain introduces multiple risks to federal information systems," the General Accountability Office said in March report that examined supply chain risks at four agencies dealing with national security issues.
"The exploitation of information technology products and services through the global supply chain is an emerging threat that could degrade the confidentiality, integrity, and availability of critical and sensitive agency networks and data," GAO said.
"Federal agency information systems are increasingly at risk of both intentional and unintentional supply chain compromise due to the growing sophistication of information and communications technologies and the growing speed and scale of a complex, distributed global supply chain," the National Institute of Standards (NIST) said in a recent draft guidance document covering all federal agencies.
Federal Situation 'Troubling'
As the potential for supply chain breaches has increased, federal agencies are struggling to deal with vulnerabilities.
"Federal departments and agencies currently have neither a consistent nor comprehensive way of understanding the often opaque processes and practices used to create and deliver hardware and software products and services that are contracted out, especially beyond the prime contractor," said NIST.
"Clearly defined security measures with comprehensive implementing procedures are necessary and vital to the protection of federal IT," said Rep. Cliff Stearns, R-Fla., at a March 27 hearing on the GAO report.
"There appears to be no integrated response amongst the federal IT enterprise to address supply chain risks," Stearns said. "Agencies are left to their own devices to address this risky and complex threat. I find this troubling."
GAO found that four national security-related departments -- the Departments of Energy, Homeland Security, Justice, and Defense -- have acknowledged these threats. However, Energy and Homeland Security have not yet defined IT supply chain protection measures and are not in a position to implement procedures or monitoring capabilities to verify compliance with -- or the effectiveness of -- any such measures.
The Justice Department has identified supply chain protection measures, but has not developed procedures for implementing or monitoring compliance with a supply chain protection program.
Until comprehensive policies, procedures and monitoring capabilities are developed, documented and implemented, it is more likely that these departments will rely on security measures that are inadequate, ineffective, or inefficient to manage emergent information technology supply chain risks, GAO concluded.
In contrast, GAO found that the Defense Department has made greater progress through its incremental approach to supply chain risk management. The department has defined supply chain protection measures and adopted procedures for implementing and monitoring them.
"We found that the Defense Department took a more holistic approach and included the contracting and acquisition process, the user program people, and the IT staff in addressing supply chain risk," Gregory Wilshusen, director of information security issues at GAO, told CRM Buyer.
Energy and Homeland Security should develop a policy that defines which security measures should be employed to protect against supply chain threats; adopt implementation procedures; and then monitor compliance and effectiveness of the policy, GAO urged.
The Justice Department needs to concentrate on the last two recommendations, GAO said.
Vendor Connections Essential
One reason for the deficiencies is that supply chain vulnerabilities haven't appeared as risky as the hacker phenomenon.
"This is still a relatively emerging threat situation which is evidenced by several recent update publications from NIST on this issue," Wilshusen said.
Also, government agencies are encouraged to use commercial off-the-shelf technologies (COTS) rather than customized products, and are thus exposed to vulnerabilities. In addition to security issues, supply chain risks include counterfeiting and normal quality control standards, Wilshusen noted.
While federal agencies need to improve both the risk analysis and remedies for breaches, suppliers themselves will need to participate in developing solutions to the threat.
"It's clear that the agencies can't do this by themselves. Collaboration in some manner is necessary, including contracting and other forms," Wilshusen said.
NIST takes a comprehensive approach to the supply chain security issue. NIST's guidance provides several recommendations for agencies, including the use of consistent, repeatable security processes; providing adequate resources and funding; and incorporating a robust supply chain incident-management program.
NIST also advised federal agencies to develop contingency plans that involve multiple supply chains and to actively manage suppliers through contracts and service level agreements (SLAs).
Acquisition Process Is Critical
Still, end users are limited as to how far back they can realistically go in monitoring the supply chain. That makes the procurement-and-contracting process a critical step.
"The use of acquisition and procurement processes by organizations early in the system development life cycle provides an important vehicle to protect the supply chain," Jon Boyens, senior advisor for information security at NIST, told CRM Buyer.
"Organizations use the acquisition and procurement step to require supply chain entities to implement necessary safeguards and countermeasures to protect information systems, including system components and services, prior to taking delivery," he said.
One potential forum for collaboration among federal agencies and the commercial sector is through The Open Group, a consortium of business and government organizations involved in setting IT standards, including a supply chain security protocol.
At the March 27 Congressional hearing, the group revealed it had just released best practices guidance similar to the NIST supply chain effort.
The Open Group's Trusted Technology Provider Standard (O-TTPS) "provides organizational commercial best practices that, when properly adhered to, will enhance the security of the global supply chain and the integrity of COTS information and communication technology products," David Lounsbury, chief technology officer for The Open Group, said at the hearing.
"We have cooperated with NIST, and we will continue to work with that agency and others to harmonize these approaches to supply chain security," Lounsbury told CRM Buyer.
"We work closely with suppliers of IT components, as well as users such as governments. One objective we have is to address this collaboratively rather than on a piecemeal basis," he said.
NIST is hoping to generate more feedback from commercial firms and federal officials in response to the draft guidance, "Notional Supply Chain Risk Management Practices for Federal Information Systems." The deadline for comment is May 11, 2012.