September 17, 2012 By Peter Allor 3 min read

Supply chain security is something the federal government should be good at, right? After all, they know how to secure borders, to secure ‘lines of communication’ and buildings.

Isn’t it just a matter of the three G’s: guns, gates and guards; or of ships, planes and soldiers? Not really.

Why is supply chain security so different from IT?

So why is supply chain security so different for information technology (IT)? There are several reasons.

First of all, for IT there is a global economy at work here.  Nearly all IT firms work a supply chain that is made up of hardware components manufactured around the world and then assembled into a final product in yet another country prior to being shipped and delivered to the end user.

And somewhere in that chain, a set of instructions, whether it is firmware, bios or software, is also installed.  Staying with the hardware form factor of this chain, we can already see that you can have problems inserted into the chain in many places.

For the software form factor, you are dealing with an intangible form in that you do not necessarily ‘ship’ the code from one location to another in a physical form.  But much like the hardware side of the equation, many elements of the code are built by teams around the world.

The key element is knowing who is checking in code and what the review process is.  Working with the IT Sector Coordinating Council, I know that many in the federal government have not had the experience of understanding that software is different from hardware, even with the same vendors they have dealt with for years.  It is simply a different experience and not in the usual frame of reference.  If you have not discussed this with one of your vendors, I would suggest that is something you should consider doing and one that a vendor would welcome.

Is this an impossible task?

I mean, if the supply chain is so far flung and so varied, is there any modicum of control?  After all, we have read reports of a major IT vendor working through the courts to take over a domain inhabited by ‘hackers’ who were inserting pirated and counterfeit software replete with malware installed into the supply chain.

Yes, you can have control of you supply chain but it takes planning and instituting a process to gain that control.  Much like a program to secure borders, convoys, or sea lines of communication, you must understand what you are protecting, that it has a series of access points that are monitored and that you have inserted quality assurance points to verify your goods.

Some of these points are under your direct control.  You own the chain and you are assuring your supply.  However, others produce the larger portion of what you are bringing in per your specifications.  Here you need to extend the boundaries of your supply chain by setting up indirect controls through other means.  Your suppliers now become part of your supply chain and you should make it part of your contracting so that you are assured they understand specifically what you require in that chain.

The contracting officer is as responsible for as much of the security of your supply chain as the IT security manager is in assuring you are protected.  But in the case of the contracting officer, he is using the contract as a means to enroll the supplier in that assurance all the way back to not only manufacturing, but also the components with their vendors and then back to the design of that product.

For a federal department or agency, you are looking for a supplier and vendor to contractually demonstrate that the chain is secure, the components are secure, as well as the design is architecturally designed to be secure.  With all of that work, you are asking for qualitative reviews and certifications that the acquired software, hardware or appliance is meeting the full range of supply chain assurance to meet your risk profile.

You can see from this simple outline that there is more to securing a supply chain than adding the three G’s.  It is about establishing a relationship with your suppliers and vendors; learning how they bring software together or assemble an appliance; and knowing they are standing behind their product with a score of their suppliers as well.  You have to know your risk tolerance and what you are trying to provide as a service in order to know the level of protection you need of your supply chain.

And you need to understand that everything in information technology has connectivity and is doing something with or to data and that, at the end of the day, we are all looking to the data to record or change an intended outcome.

More from Government

Government cybersecurity in 2025: Former Principal Deputy National Cyber Director weighs in

4 min read - As 2024 comes to an end, it’s time to look ahead to the state of public cybersecurity in 2025.The good news is this: Cybersecurity will be an ongoing concern for the government regardless of the party in power, as many current cybersecurity initiatives are bipartisan. But what will government cybersecurity look like in 2025?Will the country be better off than they are today? What are the positive signs that could signal a good year for national cybersecurity? And what threats should…

CIRCIA feedback update: Critical infrastructure providers weigh in on NPRM

3 min read - In 2022, the Cyber Incident for Reporting Critical Infrastructure Act (CIRCIA) went into effect. According to Secretary of Homeland Security Alejandro N. Mayorkas, "CIRCIA enhances our ability to spot trends, render assistance to victims of cyber incidents and quickly share information with other potential victims, driving cyber risk reduction across all critical infrastructure sectors."While the law itself is on the books, the reporting requirements for covered entities won't come into force until CISA completes its rulemaking process. As part of…

Important details about CIRCIA ransomware reporting

4 min read - In March 2022, the Biden Administration signed into law the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (CIRCIA). This landmark legislation tasks the Cybersecurity and Infrastructure Security Agency (CISA) to develop and implement regulations requiring covered entities to report covered cyber incidents and ransomware payments.The CIRCIA incident reports are meant to enable CISA to:Rapidly deploy resources and render assistance to victims suffering attacksAnalyze incoming reporting across sectors to spot trendsQuickly share information with network defenders to warn other…

Topic updates

Get email updates and stay ahead of the latest threats to the security landscape, thought leadership and research.
Subscribe today