September 17, 2012 By Peter Allor 3 min read

Supply chain security is something the federal government should be good at, right? After all, it knows how to secure borders, ‘lines of communication’ and buildings.

Isn’t it just a matter of the three G’s: guns, gates and guards; or of ships, planes and soldiers? Not really.

Why is supply chain security so different for IT?

So why is supply chain security so different for information technology (IT)? There are several reasons.

First of all, IT is a global economy. Nearly all IT firms work a supply chain made up of hardware components manufactured around the world and then assembled into a final product in yet another country before being shipped and delivered to the end user.

And somewhere in that chain, a set of instructions, whether firmware, BIOS or software, is also installed. Staying with the hardware form of this chain, we can already see that problems can be inserted into the chain at many points.

For the software form, you are dealing with something intangible: you do not necessarily ‘ship’ the code from one location to another in physical form. But much like the hardware side of the equation, many elements of the code are built by teams around the world.

The key element is knowing who is checking in code and what the review process is. Working with the IT Sector Coordinating Council, I know that many in the federal government have not had the experience of understanding that software is different from hardware, even with the same vendors they have dealt with for years. It is simply a different experience and not in the usual frame of reference. If you have not discussed this with one of your vendors, I would suggest that is something you should consider doing, and one that a vendor would welcome.

Is this an impossible task?

I mean, if the supply chain is so far-flung and so varied, is there any modicum of control? After all, we have read reports of a major IT vendor working through the courts to take over a domain inhabited by ‘hackers’ who were inserting pirated and counterfeit software, replete with malware, into the supply chain.

Yes, you can have control of your supply chain, but it takes planning and instituting a process to gain that control. Much like a program to secure borders, convoys or sea lines of communication, you must understand what you are protecting, know that it has a series of access points that are monitored, and have inserted quality assurance points to verify your goods.

Some of these points are under your direct control: you own the chain and you are assuring your supply. However, others produce the larger portion of what you are bringing in, built to your specifications. Here you need to extend the boundaries of your supply chain by setting up indirect controls through other means. Your suppliers now become part of your supply chain, and you should make it part of your contracting so that you are assured they understand specifically what you require in that chain.

The contracting officer is as responsible for the security of your supply chain as the IT security manager is for assuring you are protected. But in the case of the contracting officer, the contract is the means to enroll the supplier in that assurance, all the way back not only to manufacturing, but also to the components and their vendors, and then back to the design of that product.

For a federal department or agency, you are looking for a supplier and vendor to contractually demonstrate that the chain is secure, that the components are secure, and that the product is architecturally designed to be secure. With all of that work, you are asking for qualitative reviews and certifications that the acquired software, hardware or appliance meets the full range of supply chain assurance required by your risk profile.

You can see from this simple outline that there is more to securing a supply chain than adding the three G’s. It is about establishing a relationship with your suppliers and vendors; learning how they bring software together or assemble an appliance; and knowing that they, and a score of their own suppliers, are standing behind their product. You have to know your risk tolerance and what service you are trying to provide in order to know the level of protection you need for your supply chain.

And you need to understand that everything in information technology has connectivity and is doing something with or to data, and that, at the end of the day, we are all looking to the data to record or change an intended outcome.
