Supply chain security is something the federal government should be good at, right? After all, they know how to secure borders, to secure ‘lines of communication’ and buildings.
Isn’t it just a matter of the three G’s: guns, gates and guards; or of ships, planes and soldiers? Not really.
Why is supply chain security so different from IT?
So why is supply chain security so different for information technology (IT)? There are several reasons.
First of all, for IT there is a global economy at work here. Nearly all IT firms work a supply chain that is made up of hardware components manufactured around the world and then assembled into a final product in yet another country prior to being shipped and delivered to the end user.
And somewhere in that chain, a set of instructions, whether it is firmware, bios or software, is also installed. Staying with the hardware form factor of this chain, we can already see that you can have problems inserted into the chain in many places.
For the software form factor, you are dealing with an intangible form in that you do not necessarily ‘ship’ the code from one location to another in a physical form. But much like the hardware side of the equation, many elements of the code are built by teams around the world.
The key element is knowing who is checking in code and what the review process is. Working with the IT Sector Coordinating Council, I know that many in the federal government have not had the experience of understanding that software is different from hardware, even with the same vendors they have dealt with for years. It is simply a different experience and not in the usual frame of reference. If you have not discussed this with one of your vendors, I would suggest that is something you should consider doing and one that a vendor would welcome.
Is this an impossible task?
I mean, if the supply chain is so far flung and so varied, is there any modicum of control? After all, we have read reports of a major IT vendor working through the courts to take over a domain inhabited by ‘hackers’ who were inserting pirated and counterfeit software replete with malware installed into the supply chain.
Yes, you can have control of you supply chain but it takes planning and instituting a process to gain that control. Much like a program to secure borders, convoys, or sea lines of communication, you must understand what you are protecting, that it has a series of access points that are monitored and that you have inserted quality assurance points to verify your goods.
Some of these points are under your direct control. You own the chain and you are assuring your supply. However, others produce the larger portion of what you are bringing in per your specifications. Here you need to extend the boundaries of your supply chain by setting up indirect controls through other means. Your suppliers now become part of your supply chain and you should make it part of your contracting so that you are assured they understand specifically what you require in that chain.
The contracting officer is as responsible for as much of the security of your supply chain as the IT security manager is in assuring you are protected. But in the case of the contracting officer, he is using the contract as a means to enroll the supplier in that assurance all the way back to not only manufacturing, but also the components with their vendors and then back to the design of that product.
For a federal department or agency, you are looking for a supplier and vendor to contractually demonstrate that the chain is secure, the components are secure, as well as the design is architecturally designed to be secure. With all of that work, you are asking for qualitative reviews and certifications that the acquired software, hardware or appliance is meeting the full range of supply chain assurance to meet your risk profile.
You can see from this simple outline that there is more to securing a supply chain than adding the three G’s. It is about establishing a relationship with your suppliers and vendors; learning how they bring software together or assemble an appliance; and knowing they are standing behind their product with a score of their suppliers as well. You have to know your risk tolerance and what you are trying to provide as a service in order to know the level of protection you need of your supply chain.
And you need to understand that everything in information technology has connectivity and is doing something with or to data and that, at the end of the day, we are all looking to the data to record or change an intended outcome.