Supply chain security is something the federal government should be good at, right? After all, it knows how to secure borders, ‘lines of communication’ and buildings.

Isn’t it just a matter of the three G’s: guns, gates and guards; or of ships, planes and soldiers? Not really.

Why is supply chain security so different for IT?

So why is supply chain security so different for information technology (IT)? There are several reasons.

First, for IT there is a global economy at work. Nearly all IT firms run a supply chain made up of hardware components manufactured around the world and assembled into a final product in yet another country before being shipped to the end user.

And somewhere in that chain a set of instructions, whether firmware, BIOS or software, is also installed. Looking only at the hardware side of this chain, we can already see that a problem can be inserted at many points.

Software is intangible: you do not necessarily ‘ship’ the code from one location to another in physical form. But much like the hardware side of the equation, many elements of the code are built by teams around the world.

The key element is knowing who is checking in code and what the review process is. Working with the IT Sector Coordinating Council, I know that many in the federal government have not had the experience of understanding that software is different from hardware, even with the same vendors they have dealt with for years. It is simply a different experience and not in the usual frame of reference. If you have not discussed this with one of your vendors, I would suggest that it is something you should consider doing, and one that a vendor would welcome.

Is this an impossible task?

I mean, if the supply chain is so far flung and so varied, is there any modicum of control? After all, we have read reports of a major IT vendor working through the courts to take over a domain used by ‘hackers’ who were inserting pirated and counterfeit software, laden with malware, into the supply chain.

Yes, you can have control of your supply chain, but it takes planning and a process to gain that control. Much like a program to secure borders, convoys or sea lines of communication, you must understand what you are protecting, know its access points and monitor them, and insert quality assurance points to verify your goods.
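One of the quality assurance points described above, in code: an acceptance gate that checks every delivered file against the checksum manifest the supplier published and rejects the delivery on any mismatch, any file the manifest never listed, or any listed file that did not arrive. This is an added example, not code from the original post; the SHA256SUMS-style manifest format, the file names and the sample contents are assumptions constructed for the illustration.

```python
"""Acceptance gate for a software delivery: verify each received file against
the supplier's checksum manifest and refuse anything that does not match,
is not listed, or is missing.  Added example; manifest format, file names and
contents are constructed assumptions, not a real vendor's deliverable."""
import hashlib
import hmac

# Constructed sample delivery: file name -> bytes as "received" from the supplier.
# agent-config.yaml has been altered in transit (update_url points elsewhere)
# and helper.dll is an extra file the manifest never listed.
DELIVERED = {
    "agent-installer.bin": b"\x7fELF...pretend installer payload v1.4.2",
    "agent-config.yaml": b"log_level: info\nupdate_url: https://updates.example.invalid/\n",
    "helper.dll": b"MZ...an extra file the manifest never listed",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


# What the supplier actually built.  The manifest is derived from these bytes so
# the example is self-contained; in practice it arrives out-of-band (signed
# release page, contract deliverable), never alongside the download it vouches for.
EXPECTED_INSTALLER = DELIVERED["agent-installer.bin"]
EXPECTED_CONFIG = b"log_level: info\nupdate_url: https://updates.example.com/\n"
MANIFEST = (
    "# sha256sum-style manifest: <hex digest>  <file name>\n"
    f"{sha256_hex(EXPECTED_INSTALLER)}  agent-installer.bin\n"
    f"{sha256_hex(EXPECTED_CONFIG)} *agent-config.yaml\n"   # '*' = binary mode marker
)


def parse_manifest(text: str) -> dict:
    """Return {file name: expected hex digest}; reject malformed lines loudly."""
    expected = {}
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        if len(parts) != 2 or len(parts[0]) != 64:
            raise ValueError(f"manifest line {lineno} malformed: {line!r}")
        digest, name = parts
        expected[name.lstrip("*")] = digest.lower()
    return expected


def verify_delivery(delivered: dict, manifest_text: str) -> dict:
    """Classify every file as ok / mismatch / unlisted, and list manifest entries
    that never arrived under 'missing'."""
    expected = parse_manifest(manifest_text)
    report = {"ok": [], "mismatch": [], "unlisted": [], "missing": []}
    for name, data in delivered.items():
        if name not in expected:
            report["unlisted"].append(name)
        elif hmac.compare_digest(sha256_hex(data), expected[name]):
            report["ok"].append(name)
        else:
            report["mismatch"].append(name)
    report["missing"] = sorted(set(expected) - set(delivered))
    return report


def accept(report: dict) -> bool:
    """The gate: anything other than a fully matching, fully listed delivery fails."""
    return not (report["mismatch"] or report["unlisted"] or report["missing"])


if __name__ == "__main__":
    result = verify_delivery(DELIVERED, MANIFEST)
    for category, names in result.items():
        print(f"{category:9}: {names}")
    print("ACCEPT" if accept(result) else "REJECT delivery")
```

The point of the gate is that a single unexpected file is as disqualifying as a corrupted one: an extra binary in the box is exactly the insertion the post warns about, and a hash manifest obtained through the same channel as the download only proves the download arrived intact, not that it is what the supplier built.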

Some of these points are under your direct control: you own that part of the chain and you are assuring your own supply. However, others produce the larger portion of what you bring in, built to your specifications. Here you need to extend the boundaries of your supply chain by setting up indirect controls. Your suppliers now become part of your supply chain, and you should make it part of your contracting so that you are assured they understand specifically what you require in that chain.

The contracting officer is as responsible for the security of your supply chain as the IT security manager is for assuring you are protected. But the contracting officer uses the contract as the means to enroll the supplier in that assurance, all the way back not only to manufacturing, but to the components and their vendors, and then back to the design of the product itself.

For a federal department or agency, you are looking for a supplier and vendor to demonstrate contractually that the chain is secure, that the components are secure, and that the product is designed to be secure. On top of that, you are asking for qualitative reviews and certifications that the acquired software, hardware or appliance meets the full range of supply chain assurance your risk profile requires.

You can see from this simple outline that there is more to securing a supply chain than adding the three G’s. It is about establishing a relationship with your suppliers and vendors; learning how they bring software together or assemble an appliance; and knowing that they stand behind their product, and that their own many suppliers do as well. You have to know your risk tolerance and what service you are trying to provide in order to know the level of protection you need for your supply chain.

And you need to understand that everything in information technology is connected and is doing something with or to data, and that, at the end of the day, we all look to the data to record or change an intended outcome.
