The number of cyberattacks increased globally over the last 12 months due to the shift towards remote operations throughout the COVID-19 pandemic. Not only have businesses and organizations come under increasing attack, but so have national governments, including that of the United States. One prominent example was the Sunburst attack, where hackers compromised the security software of SolarWinds, a federal cybersecurity contractor. While this attack shone a spotlight on the importance of federal supply chain risk management, there has long been recognition that the supply chain represents a ‘soft underbelly’ for the US government from a cybersecurity perspective.
The Sunburst cybersecurity attack saw 18,000 customers install updates of SolarWinds software that left them vulnerable to hackers, including Fortune 500 companies, the DoD, the Department of Homeland Security, and the Treasury. This breach illustrates a clear, critical need to improve and enhance cybersecurity, cyber resilience, and the overall security of the supply chain for the United States government.
Under the new Biden presidency, SCRM has been a key consideration from the outset. Less than a month into the new administration, the White House released Executive Order, titled ‘America’s Supply Chains’, which called for a comprehensive review of US supply chains to identify vulnerabilities and risks to help organizations manage any potential threats or future disruptions. This focused on six primary sectors: agriculture, communications and information technology, defense, energy and power, public health, and transportation.
Subsequently, in May 2021, the Biden administration published another cybersecurity-focused Executive Order, entitled ‘Improving the Nation’s Cybersecurity’. It outlined that the US government seeks to address the growing SCRM challenge by improving the security of software sold to the government, as well as seeking to maximize the early detection of cybersecurity vulnerabilities and incidents on federal networks. While it's critical to address cybersecurity practices and risk management from the top-down, it takes a collaborative approach to SCRM. So, this latest EO outlines key cybersecurity objectives and issues a call to arms across government, academia and the cybersecurity industry.
The May 2021 Executive Order has also introduced several strategies to modernize and strengthen cybersecurity defenses, including:
- Moving towards secure cloud-based services and a zero-trust architecture
- Creating cybersecurity event log requirements for federal departments and agencies
- Implementing multi-factor authentication and encryption
- Establishing a Cybersecurity Safety Review Board
- Creating a standardized playbook and set of definitions for cyber incident response by federal departments and agencies
- Improving information-sharing between the US government and the private sector
Government, academia, and industry – referred to by Dr. Ron Ross as the “essential partnership” – must continue to work together to deliver the EO’s outcomes and achieve common goals and objectives. Indeed, collaboration is foundational to this success and will be required to defeat today’s threats, which are well-funded and orchestrated by nation states.
For its part, the National Institute of Standards and Technology (NIST) is continuing to develop and enhance security controls and requirements for the federal supply chain. For example, in February 2021, NIST released its Special Publication 800-172 which builds upon NIST SP 800-171 and applies to federal contractors that handle Controlled Unclassified Information (CUI) on their networks. With 33 enhanced requirements, NIST SP 800-172 is timely and provides the foundation for multi-dimensional cyber defense within contractors’ IT networks. It aims to protect the confidentiality, integrity, and security of CUI in non-federal systems and organizations that are associated with critical government programs or high-value federal assets. Risk Management Frameworks (RMFs), including the Cybersecurity Maturity Model Certification (CMMC) that was officially introduced in January 2020 for the DoD supply chain, incorporates NIST SP 800-171 and much of NIST SP 800-172.
The human element will remain vital to ensuring that these cyber hygiene standards, and the accurate assessment of the federal supply chain’s compliance with them, are correctly applied and monitored in support of SCRM. However, automation of these security and compliance assessments remains key – especially as our adversaries are leveraging such technology against us. As humans, we simply cannot do this alone. Using intelligent technology can help to secure organizations by identifying vulnerabilities at an early stage to help mitigate risk and ensure ongoing compliance/ATO. This is where tools such as Titania Nipper prove critical by accurately discovering vulnerabilities in firewalls, switches, and routers while providing exact fixes when issues are identified.
For more discussion on this watch our on-demand panel discussion on the importance of cybersecurity standards in advancing supply chain risk management.
- Dr. Ron Ross, NIST fellow, and principal architect of the NIST Risk Management Framework
- John Weiler, Co-Founder, IT Acquisition Advisory Council, SCRM CoE, and Information Technology Management, Solution Engineering and Architecture expert
- Phil Lewis, CEO of Titania
- Matt Malarkey, Co-chair of the CMMC CoE Supply Chain Working Group
Government, academia, and industry – referred to by Dr. Ron Ross as the “essential partnership” – must continue to work together to deliver the EO’s outcomes and achieve common goals and objectives.
Indeed, collaboration is foundational to this success and will be required to defeat today’s threats, which are well-funded and orchestrated by nation states.