September 17, 2012 By Peter Allor 3 min read

Supply chain security is something the federal government should be good at, right? After all, they know how to secure borders, to secure ‘lines of communication’ and buildings.

Isn’t it just a matter of the three G’s: guns, gates and guards; or of ships, planes and soldiers? Not really.

Why is supply chain security so different from IT?

So why is supply chain security so different for information technology (IT)? There are several reasons.

First of all, for IT there is a global economy at work. Nearly all IT firms work a supply chain made up of hardware components manufactured around the world and then assembled into a final product in yet another country before being shipped and delivered to the end user.

And somewhere in that chain, a set of instructions, whether firmware, BIOS or software, is also installed. Staying with the hardware form factor of this chain, we can already see that problems can be inserted into the chain in many places.

For the software form factor, you are dealing with something intangible: you do not necessarily ‘ship’ the code from one location to another in physical form. But much like the hardware side of the equation, many elements of the code are built by teams around the world.

The key element is knowing who is checking in code and what the review process is. Working with the IT Sector Coordinating Council, I know that many in the federal government have not had the experience of understanding that software is different from hardware, even with the same vendors they have dealt with for years. It is simply a different experience and not in the usual frame of reference. If you have not discussed this with one of your vendors, I would suggest it is something you should consider doing, and something a vendor would welcome.

Is this an impossible task?

I mean, if the supply chain is so far-flung and so varied, is there any modicum of control? After all, we have read reports of a major IT vendor working through the courts to take over a domain inhabited by ‘hackers’ who were inserting pirated and counterfeit software, replete with installed malware, into the supply chain.

Yes, you can have control of your supply chain, but it takes planning and instituting a process to gain that control. Much like a program to secure borders, convoys or sea lines of communication, you must understand what you are protecting, know that it has a series of access points that are monitored, and have inserted quality assurance points to verify your goods.

Some of these points are under your direct control: you own the chain and you are assuring your supply. However, others produce the larger portion of what you are bringing in per your specifications. Here you need to extend the boundaries of your supply chain by setting up indirect controls through other means. Your suppliers now become part of your supply chain, and you should make it part of your contracting so that you are assured they understand specifically what you require in that chain.

The contracting officer is as responsible for the security of your supply chain as the IT security manager is for assuring you are protected. But in the case of the contracting officer, he is using the contract as a means to enroll the supplier in that assurance all the way back, not only to manufacturing, but also to the components and their vendors, and then back to the design of that product.

For a federal department or agency, you are looking for a supplier and vendor to contractually demonstrate that the chain is secure, that the components are secure, and that the design is architected to be secure. With all of that work, you are asking for qualitative reviews and certifications that the acquired software, hardware or appliance meets the full range of supply chain assurance required by your risk profile.

You can see from this simple outline that there is more to securing a supply chain than adding the three G’s. It is about establishing a relationship with your suppliers and vendors; learning how they bring software together or assemble an appliance; and knowing they are standing behind their product, along with the score of suppliers behind them. You have to know your risk tolerance and what you are trying to provide as a service in order to know the level of protection you need for your supply chain.

And you need to understand that everything in information technology has connectivity and is doing something with or to data and that, at the end of the day, we are all looking to the data to record or change an intended outcome.
