The federal government’s most visible effort in IT supply-chain security over the past two years has been to ban purchases of Huawei, Kaspersky and ZTE products by government agencies, in an effort to prevent cyber espionage by state-sponsored actors. That effort is well intentioned – but the intense focus on a small number of companies may have obscured wider threats to the federal government through its supply chain.
Consider that federal agencies buy products and services via massive government contracts awarded to prime contractors, which team with multiple subcontractors. All of these entities have their own supply chains and information systems, which are connected to tens or hundreds of product and service providers – often globally. A breach in one vendor’s supply chain – a routine software update that installs malware, a rogue component added during manufacturing, a worm siphoning data – could affect not only the vendor’s operations, but also the operations of its business partners and its customers.
While no government supplier is immune from attack, the largest contractors have robust global supply chain security programs that span their own operations, as well as their suppliers and partners. Many other contractors, however, have not invested adequate funds and expertise in monitoring and securing their supply chains.
Resellers may be the weakest link. Many don’t have adequate resources; some don’t understand the threat universe and its implications. In some cases, the reseller is two guys in a garage who may lack necessary knowledge of both procurement regulations and security vulnerabilities; the barrier of entry to the federal market is low. Regardless of company size, the reseller channel is the last mile in federal supply chains, connecting original equipment manufacturers (OEMs) to end-user customers: agencies and individuals. Any compromise of a reseller’s supply chain is certain to be magnified.
Some contractors may have a false sense of security, believing that compliance with the Trade Agreements Act (TAA) protects them from supply chain risks, because the TAA requires contractors to provide agencies with products that are manufactured or “substantially transformed” in the United States or a TAA-designated country. TAA compliance isn’t enough, though, because it doesn’t eliminate the possibility that a product or component could be tampered with during its journey along the supply chain.
In addition, resellers face significant economic pressure. Lowest price technically acceptable (LPTA) contract awards often drive poor behavior, creating the temptation and economic incentive for resellers to obtain products from less reputable or tainted sources that don’t meet federal guidelines or sell without original equipment manufacturer (OEM) authorization. In some cases, authorized resellers will mix counterfeit products with genuine articles.
Bad actors are familiar with these gaps in security and eager to exploit them. They know that targeting the reseller channel is one of the simplest and easiest ways to disrupt the supply chain. Once they find a gap, a global network of potential exploits unfolds.
Improving federal IT supply chain security is shared, public-private responsibility. Many efforts are underway to understand the scope of the problem and define both guidance and requirements for purchasing agencies and their vendors.
Government agencies and industry are collaborating to secure federal supply chains through the Cybersecurity and Infrastructure Security Agency (CISA) Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force. Last fall, the task force published a report outlining its activities, spanning information sharing, threat evaluation, vendor qualification and procurement policy. According to CISA, the threat evaluation working group identified approximately 190 threats facing agencies today. In December, the task force announced it would create a new working group to develop SCRM frameworks and best practices around supplier risk, product lifecycle management, cybersecurity, and more.
The goal of the new working group “is to empower stakeholders across the ICT ecosystem to make risk-informed decisions that increase trust across their supply chains,” said Bob Kolasky, SCRM Task Force co-chair and assistant director for CISA’s National Risk Management Center.
In addition:
- The Office of Management and Budget (OMB) is working toward reducing the number of existing large-scale, agency-wide contracts to decrease the total number of suppliers and better manage the threat landscape
- A proposed federal rule that would implement Executive Order 13873 requires the Commerce Department secretary to evaluate individual telecommunications gear transactions using a “case-by-case, fact-specific approach” to determine which transactions might be blocked or altered because of undue risk to the United States
- The National Institute of Standards and Technology and the National Cybersecurity Center of Excellence are teaming on an effort to provide guidance that will help organizations verify that internal components of purchased computing devices are genuine and unaltered
These efforts can provide valuable parameters and guidance for both industry and government. Other, existing criteria are also important for federal agencies to consider when evaluating suppliers:
- Company ownership structure and sourcing methodologies
- Status as an authorized OEM reseller
- Possession of International Organization for Standardization (ISO) certifications
- Compliance with Office of Treasury Procurement Services (OTPS) requirements
- Possession of Cybersecurity Maturity Model Certification (CMMC)
Eventually, the federal community might consider creating reseller-specific ISO certifications to establish a standard level of security for the reseller channel.
The bottom line is that agencies need comprehensive assessments of their suppliers to understand the total risk. Training contracting officers and buyers to look beyond the Bill of Materials (BOM) and part number will be essential.
Industry can help by assessing their supply chains and those of their partners, participating in public-private efforts to improve supply chain security, and sharing information with government and industry. A free-flowing channel of information – about bad actors, repeat offenders, breaches, and best practices – would be a game-changer for all involved. Federal IT providers are hyper-competitive and typically don’t like to share intelligence. But the threats to the federal IT supply chain are so extensive and so potentially severe that we must move beyond self-interest to embrace our collective responsibility.
