To secure the government’s IT ecosystem, agencies must better understand their tech, the vendors who built it, and those companies’ suppliers.
The government can make significant progress in securing its IT supply chain by following a few basic procurement practices, but most agencies have yet to adopt them, according to federal security experts.
While government leaders have recently given a lot of attention to the supply chain security threats posed by foreign vendors, officials must devote equal energy to reforming their acquisition policies so they put those warnings to good use, experts said. Those efforts require an in-depth understanding of both the government’s IT infrastructure and the countless firms in its vendor pool, they said, but today that remains a challenge for most agencies.
“Supply chain [security] is where we were with cyber[security] maybe 15, 20 years ago,” Michele Iversen, director of risk assessment and operational integration at the Defense Department, said during a panel at Fifth Domain’s recent CyberCon event. “We really don’t really have the visibility that we need to know where the threats are and what’s actually happening.”