The Contracting Education Academy

Contracting Academy Logo
You are here: Home / Archives for supply chain

By

Is Congress in the dark on supply chain risk?

Top senators on the Senate Homeland Security Committee have warned the Office of Management and Budget that IT professionals in Congress and the federal judiciary may not be getting all the supply chain risk information they need to secure their computer systems and networks as they make acquisitions.

The senators wrote to OMB Director Mick Mulvaney ″urging” the Federal Acquisition Security Council (FASC) to develop a strategic plan for sharing supply chain security information with Congress and the judiciary. The letter is signed by Chairman Ron Johnson, R-Wisc.; Ranking Member Gary Peters, D-Mich.; Sen. Tom Cotton, R-Ark.; and Sen. Ron Wyden, D-Ore.

The FASC is responsible for increasing information sharing within the federal government regarding supply chain risk and creating guidelines and practices for risk management. The FASC distributes the intelligence community’s supply change risk management (SCRM) threat analysis to federal civilian agencies making acquisitions decisions. But the senators said that the information from FASC is not reaching the other two branches of government and supply chain solutions that work for executive agencies don’t necessarily work for the “whole of government.”

Keep reading this article at: https://www.fifthdomain.com/civilian/omb/2019/10/11/is-congress-in-the-dark-on-supply-chain-risk/

By

How to manage risk along the federal government supply chain

Even the most sophisticated federal agencies have found it difficult to effectively measure and evaluate the cyber risk of their contractor base.

The U.S. federal government relies on an ever-expanding supply chain of tens of thousands of contractors and subcontractors to provide critical services, hold and maintain sensitive data, and perform key functions. While this supply chain is essential to agencies’ fundamental operations, it also increases the number of access point nefarious actors have to their systems and data and, consequently, puts agencies and sensitive data at greater risk.

Even the most sophisticated federal agencies have found it difficult to effectively measure and evaluate the cyber risk of their contractor base. For example, the Navy recently released a report that highlighted growing concerns around supply chain cybersecurity, noting that the federal supply chain has been “compromised in ways and to an extent yet to be fully understood.” In a July 2019 report on the security of its contractors, the Defense Department Inspector General was blunt: The department “does not know the amount of DoD information managed by contractors and cannot determine whether contractors are protecting unclassified DoD information from unauthorized disclosure.”

In fact, data suggests that contractors are not meeting agency expectations for security. Recent BitSight research found that the average security performance rating across all federal agencies was at least 15 points higher than the mean security performance rating of any contractor sector. In other words, there is a significant security performance gap between federal agencies and their supply chain partners.

The time has come for agencies to prioritize this critical risk in their cybersecurity programs. There are steps agencies can take to more effectively measure, monitor and manage this challenge.

Keep reading this article at: https://www.nextgov.com/ideas/2019/08/how-manage-risk-along-federal-government-supply-chain/159401/

By

People are key to securing the defense-industrial supply chain

Infiltrating the defense supply chain is one of the most insidious means by which attackers can compromise our nation’s communications and weapons systems. Successfully targeting a single component of the defense industrial base can cause a ripple effect that can significantly impact everything from data centers to war fighters in theater.

The Department of Defense’s new “Deliver Uncompromised” security initiative is designed to tackle this problem at its root cause: third-party suppliers. In essence, the DoD is requiring its suppliers to bake security into their applications from the beginning of the production process. A “good enough” approach that just clears the bar for minimal security criteria is no longer good enough. Security must be ingrained in the very fabric of the entire production process.

Security starts with people

The process starts with people. They are responsible for ensuring that the solutions that comprise the supply chain work as designed and are inherently secure. They work closely with highly sensitive and proprietary information that is attractive to enterprising hackers. They are the first line of defense.

Unfortunately, those same factors make people the most attractive attack vector. When a malicious actor wants to gain access to a component or system, it’s often easier to just steal someone’s credentials than it is to try and find their way around a firewall. Obtaining a simple password is often enough to gain access to a critical system that can then be compromised, or information that can be exploited.

Keep reading article at: https://www.fifthdomain.com/opinion/2019/05/13/people-are-key-to-securing-the-defense-industrial-supply-chain/

By

Why the Navy is giving agencies, industry a much-needed wake-up call on supply chain risks

On page 6 of the Navy’s recent report about its cyber readiness, there is a jaw-dropping confession: “The systems the U.S. relies upon to mobilize, deploy and sustain forces have been extensively targeted by potential adversaries, and compromised to such extent that their reliability is questionable.”

Bill Evanina, director of the National Counterintelligence and Security Center in the Office of the Director of National Intelligence, wants that single sentence in the 80-page report to sink in for a second.

“The Navy’s report on their resilience and reliability is that watershed moment not only for the Department of Defense but for all agencies in the federal government, and I would even proffer in the private sector, to have an honest, internal look at their systems, their data, their capabilities and their protection mechanisms and where they have vulnerabilities and how the threats are manifested in their organizations,” Evanina said after speaking at the Intelligence and National Security Alliance (INSA) event on supply chain management in Arlington, Virginia, on April 1. “I think all agencies should take a hard look and say, ‘What can we do that is similar to this to look at our own processes and protection models?’”

The Navy report serves as a call to arms around the challenges every agency faces from systems under attack to attempts to steal information from its industrial base.

“The DON’s dependency upon the defense industrial base (DIB) presents another large and lucrative source of exploitation for those looking to diminish U.S. military advantage. Key DIB companies, primes, and their suppliers, have been breached and their IP stolen and exploited,” the report states. “These critical supply chains have been compromised in ways and to an extent yet to be fully understood.”

Keep reading article at: https://federalnewsnetwork.com/acquisition/2019/04/navy-giving-agencies-industry-much-needed-wake-up-call-on-supply-chain-risks/

By

Senate Armed Services Subcommittee on Cybersecurity holds hearing to discuss responsibilities of the industrial base

On March 26, 2019, the Senate Armed Services’ Subcommittee on Cybersecurity held a hearing to receive testimony assessing how the Department of Defense’s (DoD) cybersecurity policies and regulations have affected the Defense Industrial Base (DIB).

To gain a better understanding of the DIB’s cybersecurity concerns, the Subcommittee invited William LaPlante, Senior Vice President and General Manager of MITRE’s National Security Sector; John Luddy, Vice President For National Security Policy at the Aerospace Industries Association; Christopher Peters, Chief Executive Officer of the Lucrum Group; and Michael MacKay, the Chief Technology Officer of Progeny Systems Corporation.

In their opening remarks, the Chairman of the Subcommittee, Senator Mike Rounds (R-SD), and Ranking Member, Senator Joe Manchin (D-WV), acknowledged industry concerns about the DoD’s lack of clarity and disparate implementation of cybersecurity regulations, such as guidance relating to DFARS 252.204-7012 (DFARS Cyber Rule or Rule) and National Institute of Standards and Technology (NIST) Special Publication (SP) 800-171.

Senator Rounds stated that he “expects [DoD] to come up with measured policies to make improvements in [cybersecurity]” and he “hope[s] DoD takes seriously the concerns of the DIB.”  He further noted that DoD “cannot simply apply increasingly stringent cybersecurity requirements on its contractors” and that “doing so without subsidy or assistance is unlikely to particularly improve cybersecurity [for] the DIB” and would likely drive the most innovative small businesses out of the supply chain.  Senator Rounds called for putting a program in place to ensure the best possible protections for contractors regardless of size and referred to the “Achilles heel” of this issue as the desire to use a large number of small contractors while still needing to protect sensitive government information.  Later in the hearing, Senator Manchin expressed great concern over the cyber incidents experienced by DoD contractors and urged the witnesses to “tell [the Subcommittee] what you need . . . [the Subcommittee] is here to fix it and you’re here to tell us what’s broken.”

Keep reading this article at: https://www.insidegovernmentcontracts.com/2019/03/senate-armed-services-subcommittee-on-cybersecurity-holds-hearing-to-discuss-the-responsibilities-of-the-defense-industrial-base/

Contracting Academy Logo
75 Fifth Street, NW, Suite 300
Atlanta, GA 30308
info@ContractingAcademy.gatech.edu
Phone: 404-894-6109
Fax: 404-410-6885

RSS Twitter