The Cybersecurity and Infrastructure Security Agency has developed the following essential steps in building an effective supply chain risk management (SCRM) practice:
- Identify the people: Build a team of representatives from various roles and functions of the company (e.g., cybersecurity, information technology, physical security, procurement/acquisition, legal, logistics, marketing, and product development). Ensure personnel at all levels are well-trained in the security procedures of their role or function.
- Manage the security and compliance: Document the set of policies and procedures that address security, integrity, resilience, and quality. Ensure they are based on industry standards and best practices on how to conduct SCRM such as those from the National Institute of Standards and Technology (NIST).
- Assess the components: Build a list of ICT components (e.g., hardware, software, and services) that your organization procures to enable your business. Know which internal systems are relied upon for critical information or functions, and which systems have remote access capability that must be protected to prevent unauthorized access.
- Know the supply chain and suppliers: Identify your suppliers and, when possible, the suppliers’ sources. In today’s world of increased outsourcing, it is important to understand your upstream suppliers as part of the larger supply chain ecosystem.
- Verify assurance of third parties: Verify that your suppliers maintain an adequate security culture and SCRM program to appropriately address the risks that concern your organization. Establish the protocols your organization will use to assess the supply chain practices of your suppliers.
- Evaluate your SCRM program: Determine the frequency with which to review your SCRM program, incorporate feedback, and make changes to your risk management program.
National Counterintelligence and Security Center: Reduce Threats to Key U.S. Supply Chains
The National Counterintelligence Strategy of the United States 2020-2022 strategic objective for supply chain security is to: “Reduce threats to key U.S. supply chains to prevent foreign attempts to compromise the integrity, trustworthiness, and authenticity of products and services purchased and integrated into the operations of the U.S. government, the Defense Industrial Base, and the private sector.”
The increasing reliance on foreign-owned or controlled hardware, software, or services as well as the proliferation of networking technologies, including those associated with the Internet of Things, creates vulnerabilities in our nation’s supply chains. By exploiting these vulnerabilities, foreign adversaries could compromise the integrity, trustworthiness, and authenticity of products and services that underpin government and American industry, or even subvert and disrupt critical networks and systems, operations, products, and weapons platforms in a time of crisis. We must elevate the role of supply chain security in the acquisition process.
FFIEC Information Security Booklet, Supply Chain
The typical institution purchases a wide variety of hardware and software, which often is manufactured or developed internationally. In a supply chain attack, a threat source incorporates unidentified and harmful features into the purchased items before delivery. During the risk identification process, management should identify factors that may increase risk from supply chain attacks and respond with appropriate risk mitigations. An effective information security program seeks to limit the potential for harm through techniques tailored to specific acquisitions and services. Examples of techniques to mitigate the risk from such attacks include the following:
- Only making purchases through reputable sellers who demonstrate an ability to control their own supply chains.
- Purchasing hardware and software through third parties to shield the institution's identity.
- Reviewing hardware for anomalies.
- Using automated software testing and code reviews for software.
- Regularly reviewing the reliability of software and hardware items purchased through activity monitoring and evaluations by user groups.
Other Links and Resources:
CISA APTs Targeting IT Service Provider Customers