From shortages of basic supplies to widely impactful security breaches, the cascading effects of an issue within a supply chain have touched nearly every citizen. However, a 2020 report found that most major agencies had not implemented supply chain security practices due to a lack of federal guidance. Since these findings, the U.S. government has been making a concerted effort to better understand supply chain weaknesses and shore them up.
The 2018 National Cyber Strategy (NCS) had a key objective of improving Federal management of the supply chain. This included the integration of supply chain risk management into the procurement and use of IT. Following the NCS, the SECURE Technology Act was passed which established a Federal Acquisition Security Council (FASC) and provided executive agencies with authorities related to mitigating supply chain risks in the procurement of IT. Supply chain continues to be a key element in Biden administration cyber guidance with research and management programs being set up across government.
- The Cybersecurity and Infrastructure Security Agency (CISA) is building out a new supply chain risk management office to help agencies, industry and other partners act on the existing (and future) cybersecurity regulations, guidance, and policies. This office will help create secure supply chain management programs in line with laws and executive orders.
- The National Institute of Standards and Technology (NIST) published cyber supply chain guidance to help agencies manage potential IT malware risks. NIST is also developing a scorecard to help understand and manage supply chain risk.
- The Defense Advanced Research Projects Agency (DARPA) is taking a close look at the business systems used across government to manage defense workflows – solutions from companies including SAP, Oracle, Workday, IBM, and Salesforce – to identify logic faults and vulnerabilities.
- The President’s Council of Advisors on Science and Technology (PCAST) launched a working group focused on creating an infrastructure that is cyber-resilient for U.S. digital networks. This group will look at how best to assess the ways systems function together and separately, what investment is needed to maintain resiliency, and how to approach corresponding standards design.
- The government is also looking at how a Software Bill of Materials, or SBOM, can better secure IT systems. The idea is that today’s software includes copies of code from many different places, so it is critical to know what all of the “ingredients” in a piece of software are. If one piece of code is found to be vulnerable, agencies need visibility into where it may reside on their systems. The cybersecurity executive order set the provision of an SBOM by all software vendors as a future goal.
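To make the SBOM idea concrete, the following added example (not from the original post) indexes a few constructed, simplified CycloneDX-style SBOM documents and reports which systems carry a component older than the version that fixes a flaw; the system names, component names and versions are invented for illustration.

```python
import json
from typing import Dict, List, Tuple

# Constructed sample: one simplified CycloneDX-style SBOM per deployed
# system, keyed by system name. Real SBOMs carry many more fields.
SBOMS = {
    "payroll-portal": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"type": "library", "name": "log-formatter", "version": "2.14.1"},
        {"type": "library", "name": "xml-parser", "version": "1.3.0"}]}),
    "grants-api": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"type": "library", "name": "log-formatter", "version": "2.17.0"}]}),
    "case-tracker": json.dumps({"bomFormat": "CycloneDX", "components": [
        {"type": "library", "name": "log-formatter", "version": "2.10.0"},
        {"type": "library", "name": "http-client", "version": "4.5.13"}]}),
}


def parse_version(version: str) -> Tuple[int, ...]:
    """Turn a dotted version string into a comparable tuple of ints.
    Each segment is cut at its first non-digit ('0-beta' -> 0) so that
    ordering stays well-defined for pre-release suffixes."""
    parts = []
    for seg in version.split("."):
        digits = ""
        for ch in seg:
            if not ch.isdigit():
                break
            digits += ch
        parts.append(int(digits) if digits else 0)
    return tuple(parts)


def build_index(sboms: Dict[str, str]) -> Dict[str, List[Tuple[str, str]]]:
    """Index component name -> [(system, version)] across all SBOMs,
    so a single lookup answers 'where does this ingredient live?'."""
    index: Dict[str, List[Tuple[str, str]]] = {}
    for system, doc in sboms.items():
        for comp in json.loads(doc).get("components", []):
            index.setdefault(comp["name"], []).append((system, comp["version"]))
    return index


def affected_systems(index, name: str, fixed_in: str) -> List[str]:
    """Systems whose copy of `name` is older than the version that fixes it."""
    fixed = parse_version(fixed_in)
    return sorted(system for system, ver in index.get(name, [])
                  if parse_version(ver) < fixed)


if __name__ == "__main__":
    idx = build_index(SBOMS)
    print(affected_systems(idx, "log-formatter", "2.17.0"))
```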
GovWhitePapers and GovEvents have a host of resources that provide best practices and policy insights into supply chain security and resilience.
- SBOM Challenges and Opportunities (white paper) – Learn why and how creating an SBOM is critical to secure software development, improve supply chain transparency, and manage open-source software components.
- Supply Chain Resilience – Agencies Are Taking Steps to Expand Diplomatic Engagement and Coordinate with International Partners (white paper) – As part of the Government Accountability Office’s body of work on supply chain issues, this report describes Commerce, State, and U.S. Trade Representative’s diplomatic efforts to strengthen supply chains since the onset of the pandemic and the challenges of coordinating with allies and partners.
- Sharing Supply Chain Risk Information to Increase Resilience (white paper) – This report is the culmination of a multi-year effort by CISA’s Information and Communications Technology Supply Chain Risk Management Task Force to address the issues of sharing supply chain risk information (SCRI) between companies and government entities. The initial work defined a common framework for the bi-directional sharing of actionable SCRI between federal government and industry.
- Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations (white paper) – This publication provides guidance to organizations on identifying, assessing, and mitigating cybersecurity risks throughout the supply chain at all levels of their organizations. The paper integrates cybersecurity supply chain risk management (C-SCRM) into risk management activities by applying a multilevel, C-SCRM-specific approach.
- Securing the Software Supply Chain from Increasing Cyber Threats (May 24, 2023; webcast) – Securing the software supply chain is mission critical to the federal government. Agencies must ensure software is free of vulnerabilities while identifying and tracking third-party components through SBOMs. Learn about emerging threats and how industry and government are working together to protect the software supply chain by verifying provenance back to a trusted entity while simplifying and streamlining the security compliance process.
- Federal Acquisition Conference (June 22, 2023; Arlington, VA) – This conference will acquaint participants with real, practical ways in which government and industry partners can work together – creatively, expeditiously – to support federal missions and help agencies access much-needed capabilities and innovative solutions.
- Gartner Supply Chain Planning Summit (November 29-30, 2023; Phoenix, AZ) – Research-backed sessions will show how to deliver tangible outcomes in support of business objectives and transform the planning function from within while harnessing emerging technologies to realize the value of supply.
Check out GovWhitePapers and GovEvents for more insight into how our government is securing the supply chain.