Managing Supply Chain Risks in Complex Federal Information Systems

Lawmakers are questioning if the recent cyberattacks on government entities constitute an act of war. According to lawmakers, the recent cybersecurity breach was so large, it will take time before authorities can truly assess the full repercussions.

“There are as many as 18,000 individual entities, both private and government, that have been compromised here and that had the defective software. So that has to be fully vetted,” Congressman Stephen Lynch (D-Mass.) said on Friday. “So that will take some time.”

The ‘SolarWinds’ software hack, which has widely been attributed to Russia, compromised several departments. This included the Treasury, Homeland Security and portions of the Pentagon.

“America’s got the greatest technology in the world, including in this area,” National Economic Council Director Larry Kudlow stated. “So, we’ll have to double back and try to cover tracks and see how to prevent it.”

Federal agencies run complex information systems and networks to support their missions. Their supply chain infrastructure is the integrated set of components (hardware, software and processes) comprising of the environment in which a system is developed or manufactured, tested, deployed, maintained, and retired/decommissioned. This article attempts to recommend on how to manage Supply Chain Risks in Complex Federal Information Systems in the future.

Supply Chain Risks

Supply chain risks may include insertion of counterfeits, unauthorized production, tampering, theft, insertion of malicious software and hardware, as well as poor manufacturing and development practices in supply chain. These risks are realized when threats in the supply chain exploit existing vulnerabilities.

Supply Chain Risk Management (SCRM) encompasses activities in the system development life cycle, including research and development (R&D), design, manufacturing, acquisition, delivery, integration, operations, and disposal/retirement of an organization’s hardware and software products and services, and lies at the intersection of security, integrity, resilience, and quality.

• Security provides the confidentiality and availability of information that describes or traverses the supply chain contained in products and services, as well as information about the parties participating in the supply chain; Organizations must implement an appropriate and tailored set of baseline information security & Privacy controls; They must establish internal checks and balances to assure compliance with security and quality requirements.
• Integrity focuses on ensuring that the products or services in the supply chain are genuine, unaltered, and that the products and services will perform according to acquirer specifications and without additional unwanted functionality. Organizations must implement consistent, well-documented, repeatable processes for system engineering, security practices, and acquisition; They must establish a supplier management program including, for example, guidelines for purchasing directly from qualified original equipment manufacturers (OEMs) or their authorized distributors and resellers.
• Resilience focuses on ensuring that supply chain will provide required products and services under stress or failure. Organizations must establish consistent, well-documented, repeatable processes for determining impact levels; They must use risk assessment processes such as criticality analysis, threat analysis, and vulnerability analysis, after the impact levels have been defined; They must implement a tested and repeatable contingency plan that integrates supply chain risk considerations to ensure the integrity and reliability of the supply chain. In spite of this, there is a dire need for a robust incident management program to successfully identify, respond to, and mitigate security incidents.
• Quality focuses on reducing vulnerabilities that may limit the intended function of a component, lead to component failure, or provide opportunities for exploitation. Organizations must implement a quality and reliability program that includes quality assurance and quality control process and practices;

Steps to Manage Supply Chain Risks…

Establish an organization governance structure that incorporates risk assessment & management process into the organizational policies; Establish RACI charts for all stakeholders in the organization; Ensure that adequate resources are allocated to information security and SCRM to ensure proper implementation of guidance and controls;

Review and strengthen your internal organization security posture guided by NIST 800-171; 800-53 publications

• Access Control: Limit information system access to authorized users, processes acting on behalf of authorized users, or devices and to the types of transactions and functions that authorized users are permitted to exercise.
• Audit & Accountability: Create, protect, and retain information system audit records, needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and ensure that the actions of individual information system users can be uniquely traced to those users.
• Awareness & Training: Ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures related to the security of organizational information systems; and they are adequately trained to carry out their assigned information security-related duties and responsibilities.
• Configuration Management: Establish and maintain baseline configurations and inventories of organizational information systems throughout the respective SDLCs; Establish and enforce security configuration settings for components employed in organizational information systems.
• Identification & Authentication: Identify information system users & processes, and verify the identities of those users & processes, as a prerequisite to allowing access to the systems.
• Incident Response: Establish an operational incident handling capability for systems for adequate preparation, detection, analysis, containment, recovery, and user response activities; and for adequate tracking, documenting, and reporting incidents to appropriate authorities.
• Maintenance: Perform periodic and timely maintenance on organizational information systems and institute effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.
• Media Protection: Protect information system media, both paper and digital; & limit access to information on system media only to authorized users; and also sanitize or destroy information system media before disposal or release for reuse.
• Personnel Security: Ensure that individuals occupying positions of responsibility within organizations are trustworthy and meet established security criteria; Ensure that organizational information and systems are protected during and after personnel actions such as terminations and transfers; Employ formal sanctions for personnel failing to comply with security policies and procedures.
• Physical & Environment Protection: Limit physical access to information systems, equipment, and operating environments only to authorized individuals; Protect the physical plant and support infrastructure; Protect information systems against environmental hazards; and provide appropriate environmental controls in facilities.
• Recovery: Establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the continuity of operations in emergency.
• Risk Management: Assess & manage the risk to organizational operations, assets, and individuals periodically, and the associated processing, storage, or transmission of organizational information.
• Security Assessment & Authorization: Assess the security controls in organizational information systems periodically to determine efficacy; Develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities; Continuously monitor security controls to ensure efficacy.
• Situation Awareness: Develop, document, periodically update, and implement security plans for organizational information systems that describe the security controls in place or planned and the rules of behavior for individuals accessing the information systems.
• System & Communications Protection: Monitor, control, and protect organizational communications at the external boundaries and key internal boundaries of the information systems; and promote effective information security within organizational information systems with sound architectural designs and systems engineering principles.
• System & Information Integrity: Identify, report, and correct information and information system flaws in a timely manner; Protect systems from malicious code, monitor system security alerts/advisories and take remedial actions.

Review and strengthen your external supply chain security posture

Protecting the Supply Chain - System & Services Acquisition: Employ sound DevSecOps processes across your partner ecosystem that incorporate information security considerations and protect the supply chain;

• Implement acquisition strategies, tools and methods to ensure the integrity and traceability of supply chain infrastructure and supply systems/components. Examples of tools and methods include obscuring the end-use of components from the supplier using blind or filtered buys. Other examples include incentive programs to system integrators, suppliers, or external services providers to ensure that they provide verification of integrity as well as traceability.
• Define and implement a supplier review program to analyze system integrator, supplier, and external services provider activities. Usually, an agreement is reached between the organization and system integrators, suppliers, and/or external services providers that guides the level of traceability and visibility achievable.
• Exercise due diligence in your assessments prior to selecting components used in your supply chain infrastructure. Ensure that all-source threat and vulnerability information includes any available foreign ownership and control (FOCI) data. Review this data periodically as mergers and acquisitions, if affecting a supplier, may impact both threat and vulnerability information.
• Limit exposure of operational and supply chain data that may be used by adversaries. Some examples include avoiding purchasing custom configurations or ensuring that a diverse set of suppliers is used to reduce the possibility of single point of failure or threat.
• Ensure that your supply chain infrastructure and information system are scoped as part of organizational operations security (OPSEC) requirements. Criticality, threat, and vulnerability analyses can provide inputs into OPSEC requirements to ensure that supply chain aspects are included for implementing requirements. Examples of unauthorized modifications include the deployment of a patch or an upgrade by a maintenance team prior to staging processes to verify impact of upgrade to operational environment. An example of a validation procedure may be the use of digital signature by an OEM to prove that the software delivered is from its originating source. When digital signatures are used for this purpose, the organization should ensure, when receiving such software, that the signed upgrade/download was not altered.
• Inter-organizational agreements with system integrators, suppliers, and external service providers should ensure that appropriate communications are established. You must leverage the criticality analysis to identify when such agreements are necessary. The communications should allow for early notifications of various supply chain-related events. Events may include: a. Compromises (both information system and supply chain); b. Changes or updates to roadmaps, new component development, updates to components, end-of-life decisions; c. The addition, replacement, and removal of system integrator personnel supporting organizational information system and supply chain infrastructure efforts; and d. Infrastructure changes within external service providers such as any new operating system rollout, hardware upgrades, or replacements due to field failures, or data store architecture shifts.
• Define and assess periodically the critical components such as inventory of any open-source software (OSS) components to ensure full traceability and to ensure a cross-reference and match to known trusted repositories - for your supply chain infrastructure and the information system. Mitigate supply chain risks through multisource supply, stockpiling of spare components for critical component end of life as a short-term fix prior to redesign, etc.
• Ensure that both the information system and the supply chain infrastructure are designed, developed, and implemented with explicitly defining the requirements to support confidentiality, integrity, and availability of supply chain information and building trust with system integrators, suppliers, and external service providers. The SCRM requirements must include a clear definition of supply chain disruptions, human errors, purposeful attacks, and other risks. Processes and procedures must be defined as part of the requirements activities to ensure that not only components of the supply chain infrastructure and the information system are predictably behaving, but that the processes and procedures also support the requirements for trustworthiness. Examples of areas of concern include any exchange of components from one supplier to another due to a lack of availability; switching resources from one program to another due to the system integrator’s internal needs; or the change in processing and storage platforms in an approved external service provider’s hosting environment.
• Ensure that actors participating in your supply chain infrastructure and information system are adequately identified and monitored for critical activities. Ensure that you collect evidence from your supply chain infrastructure assessment, document and integrate into the risk management process to provide inputs to criticality, threat, and vulnerability analyses and ensure that supply chain protections keep pace with the changes to the supply chain.

Component Authenticity - For systems in the architectural design process step, categorize component security for the system-level criticality that supports the confidentiality, integrity, or availability of the system and the mission it supports. Ensure that system integrators maintain a record of origin and history of all changes for systems and components under your control, thereby, demonstrating authenticity & traceability.

• As a part of your anti-counterfeit policy and procedures, ensure that the components acquired and used are authentic and have not been subject to tampering. In many circumstances, the most effective method to help ensure authenticity is to acquire needed components only from OEMs, their authorized resellers, or other trusted sources. However, limiting eligibility to these sources for all acquisitions may not be compatible with market availability, organizational needs, acquisition rules, socioeconomic procurement preferences, or principles of open competition.
• You must obtain assurances of the provider’s ability to verify, through documentation or other means, the integrity, security, and quality of the delivered components. Such assurances are especially important when acquiring obsolete, refurbished, or otherwise out-of-production components. If such assurances are not obtainable, you must create a risk response plan to address any additional risks to your mission or business operations.
• Counterfeits represent a major supply chain risk. Training personnel to recognize and manage counterfeits in the supply chain will help to improve the integrity and authenticity of your information systems and supply chain infrastructure.
• Component service and repair processes could also compromise your supply chain. You must manage associated risks and any replacements, updates, and revisions of hardware and software components within your supply chain infrastructure. You must also ensure that components can be disposed of without exposing your mission or operational information. Examples include a. Considering the transmission of sensitive data (mission, user, operational system) to unauthorized parties or unspecified parties during disposal activities; b. Monitoring and documenting the chain of custody through the destruction process; c. Training disposal service personnel to ensure accurate delivery of service against disposal policy and procedure;
• You must scan for counterfeit components within the information system and supply chain infrastructure. Examples of techniques include automated visual scanning for hardware and checking for digital signatures in software.