With supply chains that span multiple continents, often involving dozens of companies and products, regulation of cyber controls for public-sector IT contractors isn’t a straightforward task. Pair this with the fact that cybercriminals and foreign intelligence agencies have increasingly honed their capacities to infiltrate and compromise organizations, and you have a unique security landscape that governments have yet to satisfyingly address.
At the federal level, the U.S. has worked hard to establish certification standards like the governmentwide Federal Risk and Authorization Management Program (FedRAMP), which was created to assess and authorize cloud service providers working with federal agencies. At the same time, organizations like the National Institute of Standards and Technology (NIST) and the Cybersecurity and Infrastructure Security Agency (CISA) have been deployed to continually assess risk and promote secure practices throughout the federal bureaucracy.
State and local governments, however, lag behind. While they are increasingly taking cues from federal agencies on supply chain risk awareness, the resources to act on that awareness are slim. Indeed, for smaller public agencies whose IT departments frequently find themselves deficient in funding and manpower, the idea of comprehensive supply chain audits is about as realistic as municipally funded moon landings.
“Certifying and evaluating suppliers is a huge undertaking and one that most states are not equipped to do,” said Dugan Petty, former Oregon CIO. “Not even the largest states have the capability to certify a supply chain or determine if hardware or software have malware built in,” he said.
This problem has been complicated somewhat by broader shifts in the public sector’s IT procurement process, said Steve Nichols, chief technology officer with the Georgia Technology Authority. As the CIO-as-broker model has come to replace the old owner/operator model, public agencies that previously procured and integrated all hardware or software themselves now frequently rely on the CIO to broker deals with system integrators. Integrators bring in whole suites of software from varied sources — increasing efficiency, but also the opportunity for intrusion.
“The software they [an integrator] bring or transfer might have a number of other third-party software packages already integrated into it (like a database or a Web server or an app server). Further, they might bring system or management software and hardware as part of that solution. All of those things are made and supported by other companies,” said Nichols.
Meredith Ward, director of research with NASCIO, said that data from her organization’s biannual cybersecurity survey shows there is some — though probably not enough — confidence in the security of government’s business partners.
“From this year’s study, we know that two-thirds of state CISOs are ‘somewhat confident’ that state information assets are protected from cyberthreats originating from business partners/vendors. However, one-quarter aren’t confident at all,” said Ward. “Some state CISOs have also cited that a lack of a third-party risk management program is a barrier their state faces to address cybersecurity challenges.”
Also adding to the problem is the rise in cloud procurement. While a useful resource for public agencies, cloud services often involve a number of different vendors in the same chain. Such vendors frequently have immense amounts of access to sensitive government data, making oversight of just how those vendors operate crucial.
“A SaaS solution might be built on top of a PaaS solution supported by another vendor and hosted in yet another vendor’s IaaS data center,” said Nichols, explaining that with all of these layered services and companies, the potential for proper oversight is difficult. Most worrying is the prospect of foreign intelligence agencies infiltrating supply chains to implant malware to conduct espionage and steal data.
Threats of this sort have been highly publicized in recent years. Huawei, the Chinese tech giant, has been in the headlines as an ongoing supply chain threat, but the problem hardly starts and stops with one company or nation-state. At the same time, NIST worries that “industrial spies/cybercriminals” are constantly on the hunt for opportunities to penetrate supply chains to gather information or exploit government data for financial gain. NIST also worries about the potential for organized crime groups to steal valuable government data, or terrorists to infiltrate systems to disable key services or wreak physical destruction through operational technology.
These threats, said Petty, can be especially vexing for state agencies because “no single authority” exists “that can take this on for the states. It has a complexity like other security issues because we have 50 different approaches all with individual state laws.”
Most of the solutions that do exist are some sort of auditing process, but these can be limited in scope and time consuming. In recent years, governments have frequently turned to certain certifications, such as a Statement on Standards of Attestation Engagement (SSAE-18 audit process), or even a FedRAMP certification — though these can be prohibitively expensive for vendors and can take up to a year to complete. More and more states are monitoring third-party access to their systems and data, said NASCIO’s Ward, requiring “some form of independent attestation” such as a SSAE-18 or a “Payment Card Industry Data Security Standard (PCI DSS), and the like.” To the degree that this is affordable, governments should do it.
At the same time, said Ward, there are a number of more basic precautions that NASCIO recommends agencies take to protect themselves, including: “perform background verification checks on select high-risk, third-party employees; monitor and control third-party access to state systems and data; perform random spot checks of third parties’ sites; [and] engage an independent third party to assess the third parties’ capabilities.”
Nichols, meanwhile, has come up with a unique solution to supply chain risk management after GTA had a run-in with a potentially compromised vendor.
“This came up a couple of years ago with a vendor who got flagged by the federal government,” said Nichols. “We had some of that vendor’s product in use in our environment and went through a small project to find where we were using it and replace it and take them off the state contract. We realized that it would be a lot easier to deal with procurement and contractual issues if we had a standard on the books,” he said.
To make sure such an incident was less likely to happen in the future, Nichols researched and drafted a policy for GTA that would allow them to disqualify a supplier or product using a supply chain framework, basing it on NIST SP 800-161, which outlines supply chain risk management practices for federal agencies. It is one of the few examples of a state government imposing some sort of internal regulation to help secure the overall supply chain.
Nichols’ policy, which became effective in April, may be a step in the right direction — and a good model for state agencies that want to cut down on supply chain risk. Georgia’s policy asks agencies to integrate supply chain risk management into their overall risk management frameworks, while also giving agency officials an enforcement mechanism with the authority to reject certain suppliers if they have been deemed a security threat.
“This gives us an additional tool for dealing with problematic suppliers during a procurement or if we need to remove them from a contract,” said Nichols.