U.S. Federal Government and Supply Chain Security

Supply chain risk can be accidental or malicious, but regardless of intent, compromise of a critical asset can be catastrophic. It is not possible to build every technology solution in-house, so the Federal Government must rely upon its suppliers for myriad solutions deep within its infrastructure. But how can the U.S. Federal Government ensure effective cybersecurity supply chain risk management (C-SCRM)?

The U.S. Government initiatives for cybersecurity supply chain risk management (C-SCRM) - from EO 14028 to NIST initiatives, such as NIST SP 800-161r1 to guidelines in FIPS 201-3 - can help Civilian Agencies and Service Branches address supply chain risk, with more work underway. This includes continuing discussion around SBOM, FISMA, and other topics related to safeguarding the federal software supply chain within the House Subcommittee on Cybersecurity, IT, and Government Innovation.

How Claroty can help

Claroty helps mitigate supply chain risks by:

• Identifying all assets connected to your OT network for further security risk assessment

• Automatically correlating all critical assets against the latest common vulnerabilities and exposures (CVEs) and other cybersecurity weaknesses

• Continually assessing risks in your network

• Delivering secure-yet-frictionless remote access to these networks for internal and third-party users, and

• Other steps as outlined below

Some specific steps you can take to manage supply chain risk

Supply chain cyber risk is complicated and spans the entire lifecycle of a product—design, manufacturing, distribution, deployment, maintenance, and disposal. The more protracted and complex the life cycle, the more opportunities for threat actors to exploit the product by targeting less secure elements in the chain. And because supply chains are often global and span multiple tiers of suppliers, the responsibility of security doesn't rest with a single organization. Each tier must address risk accordingly in order to minimize threats to the software supply chain.

That's why, when creating business continuity plans, Agencies and Service Branches need to look beyond their own organizations to also consider the security measures their immediate suppliers have in place and how they, in turn, manage and mitigate risk with their extended network of suppliers – including primes and subcontractors and their tools. These seven steps can help:

1. Communication and assessment: Managing this critical risk starts with determining internal responsibility for procurement and verifying a partner's process security. This requires legal teams to be involved, in addition to technology and operational leaders across functions and geographies. Decision makers need threat intelligence related to supply chain attacks to make informed decisions about risks to the federal organization and operations. Secure procurement and data protection must be wrapped in effective communication with partners and internal stakeholders.

2. Detailed visibility of all connected assets, including cyber-physical systems: Consider a dedicated cybersecurity solution that secures CPS of connected organizations. Claroty provides unmatched visibility and protection, continuously monitoring and detecting threats across  OT, BMS/BCS, xIoT, and healthcare (IoMT). Simplifying management and enabling collaboration between IT and OT teams, Claroty can provide visibility to your organization's existing security network, and all access points with your supply chain partners, extending this visibility across all of your key parties.

3. Threat Intelligence and alerting vigilance: Keep up to date with the latest intelligence on emerging threats and triage new alerts including CISA advisories from the U.S. and its Five Eyes partners.

4. Strengthened cybersecurity coalitions: Given the current focus on supply chain, even the most senior leaders have become attuned to operational concerns and are more aware of why the right cyber defense and processes are essential for ensuring availability, reliability, and safety. As a security leader, seize the moment to garner cross-functional buy-in for supporting present and future cybersecurity initiatives.

5. Collaboration across the supply chain: Your supply chain is an integral part of your operations, mission-critical or otherwise. As such, it needs to be an integrated part of your security ecosystem and protected with the same level of defense. You can set benchmarks and share reports and insights into vulnerabilities and hygiene risk with your supply chain partners.

6. Secure software development: If you are going to use third-party software components, it's crucial to carefully analyze the code to identify and understand any potential vulnerabilities present. By formally integrating security best practices into your software development process, vendors and developers can substantially reduce supply chain risk.

7. Software bill of materials (SBOM): One specific aspect of secure software development to uphold is the practice of keeping an SBOM, which is a detailed record of all components used to build a given piece of software. More information is available from the NTIA website on SBOM.  

Supply chain attacks are not new, but they have been on the rise. Claroty recognizes the need to enable supply chain assurance. We can help the U.S. Federal government more effectively and efficiently assess, manage, and mitigate risk across your cybersecurity supply chain.