DHS, lawmakers doubling down on supply chain risk management

When it comes to cybersecurity, federal agencies and contractors aren’t always on the same page.

Four years after the National Institute of Standards and Technology released its cybersecurity framework, more than half of U.S. companies will implement the framework by 2020, according to a recent study by Gartner.

But the Department of Homeland Security still sees supply chain risks as a major cybersecurity hurdle, and earlier this year launched an internal supply chain initiative aimed at identifying some of the cyber defense gaps between the federal government and its contractors.

Jeanette Manfra, the assistant secretary for the office of cybersecurity and communications at the National Protection and Programs Directorate (NPPD), announced Wednesday that DHS launched the supply chain initiative earlier this year through an internal memo.

The initiative, she said, doubles down on DHS’ ongoing work on supply chain security by allocating staff to specifically focus on the issue.

“We need to have improved ability for DHS, GSA [and] the intel community to be in a position to help inform procurement decisions by the federal government agencies throughout the civilian government. We’re working on building those mechanisms and DHS’ role in pulling all of that altogether, and also working with industry experts to refine what are the supply chain risks that we should be concerned about,” Manfra told reporters Feb. 14 following a panel discussion at the Brookings Institution.

In a study of 12,000 federal contractors, the security rating company BitSight found many federal contractors have fallen behind their government customers when it comes to cybersecurity.

“A lot of people are not following best practices from NIST in protection … There are a lot of contractors that have browsers that are not updated, which means they’re vulnerable to attack,” Stephen Boyer, BitSight’s chief technology officer, said Thursday.

BitSight found in its report that more than one in five users within technology, defense and aerospace contractors use outdated web browsers that make them vulnerable to malware.

Rep. James Langevin (D-R.I.), who founded the Congressional Cybersecurity Caucus nearly a decade ago, said the federal supply chain threat is one of the least understood and most pernicious threats to cybersecurity.

“The increase in breaches stemming from third-party vendors highlights that it’s no longer enough to secure your own network from cyber intrusions. Of course, now you have to ensure that your vendors’ networks are protected as well,” Langevin said at Thursday’s BitSight-sponsored event.

As federal contractors continue to outsource parts and components to manufacturers across the world, Langevin said the network remains vulnerable to malicious actors, including foreign intelligence services and counterfeiters.

“We need to properly incentivize organizations to take a risk-based approach to cybersecurity, rather than having just a compliance-based mindset that encourages doing the bare minimum. ‘Just check the box’ is not going to get it done,” Langevin said.

For defense programs, like the F-35 Joint Strike Fighter, which has more than 1,300 suppliers from nine countries and 48 states, minimizing the opportunity for cyber attacks, he said, can be “extraordinarily difficult.”

Last year, the Defense Science Board reported that hackers had compromised the software of several programs, including the F-35, forcing Lockheed Martin and its subcontractors to rewrite the F-35’s software.

Langevin said broad adoption of risk management plans like the NIST cybersecurity framework is an encouraging first step in reducing supply chain risk.

“However, there’s still room to build on those frameworks by finding consistent ways to measure the effectiveness of security controls, providing a feedback loop on the return on security investment. Metrics here is what we really need to focus on,” he said.

Speaking more generally on the state of federal cybersecurity, Langevin called on agencies to adopt automation tools as force multipliers for the “woefully undersized” federal cybersecurity workforce.

“The talent pipeline is still too slow to keep up with the demand for these skill sets,” he said.