The federal government’s most visible effort in IT supply-chain security over the past two years has been to ban purchases of Huawei, Kaspersky and ZTE products by government agencies, in an effort to prevent cyber espionage by state-sponsored actors. That effort is well intentioned – but the intense focus on a small number of companies may have obscured wider threats to the federal government through its supply chain.
Consider that federal agencies buy products and services via massive government contracts awarded to prime contractors, which team with multiple subcontractors. All of these entities have their own supply chains and information systems, which are connected to tens or hundreds of product and service providers – often globally. A breach in one vendor’s supply chain – a routine software update that installs malware, a rogue component added during manufacturing, a worm siphoning data – could affect not only the vendor’s operations, but also the operations of its business partners and its customers.
While no government supplier is immune from attack, the largest contractors have robust global supply chain security programs that span their own operations, as well as their suppliers and partners. Many other contractors, however, have not invested adequate funds and expertise in monitoring and securing their supply chains.
The National Institute of Standards and Technology and the National Cybersecurity Center of Excellence are teaming on an effort to provide guidance that will help organizations verify that internal components of purchased computing devices are genuine and unaltered.
Read more at: Homeland Security Today