Criminal disruptors look for the weakest point in your supply chain.* The government is only one entity among many that utilizes an extensive supply chain to help complete its daily functions. In this case, a supply chain refers to the network of third-party vendors, companies, or sub-contractors that provide support to projects that the government cannot complete solely on its own. While this is necessary, it is nearly impossible to ensure that cybersecurity protocols are equally secure across all levels of a supply chain. For the government, this could result in vulnerabilities at all levels. The risks of a supply chain can include less secure third-party vendors that provide access into the larger company's system or the added risk of giving more individuals access to sensitive data.
In an attempt to mitigate the dangers associated with these vulnerabilities, legislation has been passed to ensure that government contractors working on sensitive issues are improving their cyber hygiene. In December 2017, all federal subcontractors had to ensure that they were complying with the Defense Federal Acquisition Regulation Supplement (DFARS) 252.204.7012: Safeguarding Covered Defense Information and Cyber Incident Reporting, which outlines the specific rules and definitions of classified defense information, and the proper ways it should be handled. However, according to a study of over 12,000 federal contractors conducted by BitSight, many federal contractors are still not meeting adequate levels of cybersecurity.
During a discussion at the Brookings Institution on February 14, Jeanette Manfra announced the launch of a Department of Homeland Security (DHS) internal supply chain initiative that will attempt to improve the cybersecurity posture across the entire supply chain of the federal government. Manfra is the current Assistant Secretary for the Office of Cybersecurity and Communications at the National Protection and Programs Directorate. The initiative will allot staff to analyze the entire supply chain, determine where cybersecurity is lacking, and provide suggested improvements to individual agencies. Although the initiative does not currently have an end date, it is said that DHS will be leveraging the National Institute for Standards and Technology (NIST) where applicable.
This type of initiative is particularly important due to the number of cyber attacks that occur through sub-contractors, both in the federal government and private sector. For example, the 2013 Target Breach has been attributed to a third party vendor of the company. Around the same time as that breach, U.S. Transportation Command was hacked through one of their sub-contractors. These types of attacks are relatively common because smaller companies on the supply chain generally do not have the same kind of cybersecurity protocols in place as their larger associates. Since they do business together, the smaller companies would have access to the larger associates' networks, providing hackers with a way in. Finding the gaps in supply chain cybersecurity and increasing the cyber hygiene requirements of contractors working with sensitive information are both critical to preventing cyber threats. NIST has many resources that help companies improve their cyber hygiene. If your business utilizes third party vendors or is part of a larger supply chain, you can find some of NIST's cyber best practices here.