During the final week of National Supply Chain Integrity Month, the Cybersecurity and Infrastructure Security Agency (CISA) is emphasizing the importance of Information and Communication Technologies (ICT) supply chain risk management. As the use of ICT continues to accelerate and expand, so does the attack surface for adversaries seeking to steal, alter, or destroy sensitive information. CISA is reminding everyone that strengthening an organization's ICT supply chains requires an ongoing, unified effort between government and industry. To this end, CISA is providing two resources to help organizations and their staff get started, including one newly released jointly with the National Institute of Standards and Technology (NIST): ICT Supply Chain Risk Management (SCRM) Essentials.
Like cybersecurity, managing risks to ICT supply chains cannot be done in silos, fragmented among the individuals or departments responsible for one piece of an organization's risk. CISA's SCRM Essentials is a guide for leaders and staff that empowers all personnel to own their role in implementing organizational SCRM practices, with six actionable steps including:
2. Manage the security and compliance - Document the set of policies and procedures that address security, integrity, resilience, and quality. Ensure they are based on industry standards and best practices for conducting supply chain risk management, such as those from the National Institute of Standards and Technology.
3. Assess the components - Build a list of the ICT components (e.g., hardware, software, services) that your organization procures to enable your business. Know which internal systems are relied upon for critical information or functions, and which systems have remote access capability that must be protected to prevent unauthorized access.
4. Know the supply chain and suppliers - Identify your suppliers and, when possible, the suppliers' sources. In today's world of increased outsourcing, it is important to understand your upstream suppliers as part of the larger supply chain ecosystem.
5. Verify assurance of third parties - Verify that your suppliers maintain an adequate security culture and supply chain risk management program to appropriately address the risks that concern your organization. Establish the protocols your organization will use to assess the supply chain practices of your suppliers.
6. Evaluate your SCRM program - Determine the frequency with which you will review your SCRM program, incorporate feedback, and make changes to your risk management program. This may also include auditing suppliers against practices and protocols established by your organization.
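Steps 3 through 5 become concrete once the component list is built from machine-readable data rather than by hand. The following is an added example, not code from CISA's guide: it reads a software bill of materials in CycloneDX JSON form, de-duplicates the components into an inventory (step 3), groups them by supplier (step 4), and queues for review any component whose supplier is missing or is not on an approved-supplier list (step 5). The SBOM content and the approved-supplier list are constructed for illustration.

```python
import json
from collections import defaultdict

# Constructed sample SBOM in CycloneDX JSON shape (illustrative data, not a real product).
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "components": [
        {"type": "library", "name": "openssl", "version": "3.0.12",
         "purl": "pkg:generic/openssl@3.0.12",
         "supplier": {"name": "OpenSSL Project"}},
        {"type": "library", "name": "log4j-core", "version": "2.17.1",
         "purl": "pkg:maven/org.apache.logging.log4j/log4j-core@2.17.1",
         "supplier": {"name": "Apache Software Foundation"}},
        # Vendor agent with no purl: falls back to name@version as its key.
        {"type": "application", "name": "vendor-agent", "version": "5.2.0",
         "supplier": {"name": "Example Vendor Inc"}},
        # No supplier recorded at all: must be chased down, not silently accepted.
        {"type": "library", "name": "left-pad", "version": "1.3.0",
         "purl": "pkg:npm/left-pad@1.3.0"},
        # Duplicate of the first entry, as real SBOMs often contain.
        {"type": "library", "name": "openssl", "version": "3.0.12",
         "purl": "pkg:generic/openssl@3.0.12",
         "supplier": {"name": "OpenSSL Project"}},
    ],
})

# Constructed approved-supplier list (an assumption for the example).
APPROVED_SUPPLIERS = {"OpenSSL Project", "Apache Software Foundation"}


def component_key(component):
    """Prefer the package URL as a stable identifier; fall back to name@version."""
    return component.get("purl") or f"{component['name']}@{component.get('version', '?')}"


def build_inventory(sbom_json):
    """Step 3: de-duplicated inventory keyed by component identifier."""
    doc = json.loads(sbom_json)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    inventory = {}
    for comp in doc.get("components", []):
        key = component_key(comp)
        if key in inventory:
            continue  # duplicate entry, keep the first occurrence
        inventory[key] = {
            "name": comp["name"],
            "version": comp.get("version"),
            "type": comp.get("type"),
            "supplier": (comp.get("supplier") or {}).get("name"),
        }
    return inventory


def group_by_supplier(inventory):
    """Step 4: map each supplier to the components it provides; unknown suppliers kept apart."""
    by_supplier = defaultdict(list)
    unknown = []
    for key, rec in inventory.items():
        if rec["supplier"]:
            by_supplier[rec["supplier"]].append(key)
        else:
            unknown.append(key)
    return dict(by_supplier), sorted(unknown)


def review_queue(inventory, approved):
    """Step 5: components whose supplier is missing or not yet assessed and approved."""
    by_supplier, unknown = group_by_supplier(inventory)
    queue = set(unknown)
    for supplier, keys in by_supplier.items():
        if supplier not in approved:
            queue.update(keys)
    return sorted(queue)


if __name__ == "__main__":
    inv = build_inventory(SAMPLE_SBOM)
    suppliers, no_supplier = group_by_supplier(inv)
    print(f"{len(inv)} unique components from {len(suppliers)} named suppliers")
    for supplier, keys in sorted(suppliers.items()):
        print(f"  {supplier}: {', '.join(keys)}")
    print("needs supplier assessment:", review_queue(inv, APPROVED_SUPPLIERS))
```

The review queue is the list an organization works through under its step 5 protocols; a component with no supplier recorded is treated as unassessed rather than as harmless, since an SBOM that omits the supplier says nothing about the upstream source.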
With technologies and software constantly changing or being updated, security measures must keep pace. Recent software compromises and other security incidents have shown that malicious actors can stealthily deploy compromised software that goes undetected by end users and system administrators, who believe the software is performing legitimate, necessary actions. The reality is that supply chain attacks are difficult to detect and protect against: threat actors have many ways to attack networks, and vulnerabilities may be introduced during any phase of a product's life cycle.
The phases of that life cycle are design; development and production; distribution; acquisition and deployment; maintenance; and disposal.
CISA's Defending Against Software Supply Chain Attacks provides an overview of software supply chain risks and recommendations on how software customers and vendors can use the NIST Cyber Supply Chain Risk Management (C-SCRM) Framework and the Secure Software Development Framework (SSDF) to identify, assess, and mitigate software supply chain risks.