CISA task force releases top 190 Supply Chain Security Threats

The Cybersecurity and Infrastructure Security Agency (CISA), a sub-agency within the Department of Homeland Security (DHS), recently released a report providing recommendations on combatting emerging threats to the federal technology supply chain. The report is a summation of the work conducted by the agency’s Information and Communications Technology Supply Chain Risk Management Task Force, which has operated for the past year. The report comes hot on the heels of recent DoD policy changes mandating contractors formalize approaches to supply chain risk.

The task force behind the report is comprised of a mixture of federal and industry expertise. Interos contributed to the task force as one twenty participating organizations whose expertise was credited with helping meet the “fundamental challenge of securing the ICT supply chain, an important homeland and national security priority.”

Their guidance coincides with the DOD’s mandate to incorporate supply chain risk management in RFP responses, and the release of a cyber security maturity standard. The report articulates that there are significant policy and organizational barriers preventing effective information sharing regarding bad actors and other supply chain threats. These include:

  • Product-based risks like counterfeit goods, device impersonation, and malicious code insertion
  • Organizational risks like insider threats or physical harm to people and products within the supply chain

The report also articulates risks that are unique to SCRM, specifically highlighting a lack of uniformity around delivery mechanisms for information. The report articulates that actionable intelligence regarding supply chain risk often contains sensitive information that is difficult to legally disseminate.

Threat Inventory

Another working group with the task force focused on leveraging National Institute of Standards and Technology (NIST) risk management methodologies to analyze identified threats and create a threat inventory, creating 9 threat categories. They are:

  1. Counterfeit Parts
  2. Cybersecurity
  3. Internal Security Operations and Controls
  4. Compromise of System Development Life Cycle (SDLC) Processes and Tools
  5. Insider Threat
  6. Inherited Risk (Extended Supply Chain)
  7. Economic
  8. Legal
  9. External End-to-End Supply Chain

190 Supply Chain Threats

The report further identified 190 specific supply chain threats which have yet to made public due to their highly sensitive nature. The task force further outlined 40 scenarios aligned to the 9 threat categories. John Miller, co-chairman of the task force stated that “In building out those scenarios, several categories were considered by the group, including the interplay of particular vulnerabilities in that context: business impacts, potential business mitigation strategies and controls,” Miller said. “It was a very contextual analysis for each of them” according to an interview with the Federal News Network. The task force also created a draft report including analysis of differing approached to supply chain assurance alongside examples of existing supply assurance programs.

Additionally, the report highlights proposed evaluation criteria for creating lists of Qualified Bidders and Manufacturers (QBL/QML) that factor in supply chain risk. The factors include:

  • Amount an entity spends on a covered article
  • Market conditions of the covered article
  • Importance of the covered article to the goal/mission
  • Frequency of known attacks to or through the covered article or its supply chain
  • Probability of threat or the likelihood of an attack to the supply chain.
  • Level of Control over the Manufacturing and Distribution of the covered article.
  • Volume of known vulnerabilities in the covered article or in common configuration(s) of the covered article
  • Ease of compromise/vulnerability of the covered article
  • Existence of standards applicable to the covered article (NIST, ISO, etc.)
  • Existence of policy mechanisms applicable to the covered article
  • Liability if the covered article is compromised

The report highlights both the importance of, and inherent challenges to, supply chain risk management activities. Federal agencies and their contractors need comprehensive solutions to manage the risk in their digital and physical supply chains. The best way to mange this risk is by leveraging intelligent technologies that can effectively and securely ingest and communicate relevant supply chain risk information in a manner that’s timely enough to enable decisive action.

DoD makes supply chain risk management required for contractors

The Department of Defense issued a corrected class deviation 2018-O0020 which immediately “removes the sunset date at DFARS 239.7300(b) and changes the statutory citations in DFARS subpart 239.73 from section 806 Pub. L. 111-383 to 10 U.S.C. 2339a.” The changes mark the increasing importance of managing supply chain risk for DoD contractors who supply “covered item[s] of supply” and “covered systems.”

Ok, what?

Before we get into these incredibly important changes, it’s worth knowing what a “covered item” is per the DFARS. The recently published deviation defines them as “an item of information technology that is purchased for inclusion in a covered system and the loss of integrity of which could result in a supply chain risk for a covered system.”

Ok…so what’s a covered system?

The definition’s a bit long, but it includes any system involved in military or intelligence activities beyond administrative and business applications. Basically, any IT or telecommunications system that’s critical to national defense aka the U.S.’s most-sensitive technology.

What’s changed about these systems?

The government is now evaluating supply chain risk on any contractor or entity working on or interested in working on these systems. That makes this a huge deal to basically everyone in the defense contracting industry.

Supply chain risk sounds kind of vague. 

Sure, but that’s because it’s both incredibly broad and incredibly important. The govt has helpfully defined it as “the risk that an adversary may sabotage, maliciously introduce unwarranted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system so as to surveil, deny, disrupt, or otherwise degrade the function , use, or operation of such a system.”

Ok, so what’s changing immediately?

The biggest, most immediate change will be to all solicitations that fall under the governance of the DFARS, which means any work being contracted out by the DoD. The government specifically states that the provision will be included “in all solicitations…for the acquisition of commercial items, for information technology, whether acquired as a service or as a supply, that is a covered system or is in support of a covered system…” The provision also states that “in order to manage supply chain risk…the Government may consider information, public and non-public, including all-source intelligence, relating to an offeror and its supply chain.”

So, the Government is now assessing me on this?

Yes! Supply chain risk and security measures are now, explicitly and mandatorily, part of their evaluation criteria on any bid to work on a covered system. The government is also imbuing itself with the authority to consider any and all information it can find as part of that assessment. That means that if you’re failing to provide information or evidence of your attempt to mitigate supply chain risk, the government will check for you. And any action they take to limit the disclosure of information is explicitly not “subject to review in a bid protest.”

But how do I do that?

There’s only one solution that enables you to fully assess supply chain risk, to provide the government with full evidence of your ability to limit sabotage, maliciously introduced unwanted function, and subversion of the design, integrity manufacturing, production, etc.

Only one solution on the market today illuminates and fully maps the tiers and sub-tiers of your suppliers to fully uncover any unknown companies or countries involvement. Only one platform provides continuous monitoring of all these factors with near-real-time alerts, enabling you to know about a supply chain risk as soon as it’s introduced.

Interos.

Interos, with AI technology, ingests over 85,000 dynamic and changing aggregated data sources and currently monitors the ripple effect of over 225 million events across more than 15 million suppliers for our customers every month. The data is run through our proprietary algorithms to provide up to date visualizations of your ecosystem, risk health scores for your suppliers and insights tailored to each user and company.

Government Agencies already use Interos to:

  • Maps the tiers and sub-tiers of your suppliers to uncover unknown company and country involvement
  • Assess and monitor the risk of existing suppliers and their supply chains
  • Provides Health Scores for each business
  • Delivers 24×7 near real-time continuous global monitoring

The DoD has spoken. Are you listening?

What’s your supply chain security program level?

Photo by Jirsak from Getty Images Pro

Businesses love a good process assessment. You can’t shake a proverbial stick without hitting an ISO, CMMI, or Six Sigma seal. There’s good reason for this too: common standards provide an easy verification of an organization’s efficiency, maturity, and long-term stability. Of course, there’s no guarantees but standardization is provably helpful. For example, a study of the defense contracting industry found that organizations with a high maturity level spend about half the time on software defect testing as their less-mature competitors.

A recent SANS whitepaper co-sponsored by Interos articulates the various stages of maturity for a supply chain security program. The levels or patterns articulated below reflect the various possible stages of a company’s supply chain security program, and postulates where they might go next.

Stage 1 – Greenfield: The organization lacks concrete processes and policies for supply chain management and has little-to-no overarching strategy. Frequently organizations have policy mandates supply chain security processes but lack any actual implementation. This includes organizations with formalized supply chain management practices that fail to incorporate security leadership,

Stage 2 – Reactive: The organization has not integrated their security group into supply chain or procurement processes, but they routinely catch third-party vulnerabilities through standard security activities like vulnerability scanning, penetration testing, etc.

Stage 3 – Evaluation Participant: Most organizations acknowledge that granting third-party organizations direct access to their IT systems and networks is a massive security risk. An organization in this development stage has incorporated security considerations into their vendor evaluation process. However, once the vendor is approved the security group is no longer tasked with continuously monitoring vendor activity, or the security group lacks the capacity to continuously assess vendor security posture.

Stage 4 – Continuous Risk Monitoring and Evaluation: In this stage, an organization has fully integrated their security team into the vendor evaluation and due diligence process. The security team has tools in place to monitor, assess, and mitigate potential threats from suppliers. The organization has processes and policies in place that can scale alongside the organizations growing (or shrinking) supply chain.

Stage 5 – Stable Supply Chain Security Program: At this level of maturity the organization’s security program is both formalized and effective, at least at dealing with known security risks. However, their apparatus performs poorly when confronting unknown supply chain threats and is inefficient at continuously evaluating vendor security posture.

Stage 6 – Adaptive, Proactive, Supply Chain Security Program: The apex of supply chain security; a smooth process that thoroughly integrates the security and supply chain functions across the enterprise with minimal friction. At this stage the organization is capable of continuous vendor risk monitoring and can act both proactively and predictively, recognizing vendor risk not just from direct suppliers but from suppliers down to the nth tier.

But how do I know what stage my business is at?

Evaluating the maturity of your own enterprise, without the help of a formalized process or professional assessment team is naturally difficult. But the best way to assess the health of your supply chain security (and to improve that security) is by fully mapping your supply chain. Understanding who you’re doing businesses with, and who they’re doing business with, and so on down to the Nth tier is a crucial step in validating the security posture of your supply chain.

OK, but how do I do THAT?

The simplest, least-disruptive solution to mapping your supply chain is an automated tool. Traditional, manual solutions for supplier identification and tracking are adequate when initially introducing a supplier to your ecosystem. But these solutions are utterly incapable of tracking changes in that supplier’s security posture in anything approaching real-time. Which is a problem, as SANS researcher John Pescatore articulates in his whitepaper, to achieving high-level supply chain security maturity.

But I don’t have an automated tool!

You don’t have one yet. That’s where Interos comes in (a shameless plug, I know). But there’s a reason we’re bereft of shame here: our product solves this problem. Interos is the only AI-powered due supply chain assessment/risk management tool on the market (trust us we checked) and is designed to evaluate the security and overall health of your supply chain. Using the power of machine learning, clever engineering, and elbow grease Interos discovers, visualizes and assesses your suppliers and their supply chains, providing real-time scores across 5 health factors to deliver a continuous monitoring solution.

That means knowing exactly where you and your suppliers and their suppliers stand at all times, without pesky paperwork or pricey due diligence. Our platform ingests data from over 85,000 sources in near-real time. This enables organizations to maintain constant awareness of their supply chain security posture with minimal effort. No time wasted forming discovery committees, eating bad sandwiches at catered meetings, or figuring out implementation costs. Just sign up for Interos and watch the insights roll in!

Learn more about the importance of maintaining supply chain security by reading the SANS Institute’s recent whitepaper on the subject and at Interos.ai.

The modern due diligence problem

Photo by designer491 from Getty Images Pro

Due diligence is an essential function of major modern business transactions. Fundamentally, businesses need to know who they’re buying from or just who they’re buying. But in an era of growing supply chain complexity, where companies rely on hundreds or even thousands of suppliers, the task of performing due diligence has correspondingly increased in difficulty.

Traditional, manual processes for assessing potential vendors and business partners are costly and often ponderous. Teams of analysts can scarcely keep pace with the preponderance of relevant available data. Typically, due diligence means assessing a partner for things like capacity, resiliency, and the following factors:

Quality – Are you sure you’re receiving what you’ve paid for? Businesses typically rely on their suppliers to accurately self-report on the authenticity of their products. Furthermore, U.S. customs only inspects about 3% – 5% of cargo shipments for counterfeit products. Companies need to know if their end-product contains what it’s supposed to, particularly if they’re selling to a government agency, where counterfeit parts (particularly those of possibly foreign origin) represent a threat to national security.

Ethical Behavior – Both consumers and regulatory agencies have demonstrated increased concern over possible unethical behavior in businesses supply chains. According to a recent survey, 76% of Americans will not buy from a company that they believe to be unethical. Similarly, the EU recently issued a warning to Thailand threatening to bar Thai seafood from the EU unless the country took steps to end the trafficking of migrant workers within the nation’s robust seafood industry. No matter how you look at it, procuring from organizations with ethical liabilities can affect your bottom line from both reputational damages, and the expense associated with discovering and signing a replacement supplier.

Security – Admitting a business you lack total awareness of into your supply chain is a security risk. A 2018 study found that 59% of organizations have fallen victim to breaches caused by a supplier. Growing use of technologies that offer new avenues for cyber-attacks, like Internet of Things (IoT) devices, mean that potential vulnerabilities are only growing. Knowing if a supplier has been hit before that attack has a chance to affect your business could mean a great cost-savings.

Financial Stability – A supplier is only as valuable as they are consistent, and their financial health directly correlates with their ability to deliver promised goods or services. Suppose a 3rd tier supplier suddenly runs out of the capital necessary to run their enterprise. No matter how far down the chain they are, your operational continuity is still at risk.

These aren’t the only benefits to due diligence. A 2016 study conducted by the Columbia School of International and Public Affairs found that proper due diligence confers a host of other benefits, such as:

  • Increased total shareholder returns. Companies that consistently measure responsible business activities outperformed peers on the FTSE 350 when it came to total shareholder returns by 3.3% – 7.7% annually
  • Reduced Legal costs. Businesses legal costs range from 3% – 10% of annual revenues.
  • Lower Turnover. Organizations that are thought to be committed to Corporate Social Responsibility (CSR) are better at attracting and retaining employees, reducing the costs associated with high turnover (training, recruitment, etc.)

But how can you realize these benefits without paying the steep cost associated with hiring a traditional third-party risk assessor? Fully mapping your supply chain is an essential part of proactively addressing risk, but how do you contend with the sheer volume of available data?

Learn how by reading our upcoming whitepaper on the subject and at Interos.ai.

How the biggest brand in the world grapples with ethical sourcing

Traditionally, most businesses’ supply chain concerns revolve around concrete practicalities: availability, costs, vendor stability and other elements that directly impact the bottom line. However, in recent years growing consumer awareness and concern over the sourcing of products and services has increased business concern over a less traditional concern: ethics.

Now more than ever, people care about where their products come from and companies have been forced to address these concerns or face reputational damage and possibly regulatory punishment. According to the Ethical Investment Research Service (EIRS), a news article detailing a company’s exposure to an ethical concern can cause that company’s share price to fluctuate by between 0.5 and 3 percent. Public outcry, regulatory actions, and investor concern can all domino into costly production delays as suppliers scramble to secure more ethically sourced replacements. According to Abe Eshkenazi, CEO of the Association for Supply Chain Management (APICS), “supply chains that rely on items produced because of slave or child labor, for example, aren’t sustainable. The minute a company uncovers that its supply chain is compromised in this manner, it faces the possibility of a complete overhaul. That’s expensive and could create production delays.”

No business, no matter how successful, is immune to the scorching heat of consumer and regulatory ire over unethical sourcing, not even the Forbes-ranked most valuable brand in the world: Apple Inc. Even the smartphone titan has been forced to radically restructure its supply chain, in large part due to ethical concerns that prompted regulatory and consumer action. While the challenges Apple faces corporation are unique in scale, almost every business on the planet must reckon with the challenge of finding ethically and sustainably sourced components.

Foxconn & Labor Issues
For example, Foxconn, one of Apple’s chief manufacturers, has been the subject of a voluminous amount of negative press coverage due to lapses in ethical conduct. These include hiring underage interns (in direct violation of Chinese and international labor laws), financially penalizing employees for minor mistakes, and inhumane factory conditions. Foxconn’s grueling labor practices have stimulated strikes and factory brawls which have led to temporary plant closures and disruptions to Apple’s supply chain.

The negative press attention from Foxconn’s slipshod adherence to labor regulations also prompted Apple to dedicate additional resources to their “Supplier Responsibility Program,” which in 2018 conducted 1,049 supplier assessments in 45 countries. These supplier assessments have led to Apple severing business ties with over 20 major suppliers who have been found to be in violation of their Supplier Code of Conduct. One of the major infractions Apple has had to police in their supply chain is the use of debt-bonded labor (a dry and marginally more savory way of referring to indentured servitude) and supplier recruitment fees (exorbitant sums charged by recruiters to new hires). Apple took action in concert with local governments to force companies in its supply chain involved in these ethical violations to return $30 million in supplier recruitment fees to affected employees. Ultimately, the company was left with holes in its supply chain and its own considerable legal expenses.

Cobalt Rush
Megalithic corporations like Apple must also be wary of ethical concerns among their lower tier supplier. The tech company relies on cobalt for its operations—the 27th element is a necessary component of the lithium-ion batteries found in smartphones (and just about everything else) and presents numerous ethical concerns.

Over 60% of the world’s cobalt is produced in the Democratic Republic of Congo (DRC), much of it from artisanal and small-scale mining (ASM) operations that have come under fire from Human Rights organizations like Amnesty International for inhumane labor practices. This public outcry prompted Apple to terminate its relationship with ASM mining outfits in 2017. This was a costly move at the time given the skyrocketing demand for cobalt. The element has since fallen dramatically in price thanks to a surge in supply.

It’s worth noting that these challenges aren’t unique to Apple: every one of the major smartphone manufacturers contends with the same problems. The complexities of ethical supply chain policing are almost inconceivably vast for this industry, whose products involve numerous rare earth minerals that must be refined and separately manufactured across a web of hundreds of suppliers. But the core issue is one shared by almost any business: people, businesses, and governments care more than ever before about the optics of what they sell, and nobody wants even the appearance of unethical behavior clouding their image.

Apple’s CEO Tim Cook recently signed a statement alongside the CEOs of 191 of America’s largest companies as part of the Business Roundtable which further committed Apple and the other signatories to prioritizing “dealing fairly and ethically with [their] suppliers” over promoting shareholder value, a further indication that the pressure to ethically and responsibly source is not easing. That’s why maintaining awareness of your suppliers, and your suppliers’ suppliers, and your suppliers’ suppliers’ suppliers, is vital to operating as a business today. If it matters to the biggest brand on the planet, it matters to your business too.

Learn more about ethical sourcing, sustainability, and monitoring your supply chain at Interos.ai