Attacks and disruptions to complex supply chains for information and communications technology (ICT) and services are increasingly gaining attention. Recent incidents, such as the Target breach, the HAVEX series of attacks on the energy infrastructure, and the recently disclosed series of intrusions affecting DoD TRANSCOM contractors, highlight supply chain risk management as a cross-cutting cybersecurity problem. This risk management problem goes by different names, for example, Supply Chain Risk Management (SCRM) or Risk Management for Third Party Relationships. The common challenge, however, is having confidence in the security practices and processes of entities on which an organization relies, when the relationship with those entities may be, at best, an arms-length agreement. This blog post highlights supply chain risks faced by the Department of Defense (DoD), federal civilian agencies, and industry; argues that these problems are more alike than different across these sectors; and introduces practices to help organizations better manage these risks.

Protecting Key Assets

In the past, when government or business invested in a piece of machinery, appliance, or service, it could more or less expect the item to function as advertised. Checks and balances (such as licenses, warranties, regulations, legal recourse, and supplier reputation) reasonably ensured against defects or service failures. Unfortunately, such controls seem increasingly inadequate when applied to global supply chains for the complex information and communications technology--and technology-based services--that underpin critical capabilities in most organizations, especially in mission- and safety-critical operations in the US government and DoD.

Concerns about supply chain risk management in ICT include the possibility that counterfeit or maliciously tainted hardware and software might be used by an acquiring organization to its detriment. Also, organizations often face uncertain risks because of their dependence on external entities for the ongoing use and sustainment of ICT--the so-called service supply chain (Please see Supply Chain Risk Management Practices for Federal Systems and Organizations from the National Institute of Standards & Technology NIST 800-161 section 1.4, page 3 for a discussion and definition of ICT services as part of the SCRM).

Supply chain risk concerns can often seem "special" or specific to a particular industry or sector. For example, healthcare institutions must ensure that business associates with whom they share private health information will protect that information. Similarly, the defense sector has concerns about verifying the trustworthiness of subcontractors with which they may share sensitive weapons system information.

In each case, however, the essential problem is the same. The organization has key assets--financial account information, private health information, or defense systems information-- that must be protected for the organization to be successful. When the organization relies on a supply chain, it is forced to depend on processes, capabilities, and actions outside its direct control for that protection.

External dependencies can range from contracts with cloud-service providers for data storage, to reliance on public infrastructure. As part of its work on critical infrastructure cybersecurity, researchers in the SEI's CERT Division seek to help organizations by providing common ways to assess and improve external dependency management across the entire lifecycle of external entity relationships. The lifecycle includes selecting suppliers and vendors and conducting initial risk assessments, managing ongoing relationships, and planning and conducting the incident response activities needed if the organization experiences a disruption involving the external entity.

Different critical infrastructure and government sectors refer to the risk of depending on external entities to support key services by different names. The DoD frequently uses the term supply chain risk management to refer to concerns about the integrity of hardware and software, while the financial community is facing increasing scrutiny over "third-party risk." CERT researchers advocate "external dependency management" as a broad term for management activities to control the risks of these relationships.

The Realities of Managing Suppliers and Dependency Risk

Managing dependence on external entities is challenging because it is hard to verify the trustworthiness of suppliers' security practices and processes across arm's-length relationships. Typically, the most basic step taken to control risk involves the codification of security requirements into contracts and other formal agreements. However, contracts can be of limited use because of uncertainty around contractual duties, the difficulty of proving breach involving complex ICT systems, or the rate of technological change. Organizations may also simply not have an ability to really negotiate security requirements, or it may be unrealistic to expect a particular vendor to meet a very high level of cybersecurity.

Other approaches often used to mitigate this problem are simply ineffective in certain threat environments. For example, asking a vendor to complete a checklist is often unsatisfactory because either this activity does not capture the context of the particular relationship, or it only captures the state of affairs at one point in time. By contrast, building a strong relationship from the earliest stages of the supplier lifecycle can help to build communication essential to managing dependency risk. Trust can be built over time to improve communications, recognizing that suppliers' business and resource constraints drive their actions.

A sometimes overlooked--but very basic--challenge involves gathering information and establishing trusted communication with suppliers. Financial services companies, for example, are often connected to a wide array of suppliers needed for payments, clearing and settlement, data processing, communications and so on. The resource demands of managing multiple suppliers across organizational boundaries can be daunting. Organizations should start by having a good process to identify and prioritize the critical few external entities. Having identified and prioritized dependencies, the next section of this post will explore the development of requirements for those entities.

Building External Dependencies Management Practices

Establishing requirements for external entities (See also, Office of the Comptroller of the Currency Guidance on Risk Management Lifecycle.) is a foundational, essential aspect of managing dependency risk. Requirements are largely driven by the need to protect and sustain assets used to support high-value services. Requirements may also support regulations or corporate policy. For example, HIPAA requires the protection of health information, a requirement that specifically extends to business associates as defined under the law. The criticality of the service and the importance of the supplier to that service drive the requirement, for example protecting information or ensuring continuous availability. Requirements provide the basis for prioritizing and managing external entity relationships.

Of course, well-defined requirements will not change the degree to which the organization can control suppliers or drive their behavior. When organizations have little meaningful control over third parties, they must employ practices and strategies that can be controlled internally. Management practices may be characterized into three categories:

• internal practices that can be executed and directly controlled by an organization, such as using multiple vendors, limiting the type of information external suppliers are allowed to process, or accounting for the external dependency as part of response planning
• external practices that the organization requires the supplier to perform such as encrypting data, monitoring network access, or testing of business continuity plans
• cooperative activities that organizations can do in collaboration with suppliers such as conducting joint assessments of controls or the sharing cyber-threat data

Wrapping Up and Looking Ahead

In the face of increasingly sophisticated and frequent cybersecurity attacks, organizations can use a mix of internal, external and cooperative controls to help manage risks and meet requirements. Often, as trust evolves with suppliers over time, it is possible to refine the mix of supplier management strategies and build collaborative approaches to managing risks. In the case of public and shared suppliers, the use of cooperative risk management strategies can be one of the most effective means of managing risk. The DoD-Defense Industrial Base Collaborative Information Sharing Environment (DCISE) is one example of how this is currently being done, as is the Department of Homeland Security's National Cybersecurity Communications and Integration Center. It has become increasingly evident that increased collaboration including the sharing of information is needed to help organizations protect critical resources. For many organizations, relationships with partners and other outside entities are the predominant way they learn about incidents, rather than internal technical monitoring.

External dependency management is more similar than different across the public and private organizations that underpin Americans' security and economy. Organizations need opportunities to improve their capability and learn from one another. For these reasons, CERT is sponsoring a Supply Chain Risk Management Symposium on January 15, 2015 in Arlington, Va.

Additional Resources

View the webinar Lessons in External Dependency and Supply Chain Risk Management featuring CERT researchers John Haller and Matthew Butkovic.