Key Message: Organizations must manage operational risks that arise when depending on external parties to support your organization’s high value services.
Executive Summary
“One caveat of outsourcing is that you can outsource business functions, but you cannot outsource the risk and responsibility to a third party. These must be borne by the organization that asks the population to trust they will do the right thing with their data.” [1]
In this podcast, Matt Butkovic, the Technical Manager of CERT’s Cybersecurity Assurance Team, and John Haller, a member of Matt’s team, discuss approaches for more effectively managing supply chain risks, focusing on risks arising from “external entities that provide, sustain, or operate Information and Communications Technology (ICT) to support your organization.” [2] This is sometimes referred to as third party or external dependency risk.
Definitions
Supply chain risk management (SCRM), with respect to Information and Communications Technology (ICT), typically refers to the integrity of hardware and software provided by third parties. It includes such issues as counterfeit assets and those that have been maliciously tampered with.
In the financial sector, SCRM deals with managing and controlling the risks when relying on suppliers for services such as data hosting, data processing, and telecommunications.
CERT takes a broader and more holistic view and treats SCRM as the management of all external dependencies – any situation where an organization has a critical service that relies on third parties and other outside entities to provide information and communications technologies.
CriticalitySCRM is becoming increasing critical due to the following:
In today’s business climate, almost every organization relies on others (partners, suppliers, vendors, subcontractors) to provide service. One common example in the ICT space is the move to cloud service providers.
Business relationships change quickly and keeping up with cybersecurity requirements, in particular, and managing the risks associated with these can be very challenging.
The objective of this January 2015 event was to examine SCRM with key stakeholders in the public and private sectors, particularly those supporting U.S. critical infrastructures as well as those in the DoD.
The desired outcome was to exchange ideas, share best practices, and learn about important challenges. Terry Halvorsen, the acting DoD CIO, was the keynote speaker.
The morning sessions addressed SCRM at the executive and governance levels. The afternoon sessions included more detailed discussions on how organizations are managing problems and approaches that CERT is developing to address these problems.
The event confirmed that this is a pressing issue for all participating organizations.
CERT Plans
CERT is planning a series of activities to address this topic including webinars, blog posts, and podcasts. Areas of focus include:
SLAs allow participating parties to document their requirements and expectations for a specific service. That said, organizations cannot outsource risk but they can indemnify themselves and transfer/share risk.
Often organizations do not understand their exposure when entering into a third party relationship, they don’t include adequate protections, and they don’t monitor the performance of the service provider.
Organizations are often surprised to discover that the onus is on them, for example, to report lapses in service and cybersecurity incidents. One of the presentations given at the Symposium, titled “Cyber SLAs: Practice and Limitations in ‘Outsourcing Risk’,” provides guidance on how to construct smart SLAs and effectively manage the supplier relationship with respect to cybersecurity.
Some of the topics to include in an SLA are as follows:
It is critical to develop the SLA as an engineered solution to a set of documented, agreed-to requirements. But what about negotiating with the big cloud service providers such as Amazon? Their stock SLAs and contracts typically leave the consumer in a disadvantaged position but they are sometimes willing to negotiate on important topics such as:
A second Symposium presentation titled “Methods and Tools for External Dependencies Management” discussed an assessment method for managing supply chain risks as well as a companion analysis tool.
The EDM assessment is a derivative of the U.S. Department of Homeland Security (DHS) Cyber Resilience Review (CRR) to help critical infrastructure organizations assess their cybersecurity capabilities in 10 domains. Over the past 4 years, DHS and SEI representatives have conducted CRRs with over 400 critical infrastructure organizations.
The EDM assessment covers 3 domains:
The EDM assessment is a 4-hour, in-person assessment, available as a pilot at this time, and fully funded by DHS. Participating organizations incur no cost other than staff time. All EDM assessment results are considered Protected Critical Infrastructure Information (PCII), remain with the participating organization, and are not subject to the U.S. Freedom of Information Act (FOIA).
Assessment results allow organizations to better understand their current state with respect to managing risks resulting from external dependencies and to identify targeted improvements.
External Dependency Analysis Method
This Excel-based method examines a particular set of suppliers that support a specific service. Often organizations do not know what services rely on what suppliers. The method:
The results of the analysis method include graphics showing the service/supplier relationships and an impact ranking of each dependency. The intent is to allow decision makers to better track these dependencies and make smarter investment decisions when selecting security risk mitigation actions.
The assessment and analysis methods are intended to be usable, affordable, and lightweight.
The DHS CRR and the EDM methods described above have been primarily developed and used with U.S. critical infrastructure organizations in the private sector. Given their cyber resilience foundations, these methods also address needs and are usable in a defense environment.
Critical services for a financial institution may include clearing and settlement, mortgage financing, and money transfers. In a military organization, critical services may include anti-submarine warfare and ground transportation of military assets.
In each case, these are mission critical services supported by information and communications technologies (as well as electricity and transportation). So when it comes to cybersecurity and cyber resilience, the needs are the same.
Increasingly, commercial providers of IT services are entering into large scale relationships with DoD organizations to provide, for example, cloud services. This convergence and integration require us, as a using community, to have a common set of practices for managing supply chain risk particularly with respect to ICT and cybersecurity.
CERT is actively seeking opportunities to pilot these methods with DoD organizations.
Resources[1] Verizon 2012 Data Breach Investigations Report
CERT Supply Chain Risk Management (SCRM) Symposium: Addressing Government and Private Sector Challenges, January 2015.
[2] Butkovic, Matthew. “Cyber SLAs: Practice and Limitations in ‘Outsourcing Risk’,” CERT SCRM Symposium, January 2015.
Gaiser, Ross & Haller, John. “Methods and Tools for External Dependencies Management,” CERT SCRM Symposium, January 2015.Lessons in External Dependency and Supply Chain Risk Management webcast
NIST Special Publication 800-161. Supply Chain Risk Management Practices for Federal Information Systems and Organizations, April 2015.
Supply Chain and External Dependencies Risk blog, January 2015
U.S. Department of Homeland Security Cyber Resilience Review and companion CERT podcast
CERT Resilience Management Model