Shows & Panels
- The 2014 Big Picture on Cyber Security
- AFCEA Answers
- Ask the CIO
- Connected Government
- Consolidating Mission-critical Systems
- Constituent Servicing
- Continuous Monitoring: Tools and Techniques for Trustworthy Government IT
- The Data Privacy Imperative: Safeguarding Sensitive Data
- Eliminating the Pitfalls: Steps to Virtualization in Government
- Federal Executive Forum
- Federal Tech Talk
- Government Cloud Brokerage: Who, What, When, Where, Why?
- Government Mobility
- Mission-critical Apps in the Cloud
- Mobile Device Management
- The Modern Federal Threat Landscape
- The Path from Legacy Systems
- Understanding the Intersection of Customer Service and Security in the Cloud
Shows & Panels
Lawmakers push DoD, Energy for answers on IT supply chain security
Wednesday - 3/28/2012, 5:21am EDT
"IT supply chain related threats can be introduced in the manufacturing, assembly and distribution of hardware, software and services," said Greg Wilshusen, the director of security issues for the Government Accountability Office, Tuesday during a hearing before the House Energy and Commerce Subcommittee on Oversight and Investigations. "These threats include the insertion of harmful or malicious software and hardware, installation of counterfeit items, disruption in the production or distribution of critical products, reliance on unqualified or malicious service providers and installation of hardware or software containing unintended vulnerabilities."
Greg Wilshusen, director of security issues, GAO
Wilshusen said DoD is the most advanced, but the other three are just in the beginning stages of their efforts.
"Three of the agencies had not fully addressed federal guidelines," he said. "These guidelines recommend agencies for their high impact systems define supply chain protection measures, develop procedures for implementing them and monitor their effectiveness. Energy and Homeland Security have not yet taken these steps. While Justice has defined supply chain protection measures, including a foreign ownership control and influence review, it has not yet developed implementing procedures or monitoring capabilities."
That worries committee lawmakers.
"I was troubled to find the GAO concluded that DoE had not developed clear policies or defined what security measured are needed to protect against supply chain threats," said Rep. Cliff Stearns (R-Fla.), chairman of the subcommittee. "There appears to be no integrated response among the federal IT enterprise to address the supply chain risk. Agencies are left to their own devices to address this risky and complex threat. I find this very troubling."
Pentagon expanding pilot program
DoD, on the other hand, has been trying to address the security of its supply chain for at least four years. Former Defense Deputy Secretary William Lynn mandated supply chain risk management pilots in 2009 and 2010, and full implementation by 2016 for all national security systems.
"DoD is currently incorporating lessons learned during the piloting phase into permanent policy and practice," said Mitchell Komaroff, the director of Trusted Mission Systems and Networks within the Office of the DoD Chief Information Officer. "First the Defense Intelligence Agency mission to support DoD acquisition with supply chain threat analysis has been made permanent in DoD policy. To date, the DIA has performed approximately 520 analyses for DoD acquisition programs."
The Pentagon also is requiring programs to integrate criticality analysis, use of supply chain threat information, supply chain risk management key practices and hardware and software assurance into program protection.
Mitchell Komaroff, director, Trusted Mission Systems and Networks, Office of Chief Information Officer, DoD
Lawmakers now want to apply similar rules for civilian agencies. The Cybersecurity Act of 2012 would require agencies to make sure they buy genuine products from vendors with a secure supply chain.
The Obama administration also is focusing on securing the supply chain. DHS released a national strategy to secure the supply chain in January.
Wilshusen said the biggest threats all agencies face are introduction or insertion of malicious code and the integration of counterfeit items in systems.
A Commerce Department survey of 387 defense industrial base companies in 2010 found 39 percent of them said they encountered counterfeit electronics during a four-year period, and the number of incidents increased 140 percent between 2005 and 2008 to more than 9,000 in 2008 from 3,800 items in 2005.
Another report by GAO released this week found counterfeit parts were rampant in the DoD supply chain. Of the 16 parts requested by auditors from DoD suppliers, none were legitimate.
Komaroff said DoD's strategy for achieving trustworthy systems in the face of supply chain risks includes four principles:
- Prioritize scare resources based on mission criticality
- Planning for comprehensive program protection by identifying critical components and protecting them from supply chain risk informed by all-source intelligence.
- Improving DoD's ability to detect and respond to vulnerabilities in programmable logical elements
- Partnering with industry
"The difficulty of mounting and defending against supply chain exploitation focuses supply chain risk management on sensitive, mission-critical systems," Komaroff said. "Accordingly, DoD policy levies additional risk management policies and processes on national security systems. Supply chain risk management represents a sea change in the acquisition process. It requires new institutional relationships between the acquisition and intelligence communities, and the application of operational security to processes that historically we have sought to make transparent. It also requires engineering and test and evaluation capabilities that still the subject of ongoing research."
DoD also led the development of a new policy by the Committee on National Security Systems. The CNSS 505 adopts concepts, lessons learned and strategy elements from the DoD's supply chain risk management (SCRM) strategy and issuances, including elements of the incremental approach to implementing SCRM.
Within the first year after the policy is issued, agencies are to develop an initial SCRM capability, and within six years of the issuance's publication's, agencies are to have developed a full-scale SCRM capability to protect their national security systems. This model has been successful in the DoD, and through lessons learned has set the stage for a successful implementation by interagency.
DoE just getting started
Energy also is trying to address the supply chain risks through the acquisition process.
Gil Vega, the DoE chief information security officer, said his office is developing a supply chain cybersecurity policy.
Gil Vega, chief information security officer, DoE
Vega added his office has issued architecture frameworks that tell business and system owners to account for supply chain risk as part of their overall risk assessment process.
He added Energy also is working closely with its suppliers. A new strategy development effort just got underway this month.
"Some of our vendors have programs to vet their supply chains and some do not," Vega said in response to questions from Rep. Phil Gingrey (R-Ga.). "We are embarking on the process of developing explicit direction to our IT purchasers across the department to do exactly that."
Despite all this concern and effort, neither Vega nor Komaroff said they could point to a cyber problem directly related to the supply chain.
Komaroff said supply chain risk is difficult to discern. Even with weaknesses in a product, he said they can be explained either by a security related defect or failure to close engineering-type back doors.