This article, prepared in conjunction with AFCEA’s Technology Committee, is the third in a series of three articles addressing supply chain considerations of software and hardware. The first article is titled Securing the Federal Software Supply Chain and the second is titled Securing the Hardware Supply Chain.
The advent of the digital era has seen a progressive escalation of cyber threats targeting supply chain systems.
Supply chain professionals historically have measured success primarily through cost reductions and increased operational efficiencies. Unfortunately, this method is no longer effective on its own. As supply chain networks become more interconnected, complex and globally distributed, opportunities for disruption to the supply chain by malicious actors grow exponentially. Emerging technologies are key to securing the supply chain, starting with 5G and extending to encryption, applications, automation and robotics that ensure secure data transfer.
Government agencies are focused on improving the security of their supply chains, and many are deploying dedicated supply chain security teams to enable a more holistic view of the threat landscape. With improved monitoring across the supply chain, agencies can stay better informed as risks emerge.
A holistic approach also fuels deeper conversations between supply chain risk managers and stakeholders such as cybersecurity specialists, physical security teams and human resources. Increased collaboration and connectivity between these disciplines is critical. The definition of supply chain is ever-expanding, and an agency must think of all of its operations. Using a cloud vendor does not relieve an organization of the need to map out the data flow, the infrastructure, the software bill of materials and all the dependencies within this holistic view.
Likewise, threat intelligence services can help groups stay informed of the latest attack trends and tactics. Many suppliers seek ways to share information and help protect industries against threats.
Zero-trust security is quickly becoming another standard. Here, employees and partners are assigned only the access required to do their job. This limited-access approach helps combat the growing range of threat mechanisms and attack vectors. Employing a zero-trust approach can help enhance an agency’s information security risk management.
Agencies seek to align with supply chain security standards to protect assets. Certifications such as ISO 28000 and ISO 27001, or the use of the National Institute of Standards and Technology (NIST) Cybersecurity Framework and NIST AI Risk Management Framework, can assure that groups are taking the right steps to prevent and quickly remediate breaches. External validation and finely tuned internal controls can help confirm compliance and promote more effective certification efforts. Most manufacturing supply chains rely on automation using artificial intelligence (AI)/machine learning (ML), so ensuring these frameworks are deployed successfully is critical. By leveraging other model techniques, it is possible to establish a full chain of custody.
This takes us to the software bill of materials, or SBOM. As part of building stronger cybersecurity requirements, SBOM has emerged as key in software security and software supply chain risk management. An SBOM is a nested inventory, a list of ingredients that make up the software package, application and set of components. The SBOM work has advanced since 2018 as a collaborative community effort, driven by the National Telecommunications and Information Administration’s multistakeholder process.
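To make the "nested inventory" concrete, the following Python script is an added example (it is not part of the AFCEA article and not code from any SBOM project). It reads a small SBOM written in the CycloneDX JSON layout, resolves the transitive dependency tree from the top-level application, and flags components that ship without integrity hashes. The SBOM embedded in the script is constructed for illustration: the component names, versions and hash values are placeholders, not real packages.

```python
"""Walk a CycloneDX-style SBOM: resolve the transitive dependency tree and
flag components that lack the metadata a reviewer needs.

Added example, not code from the article or from any SBOM tool. The SBOM
below is constructed for illustration; names, versions and hashes are invented.
"""
import json

# Constructed sample SBOM using the CycloneDX JSON layout: a "components" list
# plus a "dependencies" list of {"ref": ..., "dependsOn": [...]} edges.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"type": "application", "bom-ref": "app",
                               "name": "example-app", "version": "1.0.0"}},
    "components": [
        {"type": "library", "bom-ref": "lib-a", "name": "lib-a", "version": "2.3.1",
         "hashes": [{"alg": "SHA-256", "content": "00" * 32}]},   # placeholder digest
        {"type": "library", "bom-ref": "lib-b", "name": "lib-b", "version": "0.9.0"},
        {"type": "library", "bom-ref": "lib-c", "name": "lib-c", "version": "4.0.0",
         "hashes": [{"alg": "SHA-256", "content": "11" * 32}]},   # placeholder digest
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["lib-a"]},
        {"ref": "lib-a", "dependsOn": ["lib-b", "lib-c"]},
        {"ref": "lib-b", "dependsOn": []},
        {"ref": "lib-c", "dependsOn": ["lib-b"]},
    ],
})


def load_sbom(text):
    """Parse the SBOM and return (root_ref, components_by_ref, dependency_graph)."""
    bom = json.loads(text)
    if bom.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX SBOM")
    components = {c["bom-ref"]: c for c in bom.get("components", [])}
    root = bom["metadata"]["component"]
    components[root["bom-ref"]] = root
    graph = {d["ref"]: list(d.get("dependsOn", [])) for d in bom.get("dependencies", [])}
    return root["bom-ref"], components, graph


def transitive_dependencies(graph, ref):
    """All refs reachable from ref (ref itself excluded). Iterative DFS with a
    visited set, so a cyclic dependency graph still terminates."""
    seen, stack = set(), list(graph.get(ref, []))
    while stack:
        cur = stack.pop()
        if cur in seen:
            continue
        seen.add(cur)
        stack.extend(graph.get(cur, []))
    seen.discard(ref)
    return seen


def components_without_hashes(components):
    """Refs of non-application components that carry no integrity hash, i.e.
    entries whose identity cannot be verified against a downloaded artifact."""
    return sorted(ref for ref, c in components.items()
                  if c.get("type") != "application" and not c.get("hashes"))


def find_component(components, name, version=None):
    """Refs whose name (and optionally version) match, the lookup a responder
    runs when a vulnerable package is announced."""
    return sorted(ref for ref, c in components.items()
                  if c.get("name") == name and (version is None or c.get("version") == version))


def summarize(text):
    """Return a dict summarizing the SBOM: every transitive dependency of the
    root, components missing hashes, and unresolved refs named in edges."""
    root, components, graph = load_sbom(text)
    deps = transitive_dependencies(graph, root)
    return {
        "root": root,
        "transitive": sorted(deps),
        "missing_hashes": components_without_hashes(components),
        "unresolved_refs": sorted(deps - set(components)),
    }


if __name__ == "__main__":
    print(json.dumps(summarize(SAMPLE_SBOM), indent=2))
```

Running the script prints the full transitive closure reached from the application, which is the point of the "nested" inventory: lib-b is listed once even though two components depend on it, and it is reported as missing a hash so a reviewer knows it cannot be verified against the artifact actually deployed.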