We’ve written a lot about the dangers of supply chain attacks in recent articles.
But after so many successful attacks—including arguably the most significant supply chain attack of all time in 2021—is the U.S. any safer today than it was a few years ago?
The short answer is “not really.” While there have been several attempts to ramp up software supply chain regulation, the changes that would matter most have yet to be made.
However, two major initiatives are happening right now to address this problem.
Current Initiatives for Software Supply Chain Security
There have been several past attempts by organizations like NIST to set supply chain risk management (SCRM) requirements for technology vendors that sell to federal agencies. Up to now, these attempts have lacked the ‘bite’ needed to compel significant changes to the security posture and practices of technology vendors.
In 2021, two significant initiatives began the process of mandating a higher standard of SCRM:
Executive Order 14028. President Biden’s May 2021 EO, “Improving the Nation’s Cybersecurity,” is wide-ranging and sets new requirements for federal agencies and for the technology vendors that sell to them. It requires:
- Federal agencies to move away from legacy infrastructure, adopt a Zero Trust cybersecurity strategy, and implement multi-factor authentication (MFA).
- Technology vendors who sell to the federal government to do more to secure their development environments, improve detection and remediation of vulnerabilities in their products, and publish a Software Bill of Materials (SBOM) listing the open source and commercial components included in a product.
“An executive order can’t tell private companies how to operate, it can only tell agencies who they can buy from. From early 2022, agencies will only be able to buy from technology vendors that meet certain standards, which is a positive start. In the meantime, NIST has launched the National Initiative for Improving Cybersecurity in the Supply Chain, which focuses on working with the private sector to establish SCRM best practices for technology providers.”
— Jon Boyens, Deputy Chief of the Computer Security Division, NIST
The EO also establishes the Cyber Safety Review Board, which will review major cybersecurity incidents and recommend changes to best practices, regulations, or organizations’ practices. Initially, the board will have no subpoena power, so cooperation by private organizations will be voluntary.
NIST SP 800-161. NIST is currently revamping its cybersecurity SCRM publication, which provides guidance for enterprises on “how to identify, assess, select, and implement risk management processes and mitigating controls across the enterprise to help manage cybersecurity risk in the supply chain.”
Additions to the publication guide federal agencies on assessing supply chain risk and where to find best practices to support the implementation of the controls set out by EO 14028.
Will These Initiatives Work?
While valuable, EO 14028 and the updated NIST SP 800-161 are insufficient to protect the U.S. from the dangers posed by sophisticated supply chain attacks against government agencies, critical infrastructure, and the private sector. This is for two principal reasons:
- There is still no imperative for technology vendors to improve SCRM unless they sell to the federal government.
- The legal requirements mandated by EO 14028 are not sufficient to protect the U.S. from the consequences of sophisticated supply chain threats.
The requirements oblige technology vendors to meet a minimum security standard only if they sell to the federal government. This leaves the wider U.S. economy unprotected and does not go far enough to shield federal agencies and critical infrastructure from supply chain threats like those we have already seen.
Further, both EO 14028 and NIST SP 800-161 continue to place the burden of verifying that a supplier meets a given standard of SCRM on the buyer. This approach has already been shown not to work.
A 2019 analysis of defense contractors found that zero percent complied with all controls from NIST SP 800-171, and the average contractor was compliant with just 39 percent of controls. At that point, NIST SP 800-171 compliance had already been required of defense contractors for two years. This failure was the motive for implementing the Cybersecurity Maturity Model Certification (CMMC), which requires contractors to be audited for compliance before bidding on DoD contracts.
Without similar enforcement, the standard of SCRM within U.S. supply chains is unlikely to reach the bar set by EO 14028 and NIST SP 800-161.
Protecting the U.S. From Software Supply Chain Attacks
Our new white paper, ‘Protecting the U.S. From Supply Chain Attacks,’ explains why technology vendors are frequently the weak link that allows criminal and state-sponsored hacking groups to access sensitive data and systems, conduct espionage, and disrupt operations. To protect against the dangers of supply chain attacks, technology vendors must have a legal obligation to uphold a minimum standard of SCRM.
Download the report to learn:
- Why President Biden’s Executive Order and new publications from NIST and CISA aren’t enough to protect the U.S. from supply chain attacks.
- What consequences a supply chain attack could have for federal agencies, state governments, and even private organizations.
- The risk posed by unregulated technology vendors and why it’s unrealistic to expect buyers to shoulder the burden of vetting every supplier’s SCRM capabilities.
- Our proposed approach to address supply chain risk in the U.S. and how regulators could structure a legal framework for SCRM.
March 15, 2022