Sponsored: Secure Federal Environments Depend on Secure Supply Chains
Integrity of the information and communications technology (ICT) supply chain is essential to protecting critical federal missions and important agency data. Because supply chains are global, product design, development, manufacturing and delivery are increasingly complex, and large volumes of data are shared across an expansive third-party supplier ecosystem, the supply chain has become a significant threat vector that raises risk to our government. The confidentiality, integrity and availability of our nation’s sensitive data can be at stake as a result.
Given the importance of supply chain risk management (SCRM), it is encouraging to see new Federal efforts creating an interlock between proper supply chain controls and Federal acquisition policy. Congress’ creation of the Federal Acquisition Security Council was an important step: it enables the Federal government to act to mitigate supply chain risks, for example through exclusion or removal orders for risky technologies, while also encouraging joint industry-government collaboration to identify supply chain best practices and incentive structures for their adoption.
Ensuring supply chain integrity requires rigorous vetting of supply chain partners, highly controlled collaboration and stringent risk management procedures. Palo Alto Networks’ practices for cyber supply chain management, recently highlighted by NIST, present a thorough approach to establishing and maintaining a secure supply chain:
- Manage end-to-end risk: Vendors should identify supply chain risks early in product development and adopt a defense-in-depth strategy across the full lifecycle: design, sourcing, manufacturing, fulfillment and service. This requires leadership commitment and cross-organizational collaboration focused on end-to-end risk management.
- Engage with proven manufacturers: Vendors can simplify cyber supply chain risk management by working with suppliers that have strong security postures themselves and are proven to impose stringent security requirements and risk management in their own supply chains. ISO 9001 certification indicates mature quality management processes, and U.S. Customs and Border Protection's Customs-Trade Partnership Against Terrorism (C-TPAT) certification indicates a focus on supply chain security; together they are useful markers when selecting manufacturers. NIST has also identified acquisition and procurement preferences as leverage points for federal agencies seeking to ensure that vendors apply risk-based decision-making toward product integrity. Adopting this practice will significantly strengthen the security of important government IT acquisitions.
- Tightly manage supplier relationships: Before onboarding, vendors should thoroughly vet all supply chain partners through a formal security assessment that incorporates best practices and standards such as the NIST Cybersecurity Framework and/or ISO 28001. The assessment should include physical inspection of the supplier’s facilities and processes. The results can be used to evaluate suppliers, inform product design decisions, confirm the supplier’s business viability, qualify its security posture and minimize compliance risk. Proactive technical engagement is important to help suppliers develop their internal cybersecurity and SCRM capabilities. Assessments should be repeated annually or more often, given the continually shifting threat landscape.
In addition, strong collaboration and data-sharing practices, such as a formal product release process that governs the handling of sensitive data, help control and trace access to intellectual property like design specifications or bills of materials. Vendors should also obligate suppliers to disclose security incidents, data loss and newly discovered vulnerabilities so they can be acted on quickly.
- Formalize incident response and recovery: Vendors should apply traceability controls such as serial numbers and lot and date codes so that, if an incident occurs, the affected components can be readily traced. Sourcing components through multiple, well-vetted suppliers can mitigate the impact of supply disruptions. Each vendor must have a formal incident response plan and requirements for suppliers to cooperate with it.
- Practice continuous improvement: Vendors should also factor continuous improvement into their end-to-end security framework. Visibility into changes in the threat landscape is critical to determining how products need to be improved. Instituting a corporate security council, composed of cross-functional team representatives, is a useful mechanism for formalizing oversight of each function’s security measures. The security council can then document and track progress on the security program’s development, readily identify weaknesses that need to be addressed, and impose a timeline to do so.
- Embrace public-private partnership: Vendors that work with the government can amplify their contribution by voluntarily participating in public-private partnerships. This will increase collaboration and deepen the understanding necessary to make sound recommendations about strong supply chain security. As an example, Palo Alto Networks participates in the Department of Homeland Security’s Information and Communications Technology Supply Chain Risk Management Task Force as an executive committee member. The task force develops recommendations for both government and industry to adopt robust supply chain and cybersecurity practices.
We believe any company seeking to do business with the Federal government has a responsibility to ensure its technologies are the product of a strong supply chain. New acquisition policy is emerging that will not only require increased SCRM maturity but also incentivize these efforts, such as the ICT SCRM Task Force’s work on qualified bidder lists for vendors with strong supply chain practices. It all starts with a rigorous, well-defined, end-to-end supply chain risk management process. Palo Alto Networks is proud to be a leader in this strong security practice.
As the global cybersecurity leader, Palo Alto Networks is committed to raising the bar on best practices for cyber supply chain management, for ourselves and for the industry. Our efforts also extend to stringent source code and product integrity protections, and to certifications such as FedRAMP, to meet and exceed US government standards. For more information, contact us at FedTeam@paloaltonetworks.com.