Who said that securing our Federal IT supply chain was an impossibility? No one. But many -- from NASA to NIST -- are noting the tremendous challenges associated with such a feat.
The innovative and global nature of today’s IT environment, with its accelerated speed and vast scale, results in a very complex and diverse supply chain. This, coupled with the en-vogue purchasing of commercial off-the-shelf (COTS) hardware and software, makes the visibility and detectability of threats in the supply chain extremely difficult. The value chains alone in this process of creating and delivering a product/service can be up to 15 times removed from a department/agency. So the struggle doesn’t lie in understanding the primary contractor; it lies in knowing the end-to-end supply chain, with its endless contractors and subcontractors, and knowing exactly who along the way ‘touches’ the product/service.
Clearly, developing a comprehensive understanding of today’s supply chain is a monumental undertaking and requires a depth and breadth of insight that could be considered endless. Many strategies and tactics need to be implemented, with much training and collaboration required of the entire team. However, before any of those efforts begin, we must build a solid foundation that enables us to effectively secure our supply chain, which requires two critical steps: 1. Developing an IT supply chain communication strategy; and 2. Implementing a standardization of practices.
IT Supply Chain Communication Strategy
First, departments/agencies must establish a communication strategy that begins with clear definitions. More often than not, the parties involved in the IT supply chain process speak different ‘languages’. “Often, within 30 seconds of a conversation about a product, it’s realized that not everyone defines the product and/or its supply chain in the same way,” says Joanne Woytek, SEWP Program Manager for NASA. This communication failure can have a profound impact, causing tremendous frustration and significant loss of time and money.
Also critical to a sound IT supply chain communication strategy is an enhanced approach to information sharing. Information is a powerful tool, and the sharing of details related to products/services, existing processes and procedures, expectations, etc. can only help improve efforts. “Contractors need to do a better job of providing departments/agencies with supply chain information,” says Woytek. “And the government needs to pay better attention to the information provided to them.” This heightened level of information sharing and awareness will help close the communication gap and lead to a more secure supply chain.
Standardization of Practices
Now, let’s talk about standards, an equally important foundational step, critical to successfully securing the federal IT supply chain. Currently, federal departments/agencies and their suppliers are using non-standardized practices, such as varying authorization criteria for accessing or modifying product information. These variations in standards, which automatically create gaps, can result in inefficiencies, ineffectiveness, and increased levels of threat. That said, the common practice of establishing standards that require multiple certifications is not necessarily the answer. So often, when such requirements are institutionalized, departments/agencies experience a loss of innovation and an increase in costs. Success here is in ‘striking a balance’, says Woytek. Federal departments/agencies and private industry need to develop a trusted vehicle for ensuring the quality and safety of products/services without endless requirements for certifications. This solution will enable the federal government to continue to experience the benefits of COTS (cost reduction, operational efficiency, economies of scale) while ensuring the integrity and security of systems, networks and data.
With a foundation built on strategy and unified effort - where everyone speaks the same language, shares information, and follows trusted procedures - the federal government will obtain a 360-degree view of its global IT supply chain and will have the tools necessary to secure it. The impact of this achievement promises to be great. So too do the efforts required to make it happen. Worthwhile? I say, yes. After all, it is our nation’s security.