Supply Chain Security Requires Acquisition Reform, Security Experts Say

The government can make significant progress in securing its IT supply chain by following a few basic procurement practices, but most agencies have yet to adopt them, according to federal security experts.

While government leaders have recently given a lot of attention to the supply chain security threats posed by foreign vendors, officials must devote equal energy to reforming their acquisition policies so they put those warnings to good use, experts said. Those efforts require an in-depth understanding of both the government’s IT infrastructure and the countless firms in its vendor pool, they said, but today that remains a challenge for most agencies. 

“Supply chain [security] is where we were with cyber[security] maybe 15, 20 years ago,” Michele Iversen, director of risk assessment and operational integration at the Defense Department, said Tuesday during a panel at Fifth Domain’s CyberCon event. “We really don’t really have the visibility that we need to know where the threats are and what’s actually happening.”

While it’s relatively easy to stay away from high-profile companies like Kaspersky Lab and Huawei, there are hundreds of thousands of firms that do business with the government, and still more that support those vendors. Each of those firms could pose a range of potential risks—from espionage threats to poor software development practices—and procurement officials don’t always know who to trust, panelists said.

During the event, they offered a few policies that could go a long way in addressing those risks.

In the case of the Defense Department, officials do a good job vetting vendors for critical projects like weapons systems, Iversen said, but they don’t always apply the same scrutiny to more standard purchases. Expanding basic due diligence practices across all acquisitions help agencies better understand the threats they face and work around them.

She also pushed agencies to more closely examine the companies that supply their vendors, and where their products originate. Much of that information is publicly available, she said, and her team is working to build a tool that would make that data more readily accessible.

John Boyens, acting deputy chief of the computer security division at the National Institute of Standards and Technology, said agencies must gain a more holistic understanding of the critical systems within their IT ecosystem and monitor how vendors access those technologies. Government contractors should also follow suit, he said.

"These are some of those best practices that if the entire supply chain used, it would plug up a lot of those holes,” Boyens said, adding that NIST plans to release a report on supply chain best practices “in the next few weeks.”

Iversen also encouraged procurement specialists to adopt software bills of materials for the tech they buy and create “common sense” policies for using foreign tech, like banning tools from state-owned companies from mission-critical operations. She also pushed the government to increase accountability for vendors that sell dubious tech.

Panelists also noted there are a handful of technology solutions that could improve supply chain risk management, but agencies have been slow to adopt them. In the years ahead, the government could use its purchasing power to further expand the marketplace for such tools.

“Industry is waiting for demand signals,” Boyens said. “We need to start asking for some of these things before industry will actually invest in them.”