Practical Steps to Managing Supply Chain Risk

Without question, 2020 was a very difficult year for all of us. It was also a highly challenging time for government supply chains, which we depend upon for goods and services. In December 2020 alone, the supply chain received two significant pieces of bad news. First, the SolarWinds hack was made public, sending any agency with the SolarWinds Orion Software Platform in its environment scrambling to contain the damage.

In addition, the Government Accountability Office published its report on supply chain risk management, “Federal Agencies Need to Take Urgent Action to Manage Supply Chain Risks.” GAO found “[f]ew of the 23 civilian Chief Financial Officers Act agencies had implemented seven selected foundational practices for managing information and communications technology supply chain risks.”

Despite that news, the president’s Feb. 24 Executive Order on America’s Supply Chains and the National Institute of Standards and Technology Special Publication 800-53 revision 5 (which adds supply chain risk management controls) offer a perfect opportunity for agencies to focus on strengthening supply chain risk management. The challenge, as with other risk management disciplines, is often where to start, how to scale, and how to sustain a program like this. Here are some key steps to consider:

Start Small with a Cross-Functional Team

As with any new agency initiative, nothing moves forward without executive sponsorship. Establishing a supply chain risk management program will add more steps to the contract award process, and there will be bumps along the way. The cross-functional team charged with establishing the program will need key subject matter experts from across the supply chain management lifecycle (i.e., representatives from the chief information officer, chief information security officer, procurement, general counsel, and program offices), as well as an executive sponsor who is fully committed to experimenting with the process to find the right balance of risk.

This team should plan to deliver the foundational building blocks necessary for a supply chain risk management program operating at scale, and should leverage existing risk management policies and procedures that may already be in place, such as the agency's risk appetite statement. Early building blocks should include supply chain risk management policy and procedures, integration with existing risk management processes, and staff education and outreach.

Focus Forward on High-Risks First

Establishing a supply chain risk management program can certainly feel like being asked to boil the ocean. With the cross-functional team in place, basic policies established, and general risk principles agreed on by agency leadership, it’s time to experiment with the process. Agencies can accelerate the implementation of their supply chain risk management programs by focusing first on their high-risk suppliers.

Which suppliers count as high-risk may depend on several attributes and contextual factors that feed into the agency's risk analysis. Two possible areas to consider are suppliers that support agency mission-critical functions and suppliers that support high-value assets, or HVAs.

Implement and Test Supply Chain Risk Management Controls

By pointing the newly developed supply chain risk management policies and procedures first at the part of the supply chain that needs them most, agencies are well positioned to validate assumptions, modify processes, and mature an effective operational baseline. Intentionally select a cross-section of suppliers that further positions the agency to test the System and Services Acquisition controls captured in NIST SP 800-53 revision 5.

During this time, the cross-functional team should focus on monitoring the process for procedural gaps, control design weaknesses, and critical decision points. Supplier risk reviews require the participation of multiple teams. The cross-functional team should assume that some initial design assumptions are wrong and be prepared to correct them as necessary.

Deploying at Scale

The early days of a supply chain risk management program will be focused on balancing procurement speed, supplier management, and cost implications against risk-based decision making. It takes practice. Gradually, policy and procedural questions will give way to operational concerns.

Agencies will need to consider extending their existing procurement systems, governance, risk and compliance (GRC) platforms, and other software to enable supply chain risk management processes at scale. These tools are absolutely necessary as supply chain risk management matures.

The volume and complexity of data associated with tracking and managing supply chain risk will grow quickly. Data such as supplier scope, data handling, privacy issues, inherent and residual risk, and associated plans of action and milestones (POAM) must be stored, made available for reporting, and leveraged for risk-based decision making in a timely manner. Also, consider that any one vendor may have many discrete relationships with the agency, each carrying a different degree of risk to manage.

Final Thoughts

The supply chain is absolutely critical to delivering goods and services to the nation. As we have seen in recent months, it is also at risk of disruption or even critical failure. Establishing an effective supply chain risk management program is challenging. The good news is that with the right team and tools, government agencies can establish a cost-effective risk management program that effectively mitigates risk to their missions.

Russ Ficken, former Director of Agency Engagement for Cyber Security at the U.S. Office of Management and Budget, is a Director specializing in cybersecurity with Grant Thornton Public Sector LLC.