Without question, 2020 was a very difficult year for all of us. It was also a highly challenging time for the government supply chains on which agencies depend for goods and services. In December 2020 alone, the supply chain community received two significant pieces of bad news. First, the SolarWinds compromise was made public, sending any agency with the SolarWinds Orion software platform in its environment scrambling to contain the damage.
In addition, the Government Accountability Office published its report on supply chain risk management, “Federal Agencies Need to Take Urgent Action to Manage Supply Chain Risks.” GAO found “[f]ew of the 23 civilian Chief Financial Officers Act agencies had implemented seven selected foundational practices for managing information and communications technology supply chain risks.”
Despite that news, the president’s Feb. 24 Executive Order on America’s Supply Chains and National Institute of Standards and Technology Special Publication 800-53 revision 5, which adds a supply chain risk management control family, offer a timely opportunity for agencies to focus on strengthening supply chain risk management. The challenge, as with other risk management disciplines, is where to start, how to scale, and how to sustain such a program. Here are some key steps to consider:
Start Small with a Cross-Functional Team
As with any new agency initiative, nothing moves forward without executive sponsorship. Establishing a supply chain risk management program will add steps to the contract award process, and there will be bumps along the way. The cross-functional team charged with establishing the program will need key subject matter experts from across the supply chain management lifecycle (i.e., representatives of the chief information officer, the chief information security officer, procurement, general counsel, and program offices), as well as an executive sponsor who is fully committed to experimenting with the process until the right balance between risk and mission delivery is found.
This team should plan to deliver the foundational building blocks needed for a supply chain risk management program to operate at scale, and should leverage risk management policies and procedures that may already be in place, such as a documented agency risk appetite. Early building blocks should include supply chain risk management policy and procedures, integration with existing risk management processes, and staff education and outreach.
Focus Forward on High-Risks First
Establishing a supply chain risk management program can certainly feel like being asked to boil the ocean. With the cross-functional team in place, basic policies established, and general risk principles agreed to by agency leadership, it is time to experiment with the process. Agencies can accelerate implementation of their supply chain risk management programs by focusing first on their high-risk suppliers.
Which suppliers count as high-risk depends on several attributes and on the context an agency brings to its risk analysis. Two starting points are the suppliers that support agency mission-critical functions and those that support high-value assets, or HVAs.
Implement and Test Supply Chain Risk Management Controls
By pointing the newly developed supply chain risk management policies and procedures first at the part of the supply chain that needs them most, agencies are well positioned to validate assumptions, modify processes, and mature an effective operating baseline. Intentionally select a cross-section of suppliers that also positions the agency to test the System and Services Acquisition (SA) and Supply Chain Risk Management (SR) control families in NIST SP 800-53 revision 5.
During this period, the cross-functional team should monitor the process for procedural gaps, control design weaknesses, and critical decision points. Supplier risk reviews require the participation of multiple teams. The cross-functional team should assume that some initial design assumptions are wrong and be prepared to correct them as necessary.
Deploying at Scale
The early days of a supply chain risk management program will be spent balancing procurement speed, supplier management, and cost against risk-based decision making. It takes practice. Gradually, policy and procedural questions will give way to operational concerns.
Agencies will need to consider extending their existing procurement systems, governance, risk and compliance (GRC) platforms, and other software to support supply chain risk management processes at scale. These tools become essential as the program matures.
The volume and complexity of the data needed to track and manage supply chain risk will grow quickly. Data such as supplier scope, data handling, privacy issues, inherent and residual risk, and associated plans of action and milestones (POA&Ms) must be stored, made available for reporting, and used for risk-based decision making in a timely manner. Consider, too, that any one vendor may have many discrete relationships with the agency, each carrying a different degree of risk to manage.
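The two points above, prioritizing mission-critical and HVA suppliers first and keeping per-relationship risk data that rolls up to the vendor, can be made concrete with a small risk register. The code below is an added example written for this article, not an agency tool or anything the author describes; the field names, the 1-to-5 risk scale, the priority weights, the escalation rule, and the sample vendors are all assumptions for illustration.

```python
from dataclasses import dataclass


@dataclass
class Engagement:
    """One discrete vendor relationship. A vendor may have several."""
    vendor: str
    scope: str                       # what the vendor is contracted to do
    supports_mission_critical: bool  # supports an agency mission-critical function
    touches_hva: bool                # supports or has access to a high-value asset
    handles_pii: bool                # data handling / privacy consideration
    inherent_risk: int               # 1 (low) .. 5 (high), before controls (assumed scale)
    residual_risk: int               # 1 .. 5, after controls are applied (assumed scale)
    open_poams: int = 0              # open plan-of-action-and-milestones items


@dataclass
class RiskAppetite:
    """Agency risk appetite: residual risk above this needs leadership sign-off (assumed rule)."""
    max_accepted_residual: int = 3


def priority_score(e: Engagement) -> int:
    """Rank for the review queue: inherent risk, amplified when the engagement
    supports a mission-critical function or an HVA. The weights are assumptions."""
    score = e.inherent_risk
    if e.supports_mission_critical:
        score += 2
    if e.touches_hva:
        score += 2
    if e.handles_pii:
        score += 1
    return score


def review_queue(engagements):
    """High-risk engagements first; ties broken by residual risk, then by name."""
    return sorted(engagements,
                  key=lambda e: (-priority_score(e), -e.residual_risk, e.vendor, e.scope))


def needs_escalation(e: Engagement, appetite: RiskAppetite) -> bool:
    """Escalate when residual risk exceeds appetite, or when an HVA engagement
    still carries open POA&M items (assumed rule)."""
    return (e.residual_risk > appetite.max_accepted_residual
            or (e.touches_hva and e.open_poams > 0))


def vendor_rollup(engagements):
    """Per-vendor summary. Risk rolls up with max(), not an average, so one
    high-risk relationship is never diluted by several low-risk ones."""
    rollup = {}
    for e in engagements:
        v = rollup.setdefault(e.vendor, {"engagements": 0, "max_inherent": 0,
                                         "max_residual": 0, "open_poams": 0})
        v["engagements"] += 1
        v["max_inherent"] = max(v["max_inherent"], e.inherent_risk)
        v["max_residual"] = max(v["max_residual"], e.residual_risk)
        v["open_poams"] += e.open_poams
    return rollup


# Constructed sample data for illustration only; not real vendors or assessments.
SAMPLE_ENGAGEMENTS = [
    Engagement("Acme Monitoring", "network monitoring platform", True, True, False, 5, 4, 2),
    Engagement("Acme Monitoring", "help-desk chat widget", False, False, False, 2, 1, 0),
    Engagement("Cloud Host Inc", "IaaS for case-management system", True, False, True, 4, 2, 0),
    Engagement("Forms Co", "public web forms", False, False, True, 2, 2, 1),
]


if __name__ == "__main__":
    appetite = RiskAppetite()
    for e in review_queue(SAMPLE_ENGAGEMENTS):
        flag = "ESCALATE" if needs_escalation(e, appetite) else "ok"
        print(f"{priority_score(e):2d} {e.vendor:16s} {e.scope:32s} residual={e.residual_risk} {flag}")
    for vendor, summary in vendor_rollup(SAMPLE_ENGAGEMENTS).items():
        print(vendor, summary)
```

Note that the same vendor appears twice with very different risk: the monitoring platform on an HVA lands at the top of the queue and is escalated, while the chat widget sits at the bottom. The vendor-level view keeps the high mark rather than averaging the two, which is the behaviour you want when one vendor has many discrete relationships.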
The supply chain is critical to delivering goods and services to the nation. As we have seen in recent months, it is also at risk of disruption or even critical failure. Establishing an effective supply chain risk management program is challenging, but with the right team and tools, government agencies can establish a cost-effective program that mitigates risk to their missions.
Russ Ficken, former Director of Agency Engagement for Cyber Security at the U.S. Office of Management and Budget, is a Director specializing in cybersecurity with Grant Thornton Public Sector LLC.