When it comes to cyber supply chain risk management (C-SCRM), what does good look like?
For suppliers and customers alike, the question is especially vital for any industry doing business with the government. Software vulnerabilities can have a devastating impact on defense systems, critical infrastructure, and national security.
The U.S. government has been a leader in forging guidelines and policies, including the requirement that suppliers produce a software bill of materials (SBOM) that details all components of the software. Agencies like the National Institute of Standards and Technology (NIST) offer further resources and bolster the National Cybersecurity Strategy.
JC Herz, SVP of Cyber Supply Chain Risk Management at Exiger, recently led a panel discussion with leaders in government and industry about key issues in building a trusted software supply chain. Some of the key themes that emerged were cooperation, the criticality of SBOMs, and prioritizing investment to build supply chain resilience.
Cooperation Makes for Good C-SCRM and Trusted Suppliers
To effectively manage risks in a software supply chain, cooperation is vital. It happens on many levels, starting with the government’s guidelines (like SBOM standards, Section 889 or Executive Order 14028), but industry partners are critical for implementing change and driving progress widely. A great example is how the FDA has worked with medical device makers to deliver cyber supply chain visibility.
“The FDA partnered with industry on a lot of issues with regards to how to bring SBOMs into that particular supply chain, how to work with that information and make sure that we know what’s in a medical device,” said Jeanette McMillian, Assistant Director, National Counterintelligence and Security Center (NCSC). “So while we’re not dealing with medical devices every day here in the national security arena, we are certainly taking a clue from that particular industry and how they’ve been able to partner with the champions in the medical industry.”
Cooperation is also key for suppliers and sets a path for good C-SCRM, as risk auditors need to work cross-functionally with dev teams, legal, security and procurement. Christine Halvorsen, Managing Director of Protiviti, described it as a “cultural hurdle” that’s hard to get over when technologists are rushing to innovate with new technology and then risk officers show up later and demand retrofits — which ends up slowing the development process further.
“You can’t count out your chief risk officers, right?” She added: “You can’t bring them in at the end of the project and say, ‘Hey, now I want you to come in and look at what we’ve built before we deploy it to see what risks are here.’ That conversation has to start at the beginning of that DevOps process.”
The Software Bill of Materials (SBOM) Is a Matter of Good Cyber Hygiene
SBOMs reveal important information for the customer, like end-of-life fragilities or even that the code is maintained by just one person. An SBOM can show you that “what’s bright and shiny on the outside may be brittle and moldy inside,” Herz said.
SBOMs are still relatively new, and there’s still room for wider adoption and implementation, particularly in the private sector. Leadership from the #1 company in the Gartner Supply Chain Top 25 for 2023, Schneider Electric, talked about the journey to become a trustworthy supplier to the U.S. government. Cassie Crossley, VP of Supply Chain Security, Schneider Electric, stressed that SBOMs work best for risk management “as long as a team has a cybersecurity architect who can understand the concept and the tools to be able to review some of the risks that it may present.”
“Doing it just for a checkbox isn’t very valuable; other than you can prove, okay, that person does know what an SBOM is,” she added.
Moving beyond the SBOM checkbox can also mean committing to regular maintenance and monitoring.
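As an added illustration of the kind of review Herz and Crossley describe (this is example code, not Exiger's or Schneider Electric's tooling): a small Python script that parses a constructed CycloneDX-style SBOM and joins it against a constructed risk catalog to flag components that are end-of-life, maintained by a single person, or absent from the catalog altogether, and that also reports whether the SBOM itself is stale. The SBOM, the catalog, the 90-day freshness policy and every package name are assumptions made for this example. An SBOM only lists what is in the software, so the end-of-life and maintainer data has to come from outside it, which is exactly why the review needs someone who understands both the format and the risks.

```python
"""Review a CycloneDX-style SBOM for component-level supply-chain risks.

Added example, not code from Exiger or any panelist's organisation.
Everything below (SBOM, catalog, policy numbers) is constructed.
"""
import json
from datetime import date, datetime

# Constructed minimal CycloneDX-style SBOM (no real product is described).
SBOM_JSON = """
{
  "bomFormat": "CycloneDX",
  "specVersion": "1.5",
  "metadata": {
    "timestamp": "2023-01-15T10:00:00Z",
    "component": {"type": "application", "name": "example-app", "version": "3.0.0"}
  },
  "components": [
    {"type": "library", "name": "libfoo", "version": "1.2.0",
     "purl": "pkg:generic/libfoo@1.2.0"},
    {"type": "library", "name": "tinyutil", "version": "0.3.1",
     "purl": "pkg:generic/tinyutil@0.3.1"},
    {"type": "library", "name": "goodlib", "version": "4.1.0",
     "purl": "pkg:generic/goodlib@4.1.0"},
    {"type": "library", "name": "mystery", "version": "2.0"}
  ]
}
"""

# Constructed risk catalog standing in for the external data a reviewer
# would pull from vendor end-of-life notices and repository metadata.
# Keyed by package URL (purl), the identifier CycloneDX uses for components.
RISK_CATALOG = {
    "pkg:generic/libfoo@1.2.0": {"eol": date(2022, 6, 30), "maintainers": 5},
    "pkg:generic/tinyutil@0.3.1": {"eol": None, "maintainers": 1},
    "pkg:generic/goodlib@4.1.0": {"eol": None, "maintainers": 12},
}

MAX_SBOM_AGE_DAYS = 90  # assumed policy: an SBOM older than a quarter is stale


def parse_sbom(text):
    """Return (generation date, list of components) from a CycloneDX JSON string."""
    doc = json.loads(text)
    if doc.get("bomFormat") != "CycloneDX":
        raise ValueError("not a CycloneDX document")
    stamp = doc["metadata"]["timestamp"].replace("Z", "+00:00")
    generated = datetime.fromisoformat(stamp).date()
    components = [
        {"name": c["name"], "version": c.get("version", ""), "purl": c.get("purl")}
        for c in doc.get("components", [])
    ]
    return generated, components


def assess_component(component, catalog, today):
    """Return the list of risk flags for one component."""
    flags = []
    purl = component.get("purl")
    info = catalog.get(purl) if purl else None
    if info is None:
        # No purl, or nothing known about it: the SBOM gives no visibility here,
        # which is itself a finding rather than a clean result.
        flags.append("no-risk-data")
        return flags
    if info["eol"] is not None and info["eol"] <= today:
        flags.append("end-of-life")
    if info["maintainers"] <= 1:
        flags.append("single-maintainer")
    return flags


def review_sbom(text, catalog=RISK_CATALOG, today=None):
    """Review a whole SBOM.

    Returns {"stale_sbom": bool, "findings": {purl-or-name@version: [flags]}}.
    `today` may be a date, an ISO date string, or None (use the real date).
    """
    if isinstance(today, str):
        today = date.fromisoformat(today)
    today = today or date.today()
    generated, components = parse_sbom(text)
    findings = {}
    for comp in components:
        flags = assess_component(comp, catalog, today)
        if flags:
            key = comp["purl"] or f"{comp['name']}@{comp['version']}"
            findings[key] = flags
    return {
        "stale_sbom": (today - generated).days > MAX_SBOM_AGE_DAYS,
        "findings": findings,
    }


if __name__ == "__main__":
    report = review_sbom(SBOM_JSON, today="2023-09-01")
    print("SBOM stale:", report["stale_sbom"])
    for key, flags in report["findings"].items():
        print(f"{key}: {', '.join(flags)}")
```

Run with a fixed review date so the output is reproducible. Note that the component without a purl is flagged rather than silently skipped: a component the reviewer cannot even look up is the "brittle and moldy inside" case the SBOM exists to surface.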
“It is just good cyber hygiene, at the end of the day,” said Halvorsen. “I know the regulations are there, but people have to stop thinking of, ‘I need to meet this regulation,’ or ‘I need to meet this new directive that’s out because I want to do business with the government’ — instead of thinking it’s really about good cyber hygiene.”
Herz stressed that SBOMs are also a critical business issue. “On a business level, what the SBOM tells the customer is that there are products which are end-of-life unmaintainable, where investment hasn’t happened in maintenance, in updates, in security.”
Building Supplier Trust Comes with a Cost, and It’s a Very Good Investment
Building trust is essential for businesses working with the federal government. The standards set in place by agencies like the NCSC and NIST can make it more expensive to do business — but they can also boost your software supply chain resilience and save your business from expensive remediation costs in the long term. The key is to act in good faith to provide transparency, and the government will be on your side.
“If you’re doing those things to develop your software in a secure way to make sure that you’re providing a secure product, here’s a safe space for you to come into,” McMillian said. “From a government perspective, the national strategy for cyber, all of the NIST standards — everything has really been done in true partnership with industry to make sure that we’re not putting something out there that is not achievable.”
Building resilience into the software supply chain — a desired outcome of many of the government’s procurement guidelines — is a considered investment.
“I think companies that are thinking about going into business with the government or releasing a product to the government have to think about what the tail is on it,” said Halvorsen. “I think a lot of times they are so excited about the opportunity, and they forget that there is a tail on it for that resiliency that has to be built into it and maintained. You have to do the ROI on it long-term, not just for that one customer.”
McMillian stressed that the best practices for C-SCRM are “absolutely iterative.” You could put every best practice in place and still run into a vulnerability or a zero day, she said, adding there is no hall of fame (yet!) for companies that demonstrate good C-SCRM.
Rather than looking to model your efforts on a company that has a “gold star,” she again pointed to the value of making good-faith efforts in software risk management. “Look for someone who’s actually working it every day, who’s made the investments, who has really put the work in and looked at what’s industry standard for them. What are they looking for in a trusted partner and how are they reciprocating it? So you kind of get out what you put in.”