Biden appoints new supply chain risk cyber chief

The US Government's Cybersecurity and Infrastructure Security Agency (CISA) is building out a new supply chain risk management office to help agencies, industry and other partners to act on the raft of new cybersecurity regulations, guidance and policies.
This follows a 2020 finding by the US Government that most major agencies had not implemented supply chain security practices due to a lack of federal guidance.
CISA is an agency of the US Department of Homeland Security, and is responsible for cyber protection across all levels of government. The new office falls under CISA's jurisdiction and is led by Shon Lyublanovits, formerly of the General Services Administration, an independent US government agency that supports all federal agencies.
Lyublanovits will head up supply chain cyber risk management at the Federal level, as supply chain stakeholders seek to navigate the rapidly changing cyber landscape.
This began changing in earnest after then-US President Donald Trump approved the National Cyber Strategy (NCS), a key objective of which is to improve Federal management of the supply chain.
A critical component of the NCS is the integration of supply chain risk management into the procurement and use of IT, to ensure the government deploys safe, reliable, and resilient technology.
To this end, the SECURE Technology Act was passed, which gave rise to the Federal Acquisition Security Council (FASC), whose function is to develop government-wide criteria for federal supply chain risk management programmes.
Secure supply chain management is aim of FASC
Lyublanovits and her team will help agencies with the creation of secure supply chain management programmes in the face of new laws and executive orders, which create changing requirements for managing IT risk in government purchases.
While some agencies, such as NASA, have long been leaders in managing supply chain risk, Lyublanovits told Federal News Network that others are "struggling with the basics".
She says the main difficulties for most agencies are "knowing where to start" and "how to have that conversation with my leadership".
"If you don't have leadership buy-in, you can't get funding, which means you can't hire people to help you do what you want to do," Lyublanovits added.
To help counter this, CISA is developing supply chain risk management training courses that it will launch later this year.
CISA will also host a series of roundtable events focused on "operationalising secure supply chain management", Lyublanovits said. These will focus on three areas:
- Federal employees
- Industry
- State, local, tribal and territorial governments
"We want to make sure we're looking collectively at all of this because it isn't a government problem, it isn't an industry problem, it's a nation problem," Lyublanovits said.
The FASC will continue to coordinate governmentwide policies and guidance, writes Federal News Network. It will do this by drawing on best-practice guidance established by agencies like NASA and the National Institute for Standards and Technology (NIST).
"A lot of what we're trying to do is not have everybody reinvent a practice," a FASC spokesperson told Federal News Network. "This is one environment where you're not going to be penalised for plagiarism."
US agencies struggle with IT supply chain security
NIST recently published new cyber supply chain guidance to help organisations manage potential malware risks in IT products. NIST is also developing a scorecard to help agencies and other organisations manage their supply chain risk management challenges.
The FASC spokesperson added: "There's a need to understand the industry's perspective on supply chain challenges. Contractors typically have more information about the companies in their supply chains, and also provide products across multiple agencies, meaning they understand which supply chain initiatives are working and which aren't."
NIST Computer Security Division Deputy Chief, Jon Boyens, told Federal News Network that companies are "participating more in supply chain security conversations than they were a decade ago".
He added: "We're in the midst of relationship changes between acquirers and suppliers. Ten years ago, IT vendors were saying 'Here's my product. Take it if you want it. If not, we're going elsewhere.' That's changed."
He added that the complexity of modern technology requires a "constant relationship between the supplier and the acquirer".
Varun Badhwar is CEO and co-founder of Endor Labs, a company that helps security teams navigate the open-source software landscape.
Badhwar told Supply Chain Digital that CISA "deserves credit for bringing its considerable influence to this critical issue".
Of security threats from open source software, Badhwar said agencies and organisations typically use 40,000 open source software packages that are downloaded by developers.
"This causes a massive, ungoverned sprawl that increases the supply chain attack surface across multiple dimensions," he warns.
