HeinOnline Law Journal Library (handle: hein.crs/govdcyc0001)
Updated December 15, 2020

Cyber Supply Chain Risk Management: An Introduction


A supply chain consists of the system of organizations,
people, activities, information, and resources that provide
products or services to consumers. As with other types of
goods, a global supply chain exists for the development,
manufacture, and distribution of information technology
(IT) products (i.e., hardware and software) and information
communications technology (ICT). As with other goods and
services, risks exist to this cyber supply chain. The field
of identifying and managing those risks is known as cyber
supply chain risk management (C-SCRM or Cyber SCRM).

Congress and federal agencies have taken actions to bolster
cyber supply chain security. In 2017, the U.S. Department
of Homeland Security (DHS) ordered federal agencies to
remove Kaspersky security products from their networks
because of the risk posed. Legislation was subsequently
enacted codifying that order. In addition, Congress in 2018
instructed federal agencies and contractors not to use ICT
made by certain Chinese companies. Congress established
the Federal Acquisition Security Council (FASC), which
issued an initial rule in 2020. The Cybersecurity and
Infrastructure Security Agency (CISA, a part of DHS) hosts
a public-private ICT SCRM Task Force. The Federal
Communications Commission authorized the use of
Universal Service Fund money to rip-and-replace certain
ICT. The U.S.-China Economic and Security Review
Commission issued a report highlighting supply chain
concerns.

While interest in cyber supply chain security has increased
recently, there have been other periods of intense scrutiny
of supply chain issues. In 2012, for example: the White
House issued a report on global supply chain security; the
House Permanent Select Committee on Intelligence
(HPSCI) released an unclassified report on threats from
Chinese multinational companies Huawei and ZTE; ZTE
was exposed selling phones in the United States with
backdoor access; the Director of National Intelligence
(DNI) cited supply chain security as a major threat in the
Worldwide Threat Assessment; and the Government
Accountability Office (GAO) studied the issue.

This In Focus reviews C-SCRM, discusses ways in which it
is currently managed, and highlights issues that Congress
may consider for federal agencies.


One way to view risks to cyber supply chain security is
through the threat actors, their motivations, and the ways in
which they may compromise technology. DNI has
identified Russia, China, Iran, and North Korea as cyber
threat nations. However, in its report on Department of
State telecommunications, GAO highlights that technology
is manufactured worldwide and vulnerabilities may be
inserted by other malicious actors, such as foreign
intelligence services, insiders, or criminals. These actors
may be motivated to steal intellectual property, tamper with
products, insert counterfeit goods, gain unauthorized
access, sell extraneous access, or manipulate the operation
of technology. They may accomplish their goals by
inserting malicious code in software, manipulating
hardware, or a combination of the two.

Cyber supply chain risks do not solely result from
malicious human interference. The National Institute of
Standards and Technology (NIST) finds that natural
disasters may impede delivery of critical network
components; poor quality assurance and engineering
practices by vendors may create deficient products; or an
entity's own business practices may result in seeking,
buying, and managing sub-par goods. These threats may
result in data loss, modification, or exfiltration; system
failures; or product unavailability.

Managing Risk
NIST defines C-SCRM as the process of identifying,
assessing, and mitigating the risks associated with the
distributed and interconnected nature of [IT] product and
service supply chains. This definition distinguishes
C-SCRM as an ongoing activity, rather than a single task,
and accounts for the procurement and maintenance of
hardware and software.

NIST Special Publication 800-161 provides guidance to
federal agencies on how they may go about implementing
risk management practices. NIST recommends that
C-SCRM align with an organization's existing risk
management framework. Activities for risk management
include cataloguing current systems and business practices,
surveying systems for vulnerabilities, and developing
processes to mitigate those vulnerabilities on an ongoing
basis.

That a risk could manifest does not mean it is present at
all times, nor should it be managed as if it were. Instead,
managers accept that risk is not binary but exists on a
spectrum. This perspective pushes managers to consider
where they are most at risk and to prioritize mitigation
strategies accordingly. This defense-in-depth strategy
accepts that complete security is not guaranteed, but it
leads system administrators to deploy tools so that they can
detect unwanted activity and stop damage from
compounding.
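The catalogue-survey-mitigate loop described above, shown as an added example in Python that is not part of this CRS product and is not NIST's code: it takes a constructed component inventory (standing in for an SBOM or asset register), checks each entry against constructed vulnerability advisories and a constructed prohibited-supplier list, scores each finding on a likelihood-times-criticality spectrum, and returns a prioritized mitigation list. Findings that score below a tolerance threshold are accepted and monitored rather than actioned, reflecting the spectrum view of risk in the text. All component, supplier, and advisory names are invented for illustration.

```python
"""Added example: one pass of a repeatable C-SCRM assessment loop.

Inventory, advisories, and the prohibited-supplier list are constructed
sample data; nothing here is drawn from a real vendor or advisory feed.
"""
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class Component:
    name: str
    version: str
    supplier: str
    criticality: int   # 1 (peripheral) .. 5 (mission critical), set by the system owner


@dataclass(frozen=True)
class Advisory:
    component: str
    fixed_in: str      # first version that carries the fix
    severity: int      # 1 .. 5, as rated by the advisory source


@dataclass(frozen=True)
class Finding:
    component: Component
    reason: str
    likelihood: int    # 1 .. 5
    score: int         # likelihood * criticality, so 1 .. 25
    action: str


def version_key(version: str) -> tuple:
    """Turn '7.10.0' into (7, 10, 0) so versions compare numerically, not as strings."""
    return tuple(int(part) for part in version.split("."))


def is_affected(component: Component, advisory: Advisory) -> bool:
    """True when the installed version predates the fixed version named in the advisory."""
    return (component.name == advisory.component
            and version_key(component.version) < version_key(advisory.fixed_in))


def assess(inventory, advisories, prohibited_suppliers, accept_below=6):
    """Survey the catalogue, score each finding, and order mitigations by priority.

    accept_below: findings scoring under this threshold are tolerated and
    monitored rather than actioned; the threshold is the organisation's
    risk appetite, expressed on the same 1..25 scale as the scores.
    """
    findings = []
    for comp in inventory:
        # Policy finding: a supplier the organisation is required to remove.
        # Likelihood is pinned at 5 because removal is mandated, not negotiable.
        if comp.supplier in prohibited_suppliers:
            findings.append(Finding(comp, f"prohibited supplier {comp.supplier}",
                                    5, 5 * comp.criticality, "remove"))
        # Technical finding: an installed version covered by a known advisory.
        for adv in advisories:
            if is_affected(comp, adv):
                findings.append(Finding(comp, f"advisory on {adv.component} < {adv.fixed_in}",
                                        adv.severity, adv.severity * comp.criticality,
                                        f"upgrade to {adv.fixed_in}"))
    # Highest score first; ties broken by component name so the report is stable run to run.
    findings.sort(key=lambda f: (-f.score, f.component.name))
    return [f if f.score >= accept_below else replace(f, action="accept, monitor")
            for f in findings]


# Constructed sample inventory: four components of differing criticality.
INVENTORY = [
    Component("core-router-os", "7.2.1", "Nordvale Networks", 5),
    Component("endpoint-av", "12.0.4", "Acme Antivirus", 4),
    Component("pdf-viewer", "3.1.0", "Parchment Software", 1),
    Component("badge-reader-fw", "1.4.2", "Keystone Access", 3),
]

# Constructed advisories; the badge-reader one is already fixed in the installed version.
ADVISORIES = [
    Advisory("core-router-os", fixed_in="7.3.0", severity=4),
    Advisory("pdf-viewer", fixed_in="3.2.0", severity=3),
    Advisory("badge-reader-fw", fixed_in="1.4.0", severity=5),
]

# Constructed prohibited-supplier list (hypothetical name).
PROHIBITED = {"Acme Antivirus"}


def report(findings) -> list:
    """Render findings as one line each, in priority order."""
    return [f"{f.score:>2}  {f.component.name:<16} {f.action:<18} ({f.reason})"
            for f in findings]


if __name__ == "__main__":
    for line in report(assess(INVENTORY, ADVISORIES, PROHIBITED)):
        print(line)
```

Run repeatedly (on every inventory change and every new advisory) rather than once; the value of the loop is that the same scoring is applied each time, so a component that was tolerated last month is re-ranked automatically when its criticality rises or a new advisory lands.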

Attackers may not know which defensive strategies are
deployed on systems. The chance of exposure is a
consideration attackers evaluate when seeking to
mass-compromise technology and may incentivize them to
pursue specific attacks against deliberate targets instead.

