
Agencies Urge ‘Trust and Verify’ as Supply Chain Cyber Risks Shift

Federal officials warn of growing supply chain risks, from small vendor gaps to human-targeted threats and limited partner visibility.

DLA CIO Adarryl Roberts speaks at GovCIO Media & Research's CyberScape: The Federal Cybersecurity Summit on April 16, 2026, in Arlington, Virginia. Photo Credit: Invision Events

Federal agencies must adopt continuous risk management practices and a “trust and verify” mindset to secure increasingly complex supply chains, federal leaders said last week at GovCIO Media & Research’s CyberScape: The Federal Cybersecurity Summit in Arlington, Virginia.

“A lot of the cyber requirements that you’re hearing from the federal government, in the Department of War, are not just federal government or Department of War,” Defense Logistics Agency CIO Adarryl Roberts said. “They’re also to protect yourself. Outside of doing business with the government, this helps protect your investment as well.”

Roberts said the complexity of supporting the warfighter is compounded by a global marketplace where federal dollars do not always dictate terms. Thousands of industrial partners form the backbone of federal logistics, and while internal systems are relatively secure, visibility into partner risk remains limited.

This “visibility gap” is particularly acute for DLA, where roughly 60% to 65% of partners are small businesses that lack the massive cybersecurity budgets of defense titans, he added. Roberts said that the Cybersecurity Maturity Model Certification (CMMC) is less about new rules and more about “accountability” and that the government must move past the initial vetting process.

“We have to get better at it post-award, because even then, particularly with what we do within Department of War, mergers are more incentivized by bad actors because they want access to [DOW] information,” Roberts explained.

Contracts remain the federal government’s primary mechanism for enforcing cybersecurity standards across a fragmented industrial base, said Rosa Underwood, senior cybersecurity adviser at the General Services Administration’s Federal Acquisition Service. With more than 5,000 IT vendors alone, she said agencies must move beyond one-time vetting to a full lifecycle approach.

“If there’s some issues with non-compliance or compliance, we’ll work with those vendors to make sure that they’re up to speed and they’re able to incorporate whatever changes they need to do,” Underwood said.

She added that supply chain risk management must be addressed early in the requirements development phase to prevent prohibited technologies from entering federal systems. Contracting officers and program officials must conduct due diligence from the outset.

“What are those vendors doing? What are they offering? How are they investing? Who’s investing in them?” Underwood said.

Jennifer Franks, director of the Center for Enhanced Cybersecurity and acting director of the Analytics Foundry at the Government Accountability Office, said contracting language is increasingly being used to address gaps in “inventory awareness.” She pointed to the 2020 SolarWinds breach as a turning point, when many agencies struggled to respond because they lacked visibility into their own systems.

“We struggle with understanding what source of fluidity is built into this model. What are we now going to be purchasing, introducing into our environment for our services to be utilized to support the American people?” Franks said.

The Shift to Human-Centric Threats

Underwood said attackers are increasingly targeting personnel within the supply chain rather than systems alone. Nation-state actors, including North Korea and Iran, are attempting to infiltrate federal ecosystems by embedding operatives within third-party contractors.

“It’s still products, but now you have to really look at those people, those employees that are being hired by the companies to support agencies,” Underwood said.

To combat this, GSA is urging agencies to treat every phase of the acquisition lifecycle as a “due diligence” exercise, she added. Information sharing is the most efficient weapon against these obscured risks, she stressed.

“Share the information, even if you’re not sure … it eliminates or reduces overlap and streamlines processes,” Underwood said.

She said that supply chain risk isn’t exclusive to high-tech hardware. Even mundane contracts, like those for office supplies, carry data risks regarding where those items are delivered and who is ordering them, she said.

“You should care about pencils … because in the federal space, those pencils have to be delivered somewhere,” Underwood said. “The information could be sensitive around that contract. Who’s ordering those pencils and where those pencils are going?”

Everyone in the supply chain needs to do a better job of assuming breaches and, thus, sharing information so that others can protect themselves, she said.

“It was ‘if’ a breach happened; now it’s ‘when’ it happens,” she said. “In this day and age, for whatever reason, people may feel embarrassed, or they may think that they missed something, and it may reflect on them.”

Franks added that awareness is critical for response and resiliency when a breach happens at any level of the supply chain.

“It took us time, but what’s intricately important is the leadership awareness and the responsibility of just knowing and having that knowledge base,” Franks said.

The Supply Chain, AI and Resilience

AI has turned what was once a liability — massive amounts of siloed data — into a proactive defensive tool, Roberts said. He noted that AI helps with breach visibility across agencies.

“The advent of AI [is important] in terms of sharing data. Before, we didn’t share data because it was security risk. Now? It’s a risk to security not to share data,” Roberts said.

AI is also being deployed to bridge the gap between traditional IT and the mission-critical operational technology (OT) that powers logistics on the ground, he added, integrating OT and IT cybersecurity more efficiently than before.

“A lot of our OT is no longer separate. Because of mission and because of need, it has to be integrated,” Roberts said. “For years, we haven’t funded it from a cybersecurity perspective, so there’s a lot of catch up there that we’re trying to work on with zero-trust models.”
