CISA is Developing Guidelines For Managing Cyber Supply Chain Risks

The Cybersecurity and Infrastructure Security Agency (CISA) is developing a guide to help agencies overcome the challenges of managing cyber supply chain risks.

According to Brian Paap, cyber engineering consultant at CISA, the agency has been working on how to approach Cyber Supply Chain Risk Management (CSCRIM) over the past two years.

CISA recently ran a pilot designed to figure out all of the measures required to stand up and sustain a CSCRIM program within federal departments and agencies.

Paap noted CISA has recently developed the Overview and Guidelines document, which combines learnings from NIST 161 and elements of NIST 853, Rev 5 and several other resources.

“What we tried to do is turn all of this ‘what’ that NIST, DOD and industry provided into ‘how’ you do that. Essentially turning the what into the how for standing up and sustaining a CSCRIM program,” Paap said during ATARC’s Overview of Standards and Mandates, Tools and Solutions to Manage Cyber Supply Chain Risks Event.

In 2013, the White House released an executive order for specific agencies to stand up a CSRIM capability, which was followed by the passage of the 2018 Security Act that requested CFO ACT agencies implement their own CSCRIM program.

“In 2020 we held listening sessions with the CFO ACT agencies and they said, can you tell us how to do this and give us boiler plate language to better protect ourselves and so we listened to them and that’s what really drove us into the pilot and where we are today,” Paap said. “There’s a lot more that can be done for the fed govt. And the number one issue across the board is funding and resources.”

Paap also talked about the importance of developing guidelines for overcoming any obstacles to CSCRIM implementation.

“The problems with NIST doctrine is they’re asking you to do things but there is no method of how to do all of those things. Rather than 101 agencies doing it 101 different ways. We want to set the parameters around it and guide them through process of doing this the right way,” Paap said.

During the event Nnake Nweke, director of Cybersecurity Supply Chain Risk Management at the General Services Administration (GSA), talked about the challenges with implementing and managing supply chain risk management.

Some common obstacles are resources, workforce training and supply chain risk control requirements that are set out for vendors.

“Defining requirements is one of the biggest challenges. Trying to strike the right balance between what is really required and what is sufficient. Also, making sure requirements are not impacting their ability to operate.  Striking the right balance without sacrificing security is critical,” Nweke said.

Paap said one of the most challenging steps involves securing software provided and managed by second- and third-party vendors.

“I like to look at is as rules before tools. You need to have the methods down before you can perform the actions because you don’t know if the actions you’re performing are correct unless you know what it’s supposed to be based on your mission,” Paap said.