Federal agency officials said that having the right tools, and a workforce culture tuned into security, are key elements in making gains on cybersecurity-supply chain risk management (C-SCRM).
Speaking at ACT-IAC’s C-SCRM Forum on Jan. 19, officials said that the scope of supply chain security management is made more difficult by the number of entities that need to be involved in creating and executing on security strategies. One way to deal with that complexity is by managing the tools that organizations use to verify customers and products in the supply chain.
Rajiv Uppal, chief information officer at the Centers for Medicare and Medicaid Services (CMS), explained why looking at the right tools is a vital step.
“If you look at our infrastructure, and the tools we use or the products we use, the level of complexity is so much that there isn’t any single entity building the entire product … we are all using libraries [and] tools from all over,” Uppal said. “Knowing where these different parts are coming to make the whole is really important.”
Using good tooling to give people the information they need to make security decisions is critical, he said. With that in place, Uppal said, CMS goes through a “composition analysis” to determine the security of software that the agency is using.
Also key to the security puzzle is the need to create a strong supply chain security culture, said Kevin Cox, deputy CIO at the Justice Department.
“One of the things that we’ve really looked to do at the Department of Justice is build a culture around the idea of supply chain, and cyber supply chain, and software supply chain, where it’s not just the headquarters” who are performing assessments of major acquisitions, he said.
In addition, Cox continued, it’s the “folks down at the mission level who are involved in the acquisition and really needing to take the responsibility of assessing what they’re looking for by doing the research of all the different vendors in the market.”