Supply Chain Risk Management (SCRM) is the process of assessing and mitigating the risk that vulnerabilities within the acquisition supply chain will be exploited. Within the Federal Government specifically, supply chains may be targeted by foreign military/intelligence services, corporations, terrorists or criminal organizations seeking any information that could weaken the United States' economic and national security. Information targeted could include, but is not limited to:
FAI offers a helpful video describing SCRM in relation to the Federal Government. This video urges Government Employees to focus on two major components to strengthen their agencies against potential supply chain exploitation:
The first recommendation refers to the team of government officials that investigates and responds to potential or active threats against their agency. In most cases, this team includes representatives from the security, information assurance and insider threat teams, but it does not include members of the acquisition team. This model leaves a gaping hole in the defense assessment because it fails to investigate potential threats coming through the products or services in use. Agencies, therefore, should include acquisition in their integrated defense system.
While the scenario above addresses how to investigate a potential supply chain exploit once it has occurred, the second component focuses on preventing such products or services from entering the agency in the first place. An agency's acquisition and procurement team needs to be mindful of the types of products and services it is procuring and the various threats they could potentially bring into the agency.
"Many federal departments and agencies have limited [Cyber Supply Chain Risk Management] C-SCRM capabilities, resources, governance, guidance, and training; especially in acquisition of information and communications technology (ICT). Executive Order #14028, "Improving the Nation's Cybersecurity," mandates enhanced C-SCRM contracting requirements and guidance that holds vendors accountable for assessing the risk of their supply channels, particularly in the area of embedded software."
GSA Kicks Off Government-Wide Cyber Supply Chain Risk Management Acquisition Community of Practice
While supply chain risks are by no means limited to cyber attacks, this statement reflects the importance the U.S. Government places on enhanced SCRM. While the requirements for enhanced SCRM contracting efforts are not yet set in stone, agencies need to be planning for such mandates. The government offers several pieces of guidance to help agencies build their Supply Chain Risk Management Plans, including:
If the above policies, resources, EOs, and directives are any indication, all organizations that do business with the Federal Government need to be assessing and mitigating their own supply chain risks sooner rather than later. As you investigate your own supply chain, you need to continually examine:
As agencies continue to emphasize SCRM efforts, you can expect the procurement process to start incorporating more specific risk mitigation questions. As a contractor, you need to be prepared to answer questions such as:
Additionally, you will likely need to provide insight into your own supply chain risk management efforts.
One thing to keep in mind: these questions do not mean that the Federal Customer expects solutions that are hardened against every potential threat (that is not possible), but they do expect to do business with organizations that understand the risk they are exposed to and are passing along to the Government through their products or services. They also expect these organizations to review their threat landscape consistently and look for ways to reduce their risk.
As an IT product company, it is important that you examine every aspect of your supply chain and understand your vulnerability exposure. Some questions to start with include:
This is by no means a comprehensive list, but it can get you started. Ultimately, the government needs to know whether an adversary could compromise the integrity of the IT products, or the components of those products, being delivered and added to information networks at all levels of government. Any weak link is a possible risk or vulnerability that could compromise the data secured within those networks.
Remember, while you will certainly benefit from understanding and reducing your supply chain risk, the goal of SCRM in the federal space is understanding the risks your company's technology presents and how you can help safeguard the national security of the United States by working to mitigate them.