ODNI and GSA want to help smaller agencies manage supply chain risk
With the federal government putting a more watchful eye on the cybersecurity vulnerabilities within IT supply chains, the Office of the Director of National Intelligence is looking for new ways to provide agencies with information to manage their risk.
Speaking at symposium hosted by D.C. law firm Venable, Joyce Corell, assistant director for supply chain and cyber at ODNI’s National Counterintelligence and Security Center, said that with the increasing number of contractors the government works with, agencies need to assume there will be vulnerabilities in their supply chain from third-party suppliers. Resilience has to be baked in, she said.
“It’s not the all-hazards kind of resilience, but if you are going to have to live in a messy environment, are you thinking through resilience from a cybersecurity perspective and from a risk reduction perspective,” she said.
An agency probably should know, for example, if a supplier farther away on the chain might have filed for bankruptcy or been bought out by a foreign company, she said. While Cabinet-level agencies may have the resources to pursue such due diligence through accessing information networks like a Bloomberg terminal, smaller agencies could be limited to using mere internet searches to stay up-to-date on where weaknesses could develop.
So Corell said ODNI is working with the General Services Administration to develop a product that smaller agencies can use to keep track of developments with their supply chain providers.
“They are in a position where they can put in place something like an information service to make access to due diligence more readily accessible to agencies that are under-resourced,” she said.
The basic concept has become popular of late, with the Department of Homeland Security has recently begun a program that offers cybersecurity risk assessments to critical infrastructure companies centered on products that could introduce network vulnerabilities, following the government’s Kaspersky ban.
But for some agencies, Corell said due diligence has become a “cottage industry” where access to the supply chain information is determined by resource allocation. By ensuring that all agencies have access to information that could affect their risk further down the supply chain, they can take steps to prepare for it.
“Often times, there is a minimal amount of functionality that people would like to have from that type of data,” she said. “For example, if you get into business with a firm and in the life of your business relationship with them, they end up in a financially vulnerable perspective and are about to file for bankruptcy, that’s information you might want to know. The algorithms for bankruptcy predictors have been out there for quite some time, so that’s information that you would like to have pushed to you.”
Corell said she anticipated that GSA would release a request for information to industry for market research on a potential information service sometime later this year.
