The Cybersecurity and Infrastructure Security Agency’s new Cyber Supply Chain Risk Management Office is developing training and maturity models for federal agencies, while also considering the role of supply chain illumination tools and other supplier evaluation techniques.
The C-SCRM Office is a little over a year old. Shon Lyublanovits, program lead for cyber supply chain risk management at CISA, said her team is still growing as it develops a strategic plan for spreading supply chain best practices across government.
“How do we strategically put that message out? What are some of the things that we must do internally that would best position us to help other agencies?” Lyublanovits said during Federal News Network’s Cyber Leaders Exchange 2023.
She said CISA is considering how the supply chain office intersects with the work being done at the agency’s National Risk Management Center (NRMC), which does critical infrastructure risk analysis, and its Vulnerability Management (VM) division, which works to reduce the risks of software exploits.
“We’re having a lot of internal conversations to really sync better and make ourselves stronger as we continue to sort of shine that light outwards, to industry, to the information and communications technology community through NRMC, to our vendors that are working really closely right now on some software projects with VM, and to my team and agencies — really focusing on the federal civilian executive branch to really help them figure this thing out,” Lyublanovits said.
The cyber supply chain office has split its activities into three primary areas. She detailed the work being done within each of these focus areas.
C-SCRM Focus 1: Strategy and governance
The new office’s strategy and governance group is focused on developing metrics and key performance indicators for supply chain risk programs.
In fiscal 2024, the group will develop a maturity model for cyber supply chain risk management, Lyublanovits said.
“Being able to articulate not only the fact that we need to do it, but what value will it bring to the agencies? What goals am I helping to accomplish by actually doing this work?” she said. “Putting a little bit of framing and structure around that is important for us as we move forward.”
C-SCRM Focus 2: FASC work
CISA is also designated as the information sharing agency for the Federal Acquisition Security Council. FASC was established to develop governmentwide supply chain risk management policies under the Strengthening and Enhancing Cyber-capabilities by Utilizing Risk Exposure (SECURE) Technology Act.
The council has been empowered to make recommendations on exclusion and removal orders for products that have been deemed too risky for federal use. The proposed rule to implement the council’s exclusion orders is currently in front of the Federal Acquisition Regulation council.
Lyublanovits said her office’s Sigma team is leading CISA’s work for FASC. It’s focused on ensuring agencies can share information about supply chain risks with the council as well as helping agencies implement potential removal or exclusion orders.
“If we’re going to remove, we’ve got to be able to help agencies prepare to have off-ramps, but also other vendors in play to help take the place of that vendor that we’re having to remove,” Lyublanovits said. “So when we’re thinking about acquisitions and we select a vendor, what other pools of vendors are available to help backfill if we need to remove one?”
CISA is also looking at how it can use technologies to conduct supplier illumination within federal acquisition.
“It really is shining a light on connectivity of vendors,” Lyublanovits said. “If I’m looking at Vendor A, but I’m noticing, ‘Oh there’s Vendor G and H that are giving me some pause for concern.’ ”
In a similar vein, her office is also considering how to promote the use of vendor risk assessments across the government. It’s an approach some agencies have already started using.
“Is there a bar that we need these vendors at before they can bid on these contracts? And that’s where the vendor risk assessment comes in,” Lyublanovits said. “It says, ‘These are my criteria. If you fall below this, then you’re not the right vendor for this solution.’ So moving forward, it’s really being more thoughtful about the vendors that we’re having on some of these contracts.”
C-SCRM Focus 3: Training
The new CISA office has also been focused on developing C-SCRM training for federal employees. Lyublanovits said her Storm team is developing the training, to include courses ranging from basic SCRM skills through expert-level instruction.
CISA will pilot its basic, steward-level C-SCRM training with multiple agencies starting in 2024.
“We’ve had a few select agencies that we’re going to have come in and pilot it — tell us where there are opportunities for us to improve right before we do a broader release,” Lyublanovits said.
Blending IT and acquisition also critical
Although IT divisions are typically focused on cyber risks, Lyublanovits said C-SCRM “starts and ends with acquisition.” She said her office has identified specific points in the acquisition process where procurement experts need to consider cybersecurity risks.
That approach is already starting to bear out through efforts like the Biden administration’s introduction of a secure software development “self-attestation form” that companies will need to sign before providing agencies with software.
“Continuing to pull the acquisition community and the IT people together so that we can talk about what matters to each side, and figuring out a good path to move forward, is going to be key,” Lyublanovits said. “The days are over where the IT people do their own thing and the acquisition people do their own thing. We’ve got to do this together.”
For more cyber tips and tactics, visit the Federal News Network Cyber Leaders Exchange 2023 event page.