A report for Congress has suggested possible strategy changes for managing agency cyber supply chain risks, including consolidating oversight that now “is distributed among many federal agencies.”
The Congressional Research Service noted that interest in cyber supply chain security has been increasing in general, and inside the government in particular, in response to incidents and to assessments of broader threats aimed at stealing information and manipulating the operation of technology. However, individual agencies “are responsible for evaluating risks posed by IT for themselves” and some “lack the capability or capacity to perform thorough evaluations of their systems for supply chain risks,” it said.
The report raised the possibility of using a shared services model along the lines of the GSA’s FedRAMP program, which evaluates cloud service providers and creates documentation on the security of those services that is available to all agencies.
“An option for Congress would be to assign a single federal agency the responsibility to evaluate supply chain risks in IT for all other agencies. This agency would examine IT hardware and software for potential risks. In order to do so, the agency would likely need access to threat intelligence, technical expertise, business relationships of the vendors, building products, and security experts, among other factors,” it said.
It added: “Rather than assign a single federal agency with all the responsibility for supply chain security, Congress may identify unique responsibilities and parse those out to agencies; such as intelligence gathering, technical expertise, the development and promulgation of defensive measures, and coordinating federal efforts.”
Another potential step would be to “increase the information available from open and restricted government sources to all agencies and the information technology sector . . . This may help agencies better assess their own risk, and allow the companies to directly mitigate vulnerabilities in their products.”