The other week the Biden Administration issued an executive order to improve cybersecurity across the federal government. Now we have a peek at just how bad numerous government agencies are at the task — and what steps they’re likely to take to improve the situation, which could affect government contractors providing IT services.
Said peek comes in the form of a Government Accountability Office report issued Tuesday, which examined the current state of vendor risk management at 23 civilian agencies.
The current state is not good.
The GAO had previously identified seven “fundamental practices” for better management of cybersecurity risks in the supply chain. Across all 23 agencies, including ones with highly sensitive information such as the Justice Department, NASA, and the Department of Homeland Security, none had fully implemented all seven practices, and 14 of the 23 had not implemented any of the practices at all.
So when we consider President Biden’s executive order to improve cybersecurity, one can see the urgency here. Way too many federal agencies have been way too loosey-goosey about this issue for far too long. That point was made painfully clear by the SolarWinds attack last year, and now the GAO has provided equally painful documentation of the shortcomings.
This matters to corporate compliance, audit, and risk management professionals because another big theme of the Biden order is that the federal government does want to keep using cloud-based software and other technology services, but it can’t allow this scattershot approach to cybersecurity to continue.
So any government contractor, and particularly those who provide IT services, will be swept into the order’s mandate for better oversight of cybersecurity risk in the federal government’s supply chain. The GAO report simply gives us a sense of what those weaknesses are, and presumably where the federal agencies will try to improve.
The Seven Foundational Practices
The GAO listed seven foundational practices for better supply chain risk management (SCRM) for information, communication, and telecommunication (ICT) assets. Those practices are:
- Establish executive oversight of ICT activities, including designating responsibility for leading agency-wide SCRM activities;
- Develop an agency-wide ICT SCRM strategy for providing the organizational context in which risk-based decisions will be made;
- Establish an approach to identify and document agency ICT supply chain(s);
- Establish a process to conduct agency-wide assessments of ICT supply chain risks that identify, aggregate, and prioritize ICT supply chain risks that are present across the organization;
- Establish a process to conduct a SCRM review of a potential supplier that may include reviews of the processes used by suppliers to design, develop, test, implement, verify, deliver, and support ICT products and services;
- Develop organizational ICT SCRM requirements for suppliers to ensure that suppliers are adequately addressing risks associated with ICT products and services; and
- Develop organizational procedures to detect counterfeit and compromised ICT products prior to their deployment.
Those seven practices come from NIST, the National Institute of Standards & Technology. NIST is the outfit that publishes the cybersecurity frameworks that government agencies and contractors must follow; and that all other organizations should follow if you’re smart. So I’d recommend that all corporate compliance, audit, and risk folks involved in cybersecurity print out the above list and tape it next to your laptop for daily inspiration.
Now back to those 23 federal agencies the GAO audited. Figure 1, below, shows how many agencies had fully, partially, or not at all implemented each of those seven foundational practices.
None of this looks good. Perhaps most interesting is that six agencies have at least managed to develop some sort of cybersecurity due diligence process for their vendors; that was the most widely adopted of the NIST best practices. On the other hand, none had developed an agency-wide process to assess cybersecurity supply chain risks; and hardly any had articulated any cybersecurity supply chain requirements they could communicate to suppliers.
The GAO report did not say which specific agencies whiffed on which of the NIST cybersecurity practices. The GAO did say it made 145 recommendations to the various agencies last fall to improve their vendor risk management oversight, but that report hasn’t been released to the public.
So What Do Contractors Do With This?
Even though this report addresses federal agencies, corporate compliance professionals can still learn plenty from it. Why? Let’s remember Kelly’s Law of Third-Party Risk:
The better you are at managing your own third-party risks, the more attractive a third party you are to your customers.
So the business imperative for getting your own vendor risk management under control is clear. The seven NIST principles outlined above are the pillars of that effort; study them, consider how well your business already embraces them, and implement any remediation steps you might need. The more confidently you can document cybersecurity control over your own supply chain, the more attractive you’ll be to Uncle Sam as a potential vendor.
Next question: how does an organization implement those seven NIST principles, exactly?
By mapping those principles to a control framework, and then performing a gap analysis to see how well your internal controls measure up.
For example, one could say that the first NIST principle — “establish executive oversight of ICT activities, including designating responsibility for leading agency-wide SCRM activities” — maps to the control environment component of the COSO internal control framework.
Specifically, that practice corresponds to Principle 3 (“Management establishes structures, reporting lines, and appropriate authorities and responsibilities in the pursuit of objectives”) and to Principle 5 (“The organization holds individuals accountable for their internal control responsibilities in the pursuit of objectives”). And from there, each of those two principles provides several more specific points of focus you could translate into actual policies, procedures, and controls for oversight of your supply chain.
That’s just a basic example. Other NIST principles map to other parts of the COSO framework. They also map to cybersecurity frameworks such as the NIST 800-53 standard, or PCI DSS, or COBIT, or whatever you want to use.
However you want to make this journey, the journey should be made. It will make you a more attractive bidder on federal contracts, as federal agencies keep paying more and more attention to the cybersecurity risks swirling all around them.