A Challenge To Traditional Supply Chain Risk Management Programs

Traditionally, IT and acquisition leaders have thought about their cyberattack surface in terms of physical IT assets, such as laptops, servers and networks. But there’s an important class of assets that don’t fit into that traditional management framework – such as IP addresses, domain names and cloud instances – that introduce risks into the cyber supply chain.

GovLoop spoke with Dr. Matt Kraning, Co-Founder and CTO of Expanse, who leads the implementation of cyber supply chain risk management (SCRM) projects with the Defense Department (DoD) and Defense Industrial Base primes like Lockheed Martin. He discussed four key steps to enhancing the maturity of SCRM programs through digital asset inventory.

1. Scale best practices in attack surface reduction

Leading organizations that successfully limit their cyberattack surface share two characteristics: A comprehensive asset inventory program that includes the inventory of digital and ephemeral assets including IP addresses, domains, certificates and cloud instances; and a comprehensive program to dynamically and continuously discover new parts of their attack surface anywhere they may appear on the Internet, including on assets previously unknown to the organization.

2. Place zero trust in self-attested compliance, and don’t let point-in-time audits become “compliance theater”

A security policy is only as good as its enforcement: Place zero trust in self-attestation. Moreover, depending on the threat environment faced by an enterprise, point-in-time audits may be insufficient relative to continuous validation of asset management practices. Every employee is now a de facto systems administrator who can spin up risky internet assets in minutes. That means the entire Risk Management Framework (RMF), which is a cyclical model to be repeated as necessary, fails at Step 1 if a current, accurate and complete asset inventory is not maintained to manage risk relating to internet-exposed assets.

3. How continuous should “continuous monitoring” be?

The problem with continuous monitoring as implemented in most environments is that monitoring is too infrequent, and only known assets are monitored. Successful continuous monitoring requires comprehensive asset management. As written in the National Institute of Standards and Technology (NIST) Special Publication 800-137, Information Security Continuous Monitoring (ISCM) for Federal Systems and Organizations, “More accurate system component inventories support improved effectiveness of other security domains such as patch management and vulnerability management.”

By necessity, a mature SCRM program facing an acute threat environment must apply a daily-or-better refresh rate to point-in-time audits of dynamic internet assets.
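Sections 1 and 3 together describe a concrete control: keep an inventory of ephemeral internet assets (IP addresses, domains, certificates, cloud instances), compare it continuously against what is actually observed on the internet, and treat any gap, or a scan older than a day, as an RMF Step 1 failure. The script below is an added illustration of that comparison and is not code from the article, GovLoop or Expanse. The inventory, the discovery snapshot, the certificate fingerprint and the host names are all constructed sample data (documentation IP ranges and example.gov), and `rmf_step1_check` is a hypothetical name for the check.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set


@dataclass(frozen=True)
class Asset:
    """One internet-exposed asset. kind is one of: ip, domain, cert, cloud."""
    kind: str
    identifier: str


# Constructed sample data: what the organization believes it owns.
KNOWN_INVENTORY: Set[Asset] = {
    Asset("ip", "203.0.113.10"),
    Asset("domain", "portal.example.gov"),
    Asset("domain", "legacy-vpn.example.gov"),      # in inventory, no longer observed
    Asset("cert", "sha256:PLACEHOLDER-FINGERPRINT"),  # placeholder, not a real cert
    Asset("cloud", "s3://example-gov-public-docs"),
}

# Constructed sample data: what an external discovery scan actually observed,
# with the time the scan completed.
DISCOVERED_SNAPSHOT: Dict = {
    "observed_at": datetime(2024, 1, 15, 6, 0, tzinfo=timezone.utc),
    "assets": {
        Asset("ip", "203.0.113.10"),
        Asset("ip", "198.51.100.7"),                     # unknown to inventory
        Asset("domain", "portal.example.gov"),
        Asset("domain", "dev-test.example.gov"),         # unknown to inventory
        Asset("cert", "sha256:PLACEHOLDER-FINGERPRINT"),
        Asset("cloud", "s3://example-gov-public-docs"),
        Asset("cloud", "vm-0a1b.cloud.example.net"),     # unknown to inventory
    },
}

# Two constructed check times: one within a day of the scan, one well past it.
FRESH_CHECK_TIME = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
STALE_CHECK_TIME = datetime(2024, 1, 17, 12, 0, tzinfo=timezone.utc)


def _ordered(assets: Set[Asset]) -> List[Asset]:
    return sorted(assets, key=lambda a: (a.kind, a.identifier))


def unknown_assets(known: Set[Asset], discovered: Set[Asset]) -> List[Asset]:
    """Observed on the internet but absent from the inventory: the
    'previously unknown' assets the article says must be discovered."""
    return _ordered(discovered - known)


def missing_assets(known: Set[Asset], discovered: Set[Asset]) -> List[Asset]:
    """In the inventory but not observed: either decommissioned without the
    inventory being updated, or a discovery gap. Both mean the inventory is wrong."""
    return _ordered(known - discovered)


def snapshot_is_stale(observed_at: datetime, now: datetime,
                      max_age: timedelta = timedelta(days=1)) -> bool:
    """Daily-or-better refresh: a snapshot older than max_age no longer
    counts as continuous monitoring."""
    return now - observed_at > max_age


def rmf_step1_check(known: Set[Asset], snapshot: Dict, now: datetime) -> Dict:
    """Hypothetical check: the inventory is current, accurate and complete only
    if nothing is unknown, nothing is missing and the scan is fresh."""
    unknown = unknown_assets(known, snapshot["assets"])
    missing = missing_assets(known, snapshot["assets"])
    stale = snapshot_is_stale(snapshot["observed_at"], now)
    return {
        "unknown": unknown,
        "missing": missing,
        "stale": stale,
        "inventory_complete": not unknown and not missing and not stale,
    }


if __name__ == "__main__":
    report = rmf_step1_check(KNOWN_INVENTORY, DISCOVERED_SNAPSHOT, FRESH_CHECK_TIME)
    for asset in report["unknown"]:
        print(f"UNKNOWN  {asset.kind:6} {asset.identifier}")
    for asset in report["missing"]:
        print(f"MISSING  {asset.kind:6} {asset.identifier}")
    print("snapshot stale:", report["stale"])
    print("inventory complete:", report["inventory_complete"])
```

Run against real data, `KNOWN_INVENTORY` would be the asset management system's export and `DISCOVERED_SNAPSHOT` the output of an external discovery scan; the point of the structure is that the check fails on any of three independent conditions, so a fresh scan that only covers known assets still does not pass.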

4. Scale internet asset management across your cloud assets and key suppliers

DoD’s Cybersecurity Maturity Model Certification (CMMC) program has delivered baseline maturity levels focused on the protection of information hosted on premises. There remains, however, a critical capability gap to baseline risks relating to “weak links” like cloud hosted assets and key suppliers, often the principal vectors of attack.

Just as agencies should develop a comprehensive inventory of their own Internet assets, Kraning said, they need to overlay continuous, risk-based SCRM initiatives to address the extended attack surface presented by key suppliers. The costs are no longer prohibitive.

This article is an excerpt from GovLoop’s recent report, “Meeting the Requirements of the Supply Chain Imperative.”
