When it comes to government supply chains, agencies can’t properly defend what they can’t see. As their networks of third-party vendors and IT components expand, agencies must reassess how they identify, manage and overcome supply chain risks.
Supply chains are the systems that move products or services from suppliers to customers, and they are only growing more complicated in today’s hyper-connected world. Each supply chain contains activities, information, organizations, people, technologies and resources that are vital to government operations. Consequently, it is a top priority for agencies to understand their supply chains, put controls in place, monitor them and help defend them. Agencies that fail to understand their supply chain risks may spend significant energy, money and time addressing disruptions to their missions.
To learn how agencies can better monitor their supply chains, GovLoop spoke with Rob Carey, Vice President/General Manager, Global Public Sector Solutions, and Dan Carayiannis, Archer Government Public Sector Director, at RSA, a cybersecurity and digital risk management solutions provider. They shared three tips for agencies to see supply chain risks more clearly.
1. Develop a risk-based view of supply chains
According to Carayiannis, supply chains create two major concerns for agencies. First, agencies must understand where vulnerabilities and risks exist among their contractors and subcontractors. Second, agencies must understand the technology components contractors leverage to support their organization’s mission.
“Your risk domain has increased significantly,” Carayiannis said of agencies adding contractors, components or both. “You need to account and plan for it. You must assess risk, manage findings and have recovery processes in place not only for yourself, but your contractors as well.”
2. Assemble your supply chain security toolbox
Carey said that many agencies struggle to understand which vendors they contract with, what components they provide, and which manufacturers make them. According to Carey, tools that provide real-time information about these factors can boost agencies’ supply chain security.
“The world for cyber professionals is getting more complex, but the right tools will help simplify things,” he said.
RSA’s Archer platform is one example of a tool that can help agencies quickly assemble information about their supply chains. In turn, this data helps agency leaders make smarter decisions about supply chain management.
3. Move to continuous monitoring
Continuous monitoring can help keep supply chains secure. It is a process that can make supply chain management more mature, robust and thoughtful. Continuous monitoring involves building risk profiles of a supply chain’s main vendors and monitoring them for danger in real time. As a result, agencies understand the threats and risks they face across their supply chains’ ecosystem.
Tools such as RSA’s Archer platform can help agencies recognize, respond to and track risk remediation initiatives across their supply chain, including contractors and subcontractors as well as technologies.
“A hyperconnected world demands that the supply chain be examined, and that supply chain risk management be part of the language of the CIO [chief information officer] and CISO [chief information security officer] so that they can continue to do their jobs,” Carey said.
This article is an excerpt from GovLoop’s recent report, “Meeting the Requirements of the Supply Chain Imperative.”