Supply Chain Risk Management Isn’t Just About the Supply Chain

Concerns over the risk to federal networks from supply chain threats have led to a slew of new government measures over the past two years aimed at mitigating this risk.

These include the Cybersecurity Maturity Model Certification (CMMC), which prescribes specific cybersecurity standards for suppliers to the Defense Department (DoD). The federal government has also banned its agencies and suppliers from using products that have been deemed extremely risky. But, according to Katherine Gronberg, Vice President for Government Affairs at Forescout Technologies, government IT users must also bear responsibility for implementing the proper policies and controls so that supply chain risk that is unknown or unavoidable can be mitigated after deployment.

Gronberg shared three ways federal agencies can leverage Forescout to mitigate risks to hardware and software deployed to federal networks.

1. Continuously monitor device behavior

The National Institute of Standards and Technology (NIST) recommends agencies have continuous and comprehensive awareness of the IT assets coming and going from the network. “Monitoring all devices while they’re connected gives agencies the ability to identify anomalous device behavior and take action,” Gronberg said. This is the overarching objective of two major federal cybersecurity programs, the Continuous Diagnostics and Mitigation (CDM) program for civilian agencies and the Comply to Connect (C2C) program for DoD.

“The government should implement policies that incentivize or require better security practices from suppliers. But it also needs to ensure agencies can remain secure even when their devices are not.”

2. Segment devices into like groups

Network segmentation isolates devices and device communications into separate areas of the network to limit their access. According to Gronberg, “Proper network segmentation can prevent attackers from communicating to a compromised device, and it can block the unauthorized exfiltration of data.”

As a control category, network segmentation is moving toward dynamic segmentation, in which segmentation policies are enforced automatically and in real time to separate traffic for any user or device. “Forescout profiles devices in real time as they connect and disconnect from the network, enabling the application of segmentation rules based on this real-time data,” Gronberg explained.

3. Aspire to Zero Trust

Zero trust is an end-state where devices and users can only access network resources if they have demonstrated the requisite level of security and authorization. It requires continuous assessment of these devices and users while connected. The Forescout platform enables customers to identify all the devices connected to their networks and provides them real-time, in-depth information around these devices. It then allows customers to use this information to take actions and build policies that improve overall security posture. “Forescout believes all assets should be distrusted, regardless of where they’re made or who makes them,” Gronberg said.

Federal agencies today are better equipped to implement these best practices because of the Forescout capabilities they have received through the CDM and C2C programs. “The federal government has realized that managing supply chain risk is not just about vetting or prohibiting suppliers and products. It is also about helping agencies use them safely,” Gronberg said. “CDM and C2C are doing this.”

This article is an excerpt from GovLoop’s recent report, “Meeting the Requirements of the Supply Chain Imperative.” Download the full report here.
