In today’s blog, we’ll take a look at the role of vendor assessments in supply chain risk management (SCRM). We’ll also offer some suggestions of where to start if you’re tasked with protecting your organization’s supply chain or your organization at large, or if you’re just curious to learn more about this aspect of cyber security.
Why Is Supply Chain Risk Management Important?
Supply Chain Risk Management typically extends beyond traditional vendor management to include suppliers and other external parties, such as integrators and even third-party communications providers.
One area where we’ve seen SCRM in focus recently is in countless news articles about Chinese conglomerates Huawei and ZTE. Many government officials, as well as cyber security experts, have expressed valid fears that these companies’ products could pose security risks to end products and users, and even potentially to US infrastructure. Earlier this year, FBI Director Christopher Wray said that products and services provided by Huawei could allow the Chinese government to “maliciously modify or steal information, conduct undetected espionage, or exert pressure or control.”
Beyond counterfeit or compromised products, there are also valid concerns of malicious hackers using vulnerabilities in third-party suppliers to get access to government entities and critical infrastructure. The Department of Homeland Security (DHS) US Computer Emergency Readiness Team (CERT) has repeatedly warned of this.
Besides these far-reaching and global scenarios, most companies don’t have to look too far to find examples of third-party vendors they work with every day who can introduce risk into their business. Given that it’s virtually impossible in today’s business world not to operate using third-party suppliers, the principles outlined here can apply to companies that aren’t necessarily producing or distributing goods.
So, where do you and your security team begin?
Identify Frameworks or Laws to Follow
The first step is to identify the laws or frameworks that apply to your organization. A good place for US companies to start is the NIST Framework, which added SCRM as a new category in 2018.
The Supply Chain Risk Management Practices for Federal Information Systems and Organizations (NIST Special Publication 800-161) is meant to offer guidance for federal agencies, but commercial organizations can learn from it as well. In the assessments I’ve conducted the past few years, I’ve seen many commercial clients successfully adapt the controls in the framework to fit their specific needs.
Information and Communications Technology (ICT) risks are paramount in NIST 800-161, and the guidance attempts to identify and mitigate specific risk factors. Some of those identified in the publication include:
- Insertion of counterfeits
- Unauthorized production
- Insertion of malicious software and hardware
- Poor manufacturing and development practices in the ICT supply chain
Note that this language echoes what the FBI Director said earlier this year. Threats and vulnerabilities created by malicious actors (individuals, organizations, or nation states) are often especially sophisticated. They are difficult to detect, and thus pose a significant risk.
In the course of my NIST work, I was immediately struck by the stark example I recently heard on NPR. The Planet Money Podcast, “Episode 900: The Stolen Company,” tells a compelling, labyrinthine story about an American company that suffered a bizarre case of counterfeits, unauthorized production, and theft.
I highly encourage you to listen to the episode and think about the ICT risks identified by NIST. I can’t come close to telling the story in this blog. Suffice it to say I started thinking very deeply about supply chain risk in ways I had never thought about before – especially the subtle and unexpected ways the supply chain can be compromised. An organization can be totally unaware of bad actors infecting their supply chain.
An example of a state law is The California Transparency in Supply Chains Act. The intent of this law is to document efforts to eradicate human trafficking and slavery from a company’s direct supply chain for tangible goods offered for sale.
Here’s a brief outline of a program a company might use to comply with the California act:
- Hire advisors/assessors on staff to initiate and monitor the program
- Set expectations of prospective suppliers
- Hold initial interview and due diligence of suppliers
- Review supplier compliance regularly
- Get a third-party audit to confirm compliance reports
For its part, the US government is trying to provide additional clarity. The government recently established the Supply Chain Risk Management Task Force, which falls under the Department of Homeland Security (DHS). In July 2019, the Cybersecurity and Infrastructure Security Agency (CISA), along with government and industry members of the ICT Supply Chain Risk Management Task Force, made additional recommendations for securing the supply chain.
Additionally, the group discussed input for the Federal Acquisition Security Council, which further analyzes supply chain concerns. One recent consideration from the Task Force, for example, is to incentivize ICT purchases from the original suppliers and authorized resellers.
Conduct a Vendor Security Assessment
The second step is to conduct a vendor assessment. The focus of the vendor assessment can be broad or narrow. It can even be as general as finding what areas, vendors, or business functions can benefit from an assessment.
Unlike the audit step (which we saw in the California example above), a vendor assessment is collaborative. It is designed to help both parties set a baseline for what’s currently in place and identify any risks. Vendor security assessment goals can include:
- Minimizing threats to data and information via third-party vendors and partners
- Determining if and how vendor security controls are protecting data or the supply chain
- Discovering how vendors interact with your network environment
- Verifying how vendors interact with each other (if at all)
- Gaining confidence when working with a new or critical vendor
- Conducting an initial assessment if the vendor has been in business less than three years
Using a third party to do a vendor assessment is highly recommended. They’re going to look at a lot of avenues, processes, and agreements your organization might not consider.
There are already many complex risks associated with vendors and supply chains in today’s connected world, and it’s only getting worse. Criminals are taking advantage of the confusing and often obtuse connections between global manufacturers and supply chains.
Let’s think back to the example in the “Stolen Company” podcast. This was a sophisticated, established company. They had no idea they were the victim of international counterfeiters until they attended a trade show and got a rude surprise.
If your organization is involved in manufacturing, processing, and shipping goods, or simply concerned with how secure your suppliers or other third-party vendors are, you can’t afford to ignore the issue. Step one is all about finding what laws and frameworks are required and most helpful for your organization. There will likely be several, sometimes many, and your needs may change as your organization grows and the threat landscape evolves.
Once you’ve determined what laws and frameworks may impact your organization, then you need to map out the risks and develop a plan to address them. To minimize risks and make sure security controls are working, hire a third party that can conduct in-depth, independent vendor assessments.