Continuing its efforts to create a capability to assess risks to cyber supply chains, the Department of Homeland Security is conducting market research to learn about industry capabilities to identify and mitigate risks in the supply chains of information and communications technology (ICT).

An Aug. 17 Request for Information (RFI) says the government is interested in cyber risks to ICT hardware, software, devices and cloud services. The request identifies two categories of capability offerings that are of interest: supply chain risk due diligence information, and the tools, products or system solutions used to deliver that due diligence information.

The Trump administration and some Republicans in Congress in July proposed legislation aimed at helping federal agencies strengthen the security of their cyber supply chains, and DHS has said it is developing a risk framework for the supply chain. In June, a bipartisan group of senators introduced a bill to create a federal council that would assess national security risks to the IT supply chain, and in July DHS stood up the National Risk Management Center, which centralizes collaborative risk management efforts to better protect the nation’s critical infrastructures.

“The government anticipates due diligence research will be conducted on selected suppliers that provide products, services, or solutions which connect in any way to a stakeholder information system or which contain, transmit, or process information provided by or generated for the stakeholder to support the operations and assets of a stakeholder entity,” the DHS RFI says. “Possible subjects of due diligence research include all companies directly involved in delivery of products, services, and solutions to stakeholders, through all tiers of the supply chain.”

Homeland Security Secretary Kirstjen Nielsen on Aug. 14 told a trade symposium hosted by Customs and Border Protection that “Many of you oversee global supply chains, so you must not only secure your networks but work with your customers, suppliers, vendors, and even other governments, to ensure that someone else’s insecurity isn’t an entry point for a debilitating disruption, or worse. Do you know where your weakest link is?”

Later in her presentation, Nielsen said, “If you are a big company, what can you do to help your smaller vendors, suppliers and customers raise their baseline of security? Can you share best practices? Can you provide technical resources and support? If you are a small company, who can you reach out to for help?”

Among other things, the supply chain risk management capability that DHS plans to create to support stakeholders will enable information sharing, be an “automated process supported by threat analysis,” minimize duplication of efforts, and align with current practices. Responses are due by Oct. 10.