This is part two in a multipart commentary on supply chain security. For part one, click here.

Federal departments and agencies are obligated by the Federal Information Security Modernization Act (FISMA) to protect the confidentiality, integrity and availability of defined categories of federal information (“controlled unclassified information,” or CUI) and of the information systems that host, process or transmit that information. But FISMA compliance alone is often not enough to secure the federal supply chain against software threats and cyber-physical dangers.

FISMA is directed at protecting against network and information system attacks that can compromise federal CUI. Present federal efforts give comparatively little attention to cyber-physical threats, such as corruption of firmware or other types of software that produce unwanted and adverse effects on connected equipment. Measures intended to protect IT, even where successful, may do little to secure operational technology.

Spurred by Congress, DoD requires its larger contractors to implement systems and procedures to detect and avoid counterfeit electronic parts. On its own initiative, DoD has implemented DFARS procurement regulations and contract requirements to make all DoD suppliers safeguard controlled technical information of military or space significance and other CUI types, using NIST security principles.

DoD’s actions address the risk that the supply chain might deliver counterfeit parts and the cyber threat to the confidentiality of information and information systems that host CTI and other forms of CUI. To protect contractor information systems against network-delivered attacks, DoD requires contractors to employ the 110 safeguards of NIST Special Publication 800-171.

The present challenge is to identify, detect, defend against, respond to or recover from software-delivered cyber-physical attacks on operational technology – for example, industrial control systems, supervisory control and data acquisition, programmable logic controllers and other systems that operate manufacturing facilities and infrastructure. SP 800-171 is not intended to protect these systems.

Civilian departments have done less than DoD against supply chain threats. For years, civilian agencies have considered a counterpart to the DoD “cyber DFARS” that would require protection of CUI when it is shared with non-federal entities. There currently is no such regulation or requirement, but an inter-agency effort is proceeding that may produce a regulation, like the “cyber DFARS,” requiring non-federal entities to use NIST SP 800-171 safeguards to protect all CUI they receive from a federal agency.

DoD presently has special authorities, not available to all federal departments and agencies, to avoid counterfeit electronics and to exclude high-risk sources. Generally, civilian agencies take no regular and direct measures, beyond ordinary quality and conformance requirements, to require suppliers or service providers to secure their supply chains or to report and remedy supply-chain attacks. But adversaries will not limit hostile activities to the defense sector.

The president’s executive order from May 11, 2017, holds heads of executive departments accountable for managing cybersecurity risk to their enterprises and calls on the executive branch to support the cybersecurity efforts of the owners and operators of critical infrastructure. It further requires a report on the cybersecurity risks facing the defense industrial base, including its supply chain. These are commendable in intent, but more policies, efforts and reports do not produce objective improvements in security, nor do they necessarily change the security practices of commercial enterprises.

It’s critical to recognize that threats to private industry affect government interests. Federal action on cyber and supply chain threats focuses on federal information systems and on contractors for supplies, systems or services. Attacks upon utilities, transportation facilities or other aspects of critical infrastructure can produce discomfort, inconvenience, economic loss, property damage or even personal injury or death. Attacks upon civil logistics providers, even where their facilities are located in the continental United States, can inflict damage on defense business and erode the ability of commanders to deploy forces and execute missions on foreign soil.

Robert Metzger is a shareholder of the law firm of Rogers, Joseph O’Donnell, PC and head of the firm’s office in Washington, D.C. As a special government employee of the Department of Defense, he was a member of the Defense Science Board (DSB) Task Force that produced the Cyber Supply Chain Report in 2017. He is active in other public-private initiatives, including cyber and supply chain security work for the MITRE Corporation.