Supply Chain Risk Management
New Cyber Threats are Changing our Risk Assessments
The cybersecurity of the supply chain has become a worrisome issue for the Defense Department. Cyber-attacks continue to reach epidemic proportions. These attacks are not just against government-owned systems, but against defense contractors and their suppliers. What is worse, the Pentagon has very little control over non-U.S. ownership of hundreds of corporations that may not be prime contractors or weapons manufacturers, but still provide somewhat sensitive products and services to the military.
There is also uneasiness about more sophisticated types of espionage, such as the acquisition of American firms that do business with the military. This is all in addition to fears of conventional attacks against Pentagon suppliers that have access to secret and unclassified controlled technical information (UCTI).
The worry is that adversaries could penetrate networks that hold information about the movement of U.S. troops and equipment. This has resulted in the Department taking preemptive measures such as requiring contractors to certify the security of their networks and to report intrusions. The impact of DFARS flows all the way down from the government agencies that issue contracts, through their prime contractors to all sub-contractors, and their sub-contractors, or in other words, “all the way down the supply chain.”
The Defense Federal Acquisition Regulation Supplement (DFARS) is a wide-reaching set of regulations that includes IT-specific security requirements and is fast becoming a mandatory requirement in many DoD contracts.
A noticeable trend is gaining traction in the commercial sector. While some larger businesses have long understood the traditional risks in their supply chains and have worked to address them, some are now, finally, asking their suppliers to complete comprehensive questionnaires aimed at assessing just how secure their sub-contractors’ and suppliers’ IT infrastructure is.
Considering that today’s cyber-attacks can deliver sophisticated, weaponized attachments as well as CryptoLocker and other ransomware, the stakes are very high. A crippled supplier can be shut down for days, or worse, could serve as a stealthy backdoor for an attacker who could then steal purchase order information, alter technical specifications, or launch a lateral attack on other vendors up and down the supply chain. Poisoning the supply chain this way can cause as much disruption as a natural event and be much harder to track down and deal with.