A dependable supply chain of secure information and communication technology underpins U.S. national security. In mid-December 2020, the Cybersecurity and Infrastructure Security Agency (CISA) issued an emergency directive to federal agencies to “immediately disconnect or power down SolarWinds Orion products” from their networks. CISA determined that malicious actors were exploiting SolarWinds Orion products, posing an “unacceptable risk” to federal agencies.
“Treat all hosts monitored by the SolarWinds Orion monitoring software as compromised by threat actors and assume that further persistence mechanisms have been deployed.”
Emergency Directive 21-01
According to CISA, Information and Communication Technology (ICT) systems are central to the nine National Critical Functions. ICT is a broad term that includes all computer, software, networking, telecommunications, internet, programming, and information system technologies. Disrupting any of the nine National Critical Functions would have a “debilitating effect on security, national economic security, national public health or safety, or any combination thereof.”
This event, and numerous others like it, emphasizes the need for rigorous risk management frameworks to steer the procurement of ICT at federal agencies.
At the Department of Homeland Security (DHS), the mission of the Office of the Chief Information Officer (OCIO) is to Protect, Connect, and Perform. Its job is to procure and implement IT systems and infrastructure to support every DHS mission and activity. These services prevent and deter terrorist attacks in the U.S. and secure and safeguard its borders and cyberspace. For this reason, the OCIO is “focused on delivering world-class IT” to ensure the security of all Americans.
Managing risks and threats to the DHS IT and communications technology supply chain remains a top priority as well as a constant challenge. To address these concerns, the Acting Secretary of Homeland Security asked the experts on the Homeland Security Advisory Council four questions:
- What additional steps should DHS take to identify and mitigate its ICT supply chain risks?
- How effective are DHS’s procurement efforts, and how might it increase the security of its ICT products?
- How might DHS better use its full suite of cybersecurity, law enforcement, trade, and customs authorities to identify and reduce ICT risks?
- In what areas might DHS better collaborate with the private sector to increase its shared understanding of supply chain vulnerabilities and threats?
In November 2020, a subcommittee of the Homeland Security Advisory Council (HSAC) delivered a report, recommending how DHS can meet its ICT challenges and produce a robust and secure network. Several recommendations focused on procurement, including an examination of the effectiveness and security of DHS procurement procedures. HSAC found that the Office of the Chief Procurement Officer at DHS lacked sufficient authority to secure all ICT products used across DHS, namely unclassified technology. The Chief Procurement Officer, Soreya Correa, relayed to HSAC that classified products were easier to secure at DHS because of well-defined requirements and a consistent list of vendors. Her office could easily reject vendors because acquisitions rules favor the government’s discretion.
As a result, HSAC first recommended that DHS “develop an effective and robust risk management framework to guide ICT procurement across the government, with particular emphasis on unclassified systems.” Experts advised DHS to develop more stringent guidelines for unclassified technologies, including the creation of a risk management framework:
- Assess the potential consequences of successful attacks on the Department’s ability to execute its critical missions. Who are the key adversaries, and what would these adversaries gain by disrupting unclassified ICT systems?
- With the help of the intelligence community (IC), assess the vulnerabilities of those systems to supply chain corruption, and understand how and where adversaries are conducting attacks against the procurement system and its technologies.
- Work with the IC to identify specific threats of greatest significance to unclassified ICT supply chains and products.
HSAC further recommended that the risk management framework should include: identifying all aspects of vendor and subcontractor relationships; mapping out the entire supply chain; developing customized risk rating and mitigation methodologies; and assessing how key ICT systems function under stress.
Perhaps the most novel HSAC recommendation was for government agencies to cooperate with each other, share knowledge, and establish consensus on risk tolerance and standards across the whole of government.
“DHS should take the lead in building out a more widely applicable risk management framework.”
The report laid out a rationale for a common framework that all agencies could easily understand and consistently apply throughout all government departments and agencies.
At WBD, our risk management experts can help your organization build frameworks and processes to manage systemic risk. We leverage decades of experience in management consulting, analytics, and risk management to forecast potential threats and areas of focus. These insights are subsequently aligned with best practices that suit your goals for tomorrow. WBD is supporting the Joint Service Provider — the agency that defends the Department of Defense’s key cyber terrain and provides IT services to Pentagon and National Capital Region customers.
Author: Mary Jane Maxwell, Lead Consultant at Washington Business Dynamics.