CISA to Set Up New Office for Supply Chain SecurityFormer GSA Administrator Leading Effort to Tackle Software Supply Chain Issues
U.S. federal authorities are establishing an office to tackle supply chain security issues and help the industry and partners put updated federal guidance and policies into practice.
Shon Lyublanovits, a former General Services Administration official, says she is spearheading the initiative. She now leads the project management office for supply chain risk management, or C-SCRM, within the Cybersecurity and Infrastructure Security Agency's cybersecurity division.
"We've got to get to a point where we move out of this idea of just thinking broadly about C-SCRM and really figuring out what chunks I want to start to tackle first, creating that road map so that we can actually move this forward," says Lyublanovits, who spoke this week at a private event organized by a Washington-based media firm and was quoted by Federal News Network.
CISA, part of the Department of Homeland Security, first raised the issue of supply chain security in December 2018, when it established the information and communications technology SCRM task force, "a public-private partnership charged to identify and develop consensus risk management strategies to enhance global ICT supply chain security."
The task force is composed of federal government and industry representatives from across the IT communications sectors and is the agency’s "center of gravity for supply chain risk management partnership activity," according to CISA.
A spokesperson for CISA was not immediately available to provide additional details about the new supply chain office.
In January, CISA released a handbook, "Securing Small and Medium-Sized Business Supply Chains," that provides an overview of supply chain risk categories commonly faced by ICT SMBs, including cyber risks.
The task force also promotes software assurance and the benefits of tracking software components in a software bill of materials, and it explores ways to build partnerships to enhance ICT supply chain resilience.
NIST's Revised Framework
Last year, the National Institute of Standards and Technology released a revised set of guidelines for supply chain cybersecurity risk management to help organizations protect themselves as they acquire and use technology products and services.
It provides guidance on identifying, assessing and responding to cybersecurity risks throughout the supply chain at all levels. "The guidance helps organizations build cybersecurity supply chain risk considerations and requirements into their acquisition processes and highlights the importance of monitoring for risks."
Jon Boyens of NIST and the author of the revised guidelines told Information Security Media Group that the need to manage supply chain cybersecurity is here to stay.
"If your agency or organization hasn't started on it, this is a comprehensive tool that can take you from crawl to walk to run, and it can help you do so immediately," he says.