Page 6 - Federal Computer Week, March/April 2019

ISO Secure Supply Chain
DO YOU KNOW WHERE YOUR IT HAS BEEN? Securing global supply chains can protect your agency from a world of hurt.
The country’s top intelligence chiefs went to Capitol Hill last year and sounded an alarm. FBI Director Christopher Wray, then-CIA Director Mike Pompeo and their counterparts in the country’s security infrastructure told the Senate Intelligence Committee that smartphones from Chinese manufacturer Huawei could be used to maliciously modify or steal information and to “conduct undetected espionage.” Given the ubiquity of mobile devices, the potential for compromised phones to undermine national security is incalculable.
The hearing was a stark warning of the perils posed by global supply chains – and the imperative to secure manufacturing and distribution channels. The growth of an international cybercriminal industry and state-sponsored cyber espionage has made increasingly clear the necessity of ensuring the integrity of IT systems and software acquired by U.S. government agencies. Other factors with the potential to undermine that integrity are robotics and the evolution of smart technology, including the Internet of Things (IoT).
“To combat intrusions to an integrated supply chain requires understanding geographical and economic factors that contribute to these risks,” says Charlotte Lewis, CDW·G’s senior manager of business process transformation. The scope of the challenge, however, is bigger than some agencies’ capacity to manage it. “Agencies are responsible for evaluating risks posed by IT for themselves,” yet some don’t have the capability to perform supply-chain risk checks, according to a June 28, 2018 report from the Congressional Research Service.

As such, the most potent response to supply-chain challenges frequently is rigorous compliance with risk frameworks developed by U.S. organizations such as the National Institute of Standards and Technology (NIST), and with global security standards administered by organizations such as the International Organization for Standardization (ISO).
“The aim is to protect the integrity of products, end to end, so that they are delivered to the user in the form the original equipment manufacturer (OEM) intended,” says Byron Holden, vice president for procurement at CDW·G, a major IT provider to government. CDW·G promotes a supply-chain security program based on the ISO 28000 standard, which was developed to ensure supply-chain security.
Security Challenges
The Department of Defense, under the Defense Federal Acquisition Regulation Supplement (DFARS), sets out its own requirements for supply-chain risk management, and NIST addresses supply-chain risk management in its Special Publication 800-161. Even those requirements, by themselves, are not enough, according to CDW·G.
“The NIST framework says what you should do, but it doesn’t  the framework is actually being followed,” says Sheryl McCurnin, senior manager for federal programs at CDW·G. “Until a third party comes in and audits
When Supply-Chain Security Is of No Concern to You
Think what would happen to your critical mission if your systems failed because of counterfeit equipment. That catastrophe is what global supply-chain security guards against, says Sheryl McCurnin, CDW·G’s senior manager for federal programs.

CDW·G has developed an enterprise program built around ISO 28000 and ISO/IEC 20243 to secure the supply chain and keep intrusions out of it.

“Supply-chain security is already a part of our DNA, so if [agencies] come to us for products, that’s what they also get,” McCurnin says. As more solicitations include ISO requirements, it will become even easier to deliver global supply-chain security to federal 