Page 36 - FCW, March/April 2021

Cybersecurity
Mixed reviews for cybersecurity assessment tools
The National Institute of Standards and Technology offers a Cybersecurity Framework to help agencies conduct assessments, but Waldron said such frameworks are not always reliable because they can be implemented incorrectly and they don’t help agencies understand how to adapt to new threats.
Similarly, Chris White, chief security officer at BlueVoyant and a former contractor for the National Security Agency, said the reviews will likely conclude that most industries lack the data to determine whether they have sufficient cybersecurity controls protecting their supply chains.
“There will be a big fat goose egg of, well, we were able to understand that we know there’s a problem [and] we know there is risk, but we have no insight into how to measure that risk” and don’t know how to reduce it, he told FCW.
White said many cybersecurity frameworks often aim to establish “comprehensive, mutually exclusive, perfect requirements,” which makes them unwieldy and difficult to explain to the executives who make decisions about how to invest in cybersecurity.
However, he praised NIST for creating a framework that can be understood by engineers and an organization’s top executives.
“We all need to be reading from the same sheet of music,” White said. “I think the call to action here is the need for a standard that solves the critical problem that NIST solved, which was that it can be universally interpreted by engineers at the low technical level, but...be boiled up into a very simple message surrounded by five concepts that any board anywhere can understand.”
Gaining visibility into every stage of a supply chain
Another challenge will be gaining visibility into the entire supply chain, said Blake Moore, former chief of staff for the Defense Department’s CIO and now vice president of strategy and operations at Wickr. He described the various levels of a programmatic supply chain, starting with a developer creating a piece of software and continuing all the way to the integration of a system of systems.
“If you walk that chain back, it exponentially grows as far as the potential avenues of vulnerability as you move further down the supply chain,” he said. “I think they’re going to realize that visibility across the entire process needs to be clear,
House task force focuses on supply chain security
The House Armed Services Committee has launched a task force to investigate vulnerabilities in the defense supply chain, concerns about foreign manufacturing and related issues raised during the pandemic.
Rep. Elissa Slotkin (D-Mich.), who serves as co-chairwoman of the new Defense Critical Supply Chain Task Force, told reporters on March 10 that “the experience of our totally disrupted supply chains in the early part of the pandemic was a pretty searing experience.”
Supply chain vulnerabilities have long been a concern at the Defense Department but have gained increased attention in recent years, particularly with regard to foreign manufacturing of technologies such as small drones, semiconductors and microelectronics.
The task force will spend three months on developing legislative solutions that can be included in the National Defense Authorization Act for fiscal 2022. The members will examine material production, manufacturing and access points, and their activities could be extended for an additional three months if necessary.
Rep. Mike Gallagher (R-Wis.), the task force’s co-chairman and previous co-chairman of the Cyberspace Solarium Commission, said the new task force will build on the commission’s work by zeroing in on cybersecurity vulnerabilities to the government’s supply chains.
“That’s going to be our challenge going forward — to keep us really focused [and] keep the final report short as a plan of action without it commenting on everything,” Gallagher said.
Slotkin added that “sometimes the marketplace just doesn’t get it right, and we, without intending to, create real national security vulnerabilities for ourselves by allowing the free market to just decide where they want to build these things.”
The bipartisan task force also includes Reps. Donald Norcross (D-N.J.), Chrissy Houlahan (D-Pa.), Mikie Sherrill (D-N.J.), Don Bacon (R-Neb.), Michael Waltz (R-Fla.) and Stephanie Bice (R-Okla.). Together, they will strive to come up with solutions that tap U.S. allies and don’t require producing everything DOD needs in the United States, Gallagher said.
“I’m hoping that, as the Biden administration has federal agencies conduct their reviews pursuant to the supply chain executive order, they’ll focus less on ‘buy America’ and more on this idea of ‘buy ally,’” he added.
— Lauren C. Williams



















































