This week, we announced a new panel discussion topic on Supply Chain Security at our February 14th IT Audit conference event. This panel is hosted by Parham Eftekhari, the Executive Director at the Institute for Critical Infrastructure Technology (ICIT), and will feature Fellows from the ICIT discussing emerging trends in supply chain security and the important role agencies can play in spreading these principles throughout their partner ecosystem.
In anticipation, we are sharing two ICIT white papers that will be discussed during the panel discussion.
To better protect critical infrastructure and essential systems, the Pentagon recently announced its intention to begin awarding contracts based on security assessments as well as cost and performance. The strategy, referred to as “Deliver Uncompromised,” is detailed in a proposal by Mitre which contains suggested courses of action that quantify risk, dismantle intra- and inter-government information silos, and prioritize threat mitigation. While the “Deliver Uncompromised” proposal was created to address specific concerns for the Department of Defense and the IT components of its weapons systems, its principles and many of its “Courses of Actions” can be applied to suppliers in all critical infrastructure sectors. In this brief, entitled “Deliver Uncompromised: Pentagon Leadership Can Improve Supply Chain Security Across the Nation,” ICIT discusses the importance of “Deliver Uncompromised” not only to the defense industrial base, but to the national conversation around supply chain security. This analysis includes a discussion on:
- Why “Deliver Uncompromised” can abate security-by-design apathy
- A summary of “Deliver Uncompromised”
- What non-DoD organizations can glean from “Deliver Uncompromised”
- Recommendations for Suppliers and Buyers
The second white paper is called “What We Learned from the Bloomberg-SuperMicro Debate.”
Supply chain security was a pressing problem long before Bloomberg Businessweek published its article alleging that Chinese threat actors compromised SuperMicro’s supply chain. Why are American firms, the media, and the public only now beginning to take notice of the importance of supply chain security when defense, intelligence and other communities have been sounding the alarm for over a decade?
Bloomberg’s October assertion that SuperMicro’s supply chain might be vulnerable should not have been a bombshell viral report. Supply chains in every commercial sector have been vulnerable for over a decade, and not enough has been done by stakeholders to mitigate the risk of compromise. In order to achieve any measure of progress towards supply chain security, government agencies, private companies, the media, the public, and other stakeholders need to demonstrate through meaningful action that the security of the products employed in our critical infrastructure sectors, businesses, and everyday lives is a top priority.
In this paper, ICIT explores our history of ignoring calls to action on supply chain security, lays out both sides of the SuperMicro/Bloomberg debate in an objective manner without giving credence to either argument, and discusses what the global community can learn from the aftermath of this incident and what steps we can take to begin to improve our supply chains.
The authors would like to thank the following ICIT Fellows for their advisement and expertise around supply chain security. The views expressed in this paper are those of the authors, not those of the Fellows listed below.
- Michael Aisenberg, ICIT Fellow & Principal, Cyber Policy Analyst / Counsel, Center for National Security, MITRE
- Jerry Davis, ICIT Fellow & Vice President and Global Chief Security Officer, Lam Research
To hear this and other great topics, register for our GWDC IT Audit in Civilian and DoD Environments Conference on February 14th.
Kenneth joined ISACA in 2013 and presently serves as the GWDC Communications Director. Kenneth also volunteers with ISACA International, where his roles include the Learning Visions Working Group, Identity Management Topic Leader, and Emerging Technology Topic Leader. Kenneth is a Senior Manager for Protiviti Government Services within the Security and Privacy Practice. He holds the CISM, CISA, PMP, CIPP/G, and AWS CCP certifications and is a trained CyberArk Delivery Engineer.