Recent security breaches via software have made supply chain security a priority across government. No longer is it enough to build security into a solution; now every product that is part of that solution is being examined for its security and risk. In response, the Biden Administration issued a Cybersecurity Executive Order that aims to provide more control over the content of code that comes in contact with government systems and infrastructure.
With a number of high-profile security hacks involving widely used software, government agencies are refocusing on their own security measures and on those of the vendors and service providers that work with them. This shift in focus was already under way before the recent hacks, in anticipation of attacks just like the ones we have now seen.
In January of 2020, the Defense Department introduced the Cybersecurity Maturity Model Certification (CMMC), a unified standard for implementing cybersecurity across the defense industrial base (DIB), which includes over 300,000 companies in the supply chain. Contractors have always been responsible for implementing and documenting security for the IT systems that touch sensitive government data. Under CMMC that responsibility continues, but a contractor's compliance must now also be assessed by a third party.
This spring, the concept of supply chains became a household discussion as families searched high and low for staples like toilet paper, flour, and hand soap. However, the supply chain for government is more complex than the supply-and-demand-driven model for consumer goods. Government supply chains must also be monitored for security and foreign involvement, which means knowing where every part of a solution was manufactured, programmed, and assembled.
Gregory C. Wilshusen, director of information security issues at the U.S. Government Accountability Office, noted that "supply chains can be long, complex, and globally distributed and can consist of multiple outsourcing tiers. As a result, agencies may have little visibility into, understanding of, or control over how the technology that they acquire is developed, integrated, and deployed."
This lack of visibility is due in part to incomplete vendor reporting. Not only do vendors have to manage all the pieces of their solution, they may themselves be managed by several different organizations within a single agency. Reporting happens through numerous tools and is siloed, making it difficult to get a full picture of the chain that led to the delivery of a solution to a government agency.
The phrase "Supply Chain" may make you immediately think of retail giants like Amazon and Walmart or manufacturers like GM and John Deere, but government is highly reliant on secure supply chains. A supply chain is the network of all the people, organizations, resources, activities and technology involved in the creation and sale of a product. It encompasses everything from the delivery of source materials from the supplier to the manufacturer through to the eventual delivery of the finished product to the end user. In government, supply chains have come front and center with the Trump administration's rulings banning government use of products from certain Chinese manufacturers, citing concerns that the products could contain a means for the Chinese government to spy on the U.S. Companies selling technology to the government have to be able to trace the source of every element of their products to ensure that nothing originated with the banned manufacturers.
Being able to do this requires a mature supply chain process and solution. Interagency committees have been established to determine best practices in securing increasingly complex supply chains. Understanding supply chains is an expensive undertaking and one survey found that small and mid-sized businesses are opting out, counting on the fact that they will not be the ones called out to defend their supply chain to government. This mentality may not be an option for long.
DoD is getting more and more prescriptive in its security and supply chain guidance, adding the review of contractor purchasing systems to bid reviews. GSA has also explored banning the use of refurbished IT, since that category includes products whose supply chain cannot be reconstructed.
The rules and regulations around supply chains can seem just as complex as the chains themselves. Luckily, it's a topic of discussion at a number of upcoming events.
We've been watching the use of blockchain grow in the government space as agencies look for ways to share their data more efficiently and securely. A Congressional Resolution was introduced to tout the promise of blockchain, saying that "blockchain has incredible potential that must be nurtured through support for research and development and a thoughtful and innovation-friendly regulatory approach." Following this encouragement from Congress, it seems like each day there is a new application of the technology being tried and evaluated.
We've gathered a couple of applications that we found interesting to help illustrate what blockchain is and what it can do.
Supply Chain - The Navy is looking to use blockchain to track aviation parts throughout their lifecycle, helping it better manage its supply chain. Similarly, the FDA is looking at how blockchain can better track the chain of custody of prescription drugs. In a related application, blockchain is also being considered as a way to better track the chain of custody of digital evidence in criminal cases.
Managing Public Records - State and local organizations are using blockchain to digitally distribute records, including marriage certificates, property titles, and business registrations.
Voting - Blockchain is being tested as a way to make it easier for service members and overseas citizens to vote. Last fall, 144 West Virginia voters living abroad were able to vote through their mobile phones via an app. Identities were confirmed by scanning a valid U.S. ID along with a selfie. Once identity was confirmed, voters made their selections on the same ballot they would have used at their local precinct. Voters were then given a unique ID, or hash, that allowed their cast vote to be written to the blockchain. Each submission was encrypted and recorded on the blockchain ledger, which gave election clerks the ability to conduct post-election audits.
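The property that both the parts-tracking and the voting examples above depend on is the same: once a record (a custody event, a cast ballot) is written to a hash-chained ledger, any later change to it, or to anything written before it, breaks the chain and is detectable in an audit, and the hash handed back to the submitter doubles as a receipt that the record is present. The following is an added example written for this page; it is not code from the West Virginia pilot, the Navy, or any other project named here. It models a single-writer, in-memory ledger with constructed sample ballots (the names, tokens, and choices are made up). A real blockchain adds what this example deliberately leaves out: copies of the ledger held by several independent parties so that no single operator can quietly rewrite every copy.

```python
"""Minimal hash-chained, append-only ledger (illustrative only, not any real
election or supply-chain system). Demonstrates two properties the page's
examples rely on: a tamper-evident record, and a receipt (hash) that the
submitter can use later to confirm their entry is on the ledger."""
import hashlib
import json
from dataclasses import dataclass, field
from typing import List, Optional, Tuple


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


@dataclass
class Entry:
    index: int
    prev_hash: str          # hash of the preceding entry ("" for the first one)
    payload: dict           # the record being notarised: a ballot, a custody event, ...
    entry_hash: str = field(default="")

    def compute_hash(self) -> str:
        # Canonical JSON (sorted keys, no whitespace) so identical content
        # always produces an identical hash regardless of dict ordering.
        body = json.dumps(
            {"index": self.index, "prev_hash": self.prev_hash, "payload": self.payload},
            sort_keys=True, separators=(",", ":"),
        ).encode()
        return sha256_hex(body)


class Ledger:
    def __init__(self) -> None:
        self.entries: List[Entry] = []

    def append(self, payload: dict) -> str:
        """Append a record and return its hash, which serves as the receipt."""
        prev = self.entries[-1].entry_hash if self.entries else ""
        entry = Entry(index=len(self.entries), prev_hash=prev, payload=payload)
        entry.entry_hash = entry.compute_hash()
        self.entries.append(entry)
        return entry.entry_hash

    def verify(self) -> Tuple[bool, Optional[int]]:
        """Audit step: recompute every hash and back-link.
        Returns (True, None) or (False, index of the first inconsistent entry)."""
        prev = ""
        for entry in self.entries:
            if entry.prev_hash != prev or entry.compute_hash() != entry.entry_hash:
                return False, entry.index
            prev = entry.entry_hash
        return True, None

    def find_receipt(self, receipt: str) -> Optional[int]:
        """Lets a submitter (or an auditor acting for them) confirm inclusion."""
        for entry in self.entries:
            if entry.entry_hash == receipt:
                return entry.index
        return None


def ballot_payload(voter_token: str, choices: dict) -> dict:
    """Record a commitment to the voter's token rather than the token itself,
    so the ledger does not directly link a name to a ballot. (Illustrative;
    a hash of a guessable token is not a strong anonymity mechanism.)"""
    return {"voter_commitment": sha256_hex(voter_token.encode()), "choices": choices}


def demo() -> dict:
    """Run through the honest path and two tampering attempts.
    All data below is constructed for the example."""
    ledger = Ledger()
    ledger.append(ballot_payload("token-A1", {"governor": "Candidate X"}))
    receipt_b = ledger.append(ballot_payload("token-B2", {"governor": "Candidate Y"}))
    ok_before, _ = ledger.verify()
    receipt_index = ledger.find_receipt(receipt_b)

    # Tampering attempt 1: an operator edits the first ballot after the fact.
    # Its stored hash no longer matches its content, so verify() flags index 0.
    ledger.entries[0].payload["choices"]["governor"] = "Candidate Y"
    ok_after, bad_index = ledger.verify()

    # Tampering attempt 2: the operator also recomputes that entry's hash to
    # cover the edit. Now entry 1's back-link points at the old hash, so the
    # break moves to index 1; hiding it would mean rewriting every later entry.
    ledger.entries[0].entry_hash = ledger.entries[0].compute_hash()
    _, bad_index_after_rehash = ledger.verify()

    return {
        "ok_before": ok_before,
        "receipt_index": receipt_index,
        "ok_after_tamper": ok_after,
        "bad_index_after_tamper": bad_index,
        "bad_index_after_rehash": bad_index_after_rehash,
    }


if __name__ == "__main__":
    print(demo())
```

The audit is `verify()`: a clerk who holds a copy of the ledger can recompute it without trusting the operator's software, and a submitter can check `find_receipt()` against the hash they were given. What the in-memory version cannot do is stop an operator from rewriting the entire chain from the altered entry onward; that is exactly the gap that distributing copies to independent auditors, or publishing the latest hash somewhere the operator does not control, is meant to close.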
Public Health - Blockchain can also speed the delivery of information during public health crises. The Food and Drug Administration is looking at how to use blockchain to share health care data securely and effectively in real time when epidemics like the swine flu threaten the health of the nation.