In a previous blog we talked about what cybersecurity looks like for the government. It’s not enough for agencies to protect their own infrastructure and data. Like other industries, government agencies are hyperconnected and cybercriminals regularly target government contractors as their entry vector to gain access to highly sensitive and classified government data. That’s why government contractors or entities that would even like to do business with the government in the future are required to also do their part to make the supply chain ecosystem resilient — and it’s not only good practice, it’s the law.
Find out what goes into securing the public sector supply chain, and how doing so will help prevent data breaches, critical services disruptions, and national security threats.
Securing Your Government Supply Chain
Cybersecurity supply chain risk management needs to be top of mind for all public sector entities. It can come from the top-down (state and federal entities requiring that cybersecurity standards be met) or from the bottom-up (government contract-hopefuls arriving already compliant and ready to do business). Either way, there cannot be a crack in the armor of government cybersecurity, or attackers will find a way through. CISA warns specifically about software supply chain attacks, which could affect nearly every branch and organization of government that engages in digital practices — in other words, all of them. And that includes even their contractors’ contractors. In 2011, a large government contractor was compromised when their SecurID tokens, issued by vendor RSA Security, were hacked.
Cybersecurity Solutions for Government
Agencies facing top-level threats require top-level security. While corporate entities are barraged by a slew of low-level threats, hacking-as-a-service campaigns, and spray-gun malware, government entities are exposed to higher-level threats. Advanced persistent threats (APTs) have been active this past year in attacking government entities, and the security vendors a government agency chooses must provide robust solutions that have proven to be able to address the highest level of threats and adhere to the highest level of federal compliance requirements.
Supply Chain: Risk Management and Cybersecurity
Just like private enterprises, government agencies need to understand the level of risk brought in by each one of their partners. Each contractor has their own downstream vendors, developers, and access to open-source code. Not all of those may be properly vetted. Ideally, supply chain partners should be brought up to the same standard of cybersecurity as the government entity itself requires, as attackers will access the agency via any weak link. Some companies give out a questionnaire, issuing a FICO score of sorts identifying the level of cybersecurity vigilance. And recently, laws like the Cybersecurity Maturity Model Certification (CMMC) have cropped up to ensure that third parties — the Defense Industrial Base (DIB) in this case — adhere to a uniform set of bare-minimum government cybersecurity standards. Companies like Fortra can help DIB contractors comply with CMMC requirements and stay in the running for government contracts.
Securely Sharing Government CUI
Government entities rely on contractors to perform a wide variety of business functions. Contractors regularly possess and process sensitive data to deliver the products and services that satisfy those business functions. This type of data is commonly referred to as controlled unclassified information (CUI). Even though this data isn’t classified, it still needs to be protected, and any collaboration involving it still needs to be secure.
Continuous Monitoring and Incident Response
Since contractors provide a path into a government agency, cybercriminals will use stealthy attack methods to get past the first line of defenses and hide until they have an opportunity to move into the government agency itself. Entities that do business with the government require round-the-clock threat monitoring with advanced detection to surface criminal activity, and a plan in place to immediately contain and eradicate the threat.
Cyber Awareness Training
Cybercriminals depend on human error to carry out their attacks. According to the Verizon Data Breach Investigations Report, 74% of data breaches come from human error. That’s why cybersecurity for government contractors requires an equal amount of security awareness from their employees as well. Downstream partners must ensure they have ongoing security awareness training to keep employees up to speed on the latest tactics being used by criminal actors, because tactics that fail against government defenses will be tried against other defenses down the line. If these supply chain partners aren’t prepared, their employees could be the cause of a massive government breach.
Zero Trust Government Supply Chain
What’s good for the private sector is equally good for the public, if not more so. State and federal entities today cannot afford to operate on anything other than the principle of least privilege, and all solutions should be configured or reconfigured with zero trust in mind. Gone are the days when vulnerabilities and holes get overlooked or forgotten (at least by attackers). Shoring up old infrastructure, especially security-weak operational technology (OT) infrastructure, should be a top priority for government organizations and their contractors.
Risk Management Framework for Supply Chain
Government agencies perform ongoing risk assessments to identify potential vulnerabilities which need to be addressed. Government contractors need to do the same and demonstrate proof of an ongoing vulnerability management program that includes a disciplined patching program along with a regular cadence of penetration testing. This helps minimize the attack footprint.
Government agencies today need to be awake and alert to the cybersecurity challenges introduced by their third parties. A secure supply chain ecosystem is key to keeping the “crown jewels” safe, and all the public sector cybersecurity measures in the world are only as good as the networks they are attached to. If there is a weak point anywhere in that chain, it’s only a matter of when that connected agency will be attacked. Fortra can help federal and state organizations improve their supply chain cybersecurity and help ensure no downstream supplier puts a hole in their boat.