






















By Ken Walker, President & Chief Executive Officer, Owl Cyber Defense
Government agencies are under siege from ransomware and incredibly sophisticated cybersecurity threats, such as the 2020 SolarWinds supply chain attack. To help fight back, lawmakers are introducing steps to broaden defenses through non-traditional approaches. The Supply Chain Security Training Act (SCSTA) bill, recently passed in the U.S. Senate, would extend cyber responsibilities to federal employees with supply chain risk management responsibilities, like program managers and procurement professionals.
This is a much-needed step. SCSTA directs the General Services Administration (GSA) to develop a training program for federal employees that will help them identify and reduce agencies’ supply chain risks. Extending security responsibilities in this way is practical and necessary to widen the resource pool for tackling cyber risks, particularly given the shortage of people with hard technical skills who are battling supply chain threats. At this point, everyone needs to stay vigilant and not expect security to be someone else’s responsibility.
While SCSTA would obligate another element among current job training requirements, it is vital – even for non-technical employees – to understand the security angles of technologies they are acquiring. Focusing on specific vendor practices for both physical and digital supply chains will drive a thorough assessment of cybersecurity across a vendor’s entire process, sub-supplier requirements, and risk mitigation policies.
To get started, agencies can frame the discussion around a few simple but strategic questions: what are the supply chain security risks in what you’re offering me? In what ways could your product be compromised? How could the product be installed or integrated incorrectly that might cause or increase cyber risk? Then drill down into specifics. Here are some ideas of what to probe:
For physical systems:
For software applications:
Even with elevated training, it can be complicated for program managers and procurement professionals to interpret vendor input for particularly technical situations. Consulting with internal cyber experts can help when vetting a vendor’s response. Still, in the face of supply chain shortages that are already straining the acquisition process, and the growing number of cyber threats, these roles will certainly get harder.
SCSTA represents a big task. Yet taking such steps is vital in the modern threat environment. Cybersecurity is not an endpoint, it is a journey. Legislation like the SCSTA is a call to action for strengthening layers of national cyber defenses with the resources we already have. More people understanding the risks, asking the right questions, and knowing what to look for, will go a long way in making agency systems – and the country – more secure.
此内容由惯性聚合(RSS阅读器)自动聚合整理,仅供阅读参考。 原文来自 — 版权归原作者所有。