On Wednesday, October 22, 2021, Rep Ritchie Torres sponsored the DHS Software Supply Chain Risk Management Act of 2021. It aims to strengthen the Department of Homeland Security’s (DHS) infrastructure by offering in-depth visibility to its software supply chain. The new legislation that the U.S. House of Representatives passed in a 412-2 vote was a development in line with the Biden administration’s Executive Order on Improving the Nation’s Cybersecurity. It is aimed to prevent future cyber-attacks on critical DHS infrastructure by allowing the agency to manage the software supply chain with increased visibility.
What does the DHS Software Supply Chain Risk Management Act of 2021 mean to the Vendors?
According to this new act, contractors across the DHS will need to submit a list of their software, including its origins and components, for review. Along with the list, contractors should also submit a certification that each item in the bill of materials is free from specific security vulnerabilities or defects affecting the security of the end product or service, notification of any identified vulnerability or defect, and a plan to mitigate or resolve any identified vulnerability or defect.
“As cyberattacks become increasingly frequent and sophisticated, [the] DHS must have the capacity to protect its own networks and enhance its visibility into information and communications tech or services that it buys,” said Rep. Torres. “As a federal leader in the cybersecurity space, [the] DHS must set an example by modernizing how it protects its networks.”
Such visibility into the supply chain allows the DHS to thoroughly understand the platforms and technologies being utilized, keep an eye out for potential vulnerabilities, and discover ways to fix them.
Importance of Supply Chain Visibility (SCV) in Cybersecurity
Over the years, threats arising due to supply chain vulnerabilities have been a concern because organizations have little to no visibility into the operations of their vendors. The complexity of the SolarWinds attack, the ripples of which are still felt even now, has shown that supply chains can provide a point of entry for cybercriminals. Malicious actors are always on the lookout for less secure vendors who can be easily infiltrated. When these vendors supply to other clients, they introduce malware that can infect all clients within the supply chain at once.
This is a new reality that every organization must accept! You have to make sure that your vendors share your urgency and concern about cybersecurity. If not, these third-party risks will leave every business vulnerable to a cyber-attack.
Benefits of the DHS Software Supply Chain Risk Management Act of 2021
The new legislation will create ways and means for the DHS to identify the vulnerabilities among the thousands of components and pieces of software that various vendors utilize throughout their work.
Each component is coded or built by smaller vendors from across the globe. By identifying the components, the DHS has at least on paper mapped 3-4 levels of touchpoints that may carry potential threats. The next step could be to see the vulnerabilities of these software components and check for ways to fix them or identify if the criminals have already exploited them in any way.
The good news is that no matter who fixes the vulnerabilities, the whole ecosystem will benefit from it. So, vendors should not worry or shy away from being transparent in sharing vulnerabilities because the DHS can bring far greater resources to resolve them than any other vendor could. Such transparency can also aid the vendors in receiving increased business from the government.
SCV was coined as an operations term that could bring more efficiency and transparency to linear supply chains. The same principles applied from a cybersecurity point of view will reduce the risk to the overall ecosystem and provide tremendous confidence in software applications to businesses in the coming years. It will also drive demand for applications that are secure by code and push for regular security updates. Emphasis will shift from buying the most affordable to the most secure products.
Supply Chain Cybersecurity Best Practices
Alliant cybersecurity has identified a few supply chain cybersecurity best practices for you: You can learn more on this topic by visiting our webpage.
- Get a clear picture of the entire threat landscape;
- Follow and insist on following the standards, policies, and governance;
- Move towards zero-trust implementation;
- Implement proper information access management practices; and
- Cover the risk at coders/developers end by practicing secure coding practices.
Are you a vendor for DHS and don’t know where to start with your supply chain vulnerabilities? Get in touch with us. We can get you started right away!