There, I said it. I said it because it’s true. Realistically, your supply chain has probably been compromised at some time or another.
Malicious hardware was discovered within several major companies. Or it wasn’t. Either way, this stuff happens all the time. If altered hardware can make it into the largest technology companies and sensitive government installations, it’s a virtual certainty that a vast number of smaller, less sophisticated companies and government agencies have been infiltrated.
Hardware-based attacks are the coup de grace. Once the hardware has been compromised, it’s over. If an adversary can exploit the hardware, they can own the entire environment, and operate potentially undetected for an extended period of time.
Thus, protecting the hardware is of utmost importance. From whom do you buy your hardware? From where do they buy it? How many layers of distribution and supply exist between you and the hardware vendors? How many times have you bought a piece of hardware from a specific supplier based on cost alone?
Supply chain as system
While these sophisticated incidents are on the rise, the numbers pale in comparison to the constant onslaught of software exploits we see on an almost daily basis. Your customers and users primarily interact with your software systems. And these systems connect to other systems. There are multiple API to API interactions. Your systems talk to others’ systems. And these third-party systems are sharing your data with fourth-party systems. This is literally a chain, and as we all know, a chain is only as strong as its weakest link.
Is Your Company a Federal Subcontractor?: “Although your company may not directly contract with a federal agency to supply goods or services, it may nevertheless be considered a federal subcontractor by virtue of the nature and volume of goods or services you provide to a federal prime contractor. And the stakes are high.”
Defense in depth
The response to risk has been the same for as long as INFOSEC has been a thing: defense in depth. Layer your defenses and mitigate risk at all layers. This will limit your risk. A primary tenet of information security is that risk cannot be eliminated. There will always be some residual risk. But the more places we can inject proven processes and techniques, the lower that risk will be.
Defense in Depth: “Because there are so many potential attackers with such a wide variety of attack methods available, there is no single method for successfully protecting a computer network.Utilizing the strategy of defense in depth will reduce the risk of having a successful and likely very costly attack on a network.”
The Defense Federal Acquisition Regulation Supplement, also known as the bible for doing business with the U.S. Department of Defense, slipped in additional regulations back in 2016 that took effect at the end of 2017 specifically designed to improve the security up and down the DoD supply chain.
If you’re a DoD contractor or subcontractor you’re now contractually bound to protect covered defense information in a very deliberate way. The amended DFARS clause requires that all DoD contractors regardless of size provide “adequate security” and adhere to mandatory incident reporting. The DoD could no longer trust that these third- and fourth-party providers and vendors were protecting the supply chain, and they had legitimate cause for concern. Many of the breaches that have impacted the DoD targeted improperly protected systems several links down the supply chain. Now the entire supply chain is obligated to play an active role in safeguarding our nation’s critical infrastructure.
Guidance for Selected Elements of DFARS Clause 252.204-7012: “There is no single or prescribed manner in which a contractor may choose to implement the requirements of NIST SP 800-171… Ultimately, it is the contractor’s responsibility to determine whether it has implemented the NIST SP 800-171”
The problem is, this far-reaching requirement is both ambiguous and subjective. Earlier this week, Rackspace attended by many sub-contractors struggling with this. What is “adequate”? What is “covered defense information”? What is a “System Security Plan”? This is especially troubling for organizations with limited exposure to government compliance or cybersecurity fundamentals. If you’ve never implemented nor documented a “security control” before, you may find yourself lost. And how do you know when you’re done?
DoD’s implementation guidance recommends the following approach: “Review all of the security requirements, then determine which of the requirements 1) can be accomplished by in-house IT personnel 2) require additional research in order to be accomplished by company personnel, and 3) require outside assistance. If unsure of what a requirement means, companies may seek additional guidance.”
I HIGHLY recommend ALL organizations seek additional guidance and outside assistance.
Security-as-a-service across leading cloud technologies
If your organization is looking for help with DFARS or other security and compliance needs, Rackspace can assist. We are a web-scale managed service provider, delivering 24x7x365 hybrid-cloud management, operational support and security services as a packaged, on-demand, audited and pay-as-you-go service. You get the same commercial services that power the Fortune 100, in a compliance-ready state, with the additional security controls and governance necessary for your unique mission.
By turning to Rackspace, you get a team of unbiased experts across a range of leading cloud and infrastructure technologies — built on a compliance-ready framework and backed by ongoing managed operations, continuous monitoring, security services, living compliance documentation and audit assistance.