This month marks the fourth anniversary of National Supply Chain Integrity Month—an initiative established by Federal agencies to raise awareness of pervasive threats to U.S. supply chains. Most recently, the SolarWinds incident has brought increased public attention to software supply chain compromises and further illustrates the need for greater awareness.
As the Federal Chief Information Security Officer, I consider supply chain security one of my top priorities. In partnership with the Office of the Director of National Intelligence National Counterintelligence and Security Center (NCSC), the Department of Homeland Security Cybersecurity and Infrastructure Security Agency (CISA), the Department of Defense, and other Government and industry partners, we are promoting a “call to action” for organizations across the country to work together to strengthen global supply chains.
To promote increased awareness during the month of April, CISA outlined a weekly themed approach. As we kick off week four, “Knowing the Essentials”, organizations should ensure they are following the key principles recommended by CISA to enhance supply chain resiliency, which include:
- Diversify Suppliers: A single source of goods or services is a single point of failure.
- Mitigate Third-Party Risks: Conduct robust due diligence on suppliers, understand their security practices and set minimum standards for them. Incorporate security requirements into third-party contracts and monitor compliance throughout the lifecycle of a product or service.
- Identify and Protect Crown Jewels: Map the location and status of essential assets and prioritize their protection. Monitor system and network performance to minimize the impact of disruptions.
- Ensure Executive-Level Commitment: Name a senior executive as owner of supply chain risk and include stakeholders across the enterprise in the risk mitigation program. Communicate across the organization to ensure buy-in and establish training and awareness programs.
- Strengthen Partnerships: Information exchange between government and industry on current threat information and security best practices is paramount.