6/13/2019

Securing the Supply Chain for Government Contractors through Integrated Risk Management: How to compete in the Deliver Uncompromised Environment

“Deliver Uncompromised” aims to protect critical technology from cradle-to-grave by establishing Security as a fourth pillar in acquisition, on par with Cost, Schedule, and Performance, and to embrace security, not as a "cost center" but as a key differentiator. – Defense Security Services (DSS)

At last month’s Spring Joint NDIA / AIA Industrial Security Conference, there were some indications as to how DSS plans to execute on Deliver Uncompromised. A few key mentions were the passage of Public Law No. 115-390 (the SECURE Technology Act), NIST 800-171, and the establishment of a Cybersecurity Maturity Model Certification (CMMC), under which a required CMMC Level (potentially 1 through 5) will be contained within RFP Sections L and M and will serve as a gate of entry to bid on a contract. All of these requirements are targeted at lowering supply chain risk.

One approach for the Defense Industrial Base (DIB) to consider, as it prepares to compete within a Deliver Uncompromised environment that may also require certification by third-party assessors for compliance with CMMC, is Continuous Adaptive Risk and Trust Assessment (CARTA). Gartner coined the term CARTA in 2018 and provided seven imperatives to assist in its implementation:

Imperative No. 1: Replace One-Time Security Gates with Context-Aware, Adaptive and Programmable Security Platforms

Imperative No. 2: Continuously Discover, Monitor, Assess and Prioritize Risk, Proactively and Reactively

Imperative No. 3: Perform Risk and Trust Assessments Early in Digital Business Initiatives

Imperative No. 4: Instrument Infrastructure for Comprehensive, Full Stack Risk Visibility, Including Sensitive Data Handling

Imperative No. 5: Use Analytics, AI, Automation and Orchestration to Speed the Time to Detect and Respond, and to Scale Limited Resources

Imperative No. 6: Architect Security as an Integrated, Adaptive Programmable System, Not in Silos

Imperative No. 7: Put Continuous Data-Driven Risk Decision Making and Risk Ownership Into Business Units and Product Owners

Additionally, the ACT-IAC Zero Trust project recently published a cybersecurity trends paper defining trust as a foundational element of Zero Trust implementations. Dynamic, context-aware trust elements are necessary in such projects. Many vendors are answering this call to action by providing risk or trust scoring as part of their next-generation firewalls or endpoint services. Continuous Adaptive Trust (CAT) acts as an arbiter or orchestrator of that trust, providing context beyond cyber data streams and looking beyond basic User and Entity Behavioral Analytics.

Deploying solutions that support a combined person-centric and device-centric architecture provides a way to further close the supply chain security gap between the person, their personnel / industrial security profile, and their exposure to the entire supply chain: from subcontractors to prime contractor to classified contracts and associated secure facilities, and on to the acquiring Government Agency.

In short, this architecture continuously updates a person’s Trust Score through Continuous Vetting from multiple sources, and that score determines their access to networked resources. CAT serves as a failsafe for the Zero Trust environment, providing continuous authorization and attribute-based access control.
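As an added illustration, not code from the article or from any vendor product it mentions, the following Python sketch shows one way a trust engine can combine signals from multiple sources into a single score and re-evaluate an attribute-based access decision every time a signal changes, so that access granted at the start of a session is withdrawn when trust drops mid-session. The source names, weights, resource policy, subject attributes and event values are all constructed assumptions chosen for the example.

```python
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Weight of each trust source in the composite score (hypothetical sources and values).
SOURCE_WEIGHTS: Dict[str, float] = {
    "personnel_vetting": 0.4,  # continuous vetting status from a personnel security system
    "device_posture": 0.3,     # endpoint compliance / health attestation
    "behavior": 0.3,           # UEBA-style anomaly signal, 1.0 = no anomaly observed
}

# Attribute-based policy: minimum composite trust plus required subject attributes (constructed).
RESOURCE_POLICY = {
    "contract_drawings": {
        "min_trust": 0.80,
        "required_attrs": {"clearance": {"SECRET", "TOP_SECRET"}, "facility": {"FCL-ALPHA"}},
    },
    "unclassified_portal": {"min_trust": 0.50, "required_attrs": {}},
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    trust: float


class TrustEngine:
    """Keeps the latest value reported by each source and derives a composite trust score."""

    def __init__(self) -> None:
        self.signals: Dict[str, float] = {}

    def update(self, source: str, value: float) -> None:
        if source not in SOURCE_WEIGHTS:
            raise ValueError(f"unknown trust source: {source}")
        # Clamp to [0, 1] so a misbehaving feed cannot inflate the score.
        self.signals[source] = max(0.0, min(1.0, value))

    def score(self) -> float:
        # A source that has never reported counts as 0: the engine fails closed, not open.
        total = sum(w * self.signals.get(s, 0.0) for s, w in SOURCE_WEIGHTS.items())
        return round(total, 3)


def authorize(engine: TrustEngine, subject_attrs: Dict[str, str], resource: str) -> Decision:
    """Attribute checks first, then the trust threshold; any failure denies with a reason."""
    trust = engine.score()
    policy = RESOURCE_POLICY.get(resource)
    if policy is None:
        return Decision(False, f"no policy defined for {resource}", trust)
    for attr, allowed_values in policy["required_attrs"].items():
        if subject_attrs.get(attr) not in allowed_values:
            return Decision(False, f"attribute {attr}={subject_attrs.get(attr)!r} not permitted", trust)
    if trust < policy["min_trust"]:
        return Decision(False, f"trust {trust:.2f} below required {policy['min_trust']:.2f}", trust)
    return Decision(True, "ok", trust)


def replay(engine: TrustEngine, subject_attrs: Dict[str, str], resource: str,
           events: List[Tuple[str, float]]) -> List[Decision]:
    """Apply signal updates one at a time and re-authorize after each (continuous authorization)."""
    decisions = []
    for source, value in events:
        engine.update(source, value)
        decisions.append(authorize(engine, subject_attrs, resource))
    return decisions


# Constructed session: sources report in, then a behavioral anomaly appears and clears.
CONSTRUCTED_EVENTS: List[Tuple[str, float]] = [
    ("personnel_vetting", 0.9),
    ("device_posture", 1.0),
    ("behavior", 0.9),
    ("behavior", 0.2),  # anomalous activity observed mid-session
    ("behavior", 0.9),  # anomaly resolved
]


def demo() -> List[Tuple[bool, float]]:
    engine = TrustEngine()
    subject = {"clearance": "SECRET", "facility": "FCL-ALPHA"}  # constructed subject attributes
    return [(d.allowed, d.trust) for d in replay(engine, subject, "contract_drawings", CONSTRUCTED_EVENTS)]


if __name__ == "__main__":
    engine = TrustEngine()
    subject = {"clearance": "SECRET", "facility": "FCL-ALPHA"}
    for d in replay(engine, subject, "contract_drawings", CONSTRUCTED_EVENTS):
        print(f"allowed={d.allowed!s:5} trust={d.trust:.2f} reason={d.reason}")
```

Two design choices matter here: a source that has not reported contributes nothing, so access is denied until every feed is present rather than granted on partial data, and attribute conditions are evaluated before the score, so a suspended clearance denies access regardless of how healthy the device or behavior signals look.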

Use of these types of systems and their integration capabilities can provide a much lower capital and operational cost to the DIB by allowing them to maintain a single system of record, collapse networks and access tokens, and link the need for access with personnel security systems. Additionally, this approach ensures that the user is still the same user who was authenticated and whom the system deemed trustworthy. As the DIB prepares to compete in a Deliver Uncompromised environment, it should take a closer look at CAT and trust engines for solving complex supply chain security challenges and uncertainty while remaining innovative, competitive, compliant and profitable.

This article originally appeared in the 2019 PSC Federal Acquisition Conference Thought Leadership Compendium.