Incorporating Cybersecurity Supply Chain Risk Management for Business Impact
The Tetra Tech Federal IT Group supports our customers with advanced cybersecurity services to proactively identify risk and inform cyber response activities.
Acute global IT security attacks are driving significant changes in government and commercial IT procurement. The resulting regulations and laws have an increasing impact on the federal contracting and critical infrastructure industries, requiring an investment in policy, risk-based cybersecurity management, standard operating procedure generation, additional tooling, personnel, and enterprise-wide training.
As a result, the government, investing community, and the insurance industry expect corporate cybersecurity risk management to be fully incorporated into business and mission risk plans at all levels. From a regulatory and legal perspective, the days of IT being a purely support function operating in the background are at an end.
Facing Increasing Threats to Vulnerable Supply Chains
Foreign adversaries have weaponized software supply chains to gain access to IT systems for information gathering, monetary and intellectual property theft and extortion, strategic and tactical advantage, and to generally disrupt normal functionality of governments and companies. Added to the weaknesses inherited in large supply chains, organizations are at a substantially increased risk of major disruption and loss compared to the past.
The largest criminal intrusion to date is the SolarWinds Attack of 2020, in which Russia used the software supply chain to introduce vulnerabilities into an open-source dependency of SolarWinds software. These vulnerabilities were exploited to gain access to government and business systems with the intent of gathering intelligence. The remediation of the SolarWinds attack cost the government and industry more than $100 billion to date and is ongoing.
Absorbing the government response
To stem the tide of high-profile attacks, governments around the world are creating new regulations and laws that stipulate minimum cybersecurity compliance and reporting standards. For U.S. contractors, new regulations dictating responsibilities when developing, selecting, or reselling software are the result of the May 2021 Executive Order (EO) 14028 on Improving the Nation's Cybersecurity, which requires all companies involved in critical infrastructure or selling software or services to the federal government to establish policies, procedures, practices, and incident reporting in-line with National Institute of Standards and Technology (NIST) Cybersecurity Supply Chain Risk Management (C-SCRM) and Secure Software Development Framework (SSDF). The government stipulated that these requirements cover all code for both the civilian and defense sides of the executive branch. This includes vetting all sources used to create code. The U.S. government will be consolidating the Cyber Supply Chain Security requirements under a new FAR Part (40), until then, the Office of Management and Budget (OMB) has released interim guidance requiring agencies to procure software that is designed and managed under Secure Software Development Practices and attested to by the corporations that produced them.
The federal government and the insurance industry are now holding companies liable for the processes used to build and purchase software, requiring them to attest to the company’s coherence to secure development policies and procedures. Organizations will need to continuously vet the processes they use to build or acquire software. Companies not currently following these practices will require considerable investment of time and money to achieve the new minimum requirements. The cost of fully implementing a Secure Software Development Life Cycle (SSDLC) complete with secure development/build environments, universal multifactor authentication, least privilege authorization, artifact creation and retention, and associated legal costs to support attestation are not trivial.
Those compliant with the body of new requirements will be well-placed to respond to anticipated Zero-Trust implementation contracts
Since implementation of these security controls is a prerequisite to obtaining future contracts, associated costs are not directly recoverable and need to be incorporated as overhead for the organization. Many small vendors and smaller projects in larger organizations will not have the resources to cover the initial setup and ongoing maintenance and training costs now associated with software development and procurement. These additional costs and reduced volume of work due to the incorporation and automation of cloud offerings are projected to have a negative impact on smaller contractors, thus reducing the number of qualified small businesses over the next decade.
In addition to the reduction of smaller contractors in the market, these regulatory changes will accelerate the adoption of Low/No-code Software as a Service (SaaS) cloud-based services that already incorporate the security controls under FedRAMP. Additionally, the government is looking to migrate legacy applications to Platform as a Service (PaaS) services, which are developed and maintained using Zero Trust principals, reducing the number of systems and code the government must secure on its own.
A Culling of Competition in the Market
Cybersecurity is now a first-tier requirement for Tetra Tech’s clients and their parent organizations. This is a key focus of Tetra Tech’s cybersecurity offering, which focus on governance, risk, and compliance, and cyber program development and operation as well as Zero Trust architectures and secure software supply chains. This rapidly changing posture will have ramifications vertically and horizontally across organizations.
The next few years will require difficult and costly transformations for companies not already familiar with secure application development and management to remain in the market. In response to the regulatory and legal changes, software and service companies have already started making updates to existing services and deprecating old functionality that is not compliant. Legacy applications that rely on outdated functionality will need to be updated to meet the new cybersecurity and mandated zero trust environment, opening the door for companies that can train, staff, and implement policies and procedures compliant with the new requirements.
We are not including the Critical Infrastructure components of the EO in this document. If you are involved in critical infrastructure (pipelines, electrical grid, water/sewer, etc.) we recommend that you investigate the additional responsibilities dictated by the EO for those industries.
Tim Blum is an information technology consultant at Tetra Tech focusing on geospatial technologies, business intelligence, and project management. He has more than25 years of U.S. federal contracting experience across the Department of Interior (DOI), Department of Defense (DoD), Department of Transportation (DOT), Department of Homeland Security (DHS), Department of Energy (DOE), and U.S. Congress. Tim leads Tetra Tech’s ArcGIS hosting environment for North America and is responsible for on-premise GIS systems. He advises Tetra Tech operations on projects spanning the federal, state and local, utility, energy, and environmental sectors. Tim has decades of traditional project support and application development and is currently transitioning teams and applications to cloud-based solutions and Low/No-code services with a focus on meeting the new legal and regulatory IT requirements.