• Tim Blum

Cybersecurity Supply Chain Risk Management: Business Impact

July 2022

Cybersecurity Has Become an Inescapable First-tier Requirement

Acute global IT security attacks are driving significant changes in U.S. government and commercial IT procurement. The resulting regulations and laws have an increasing impact on the IT and Critical Infrastructure industries. The impact on business requires an investment in policy development, risk-based cybersecurity maturity model, SOP generation, additional tooling, personnel, and enterprise-wide training. As a result, corporate Cybersecurity Risk Management is expected by the government, investing community, and the insurance industry, to be fully incorporated into business and mission risk plans at all levels. From a regulatory and legal perspective, the days of IT being a purely support function operating in the background are at an end.


Facing Increasing Threats to Vulnerable Supply Chains

Foreign adversaries have weaponized software supply chains to gain access to IT systems for the purposes of information gathering, monetary/IP theft and extortion, strategic and tactical advantage, and to generally disrupt normal functionality of governments and companies. Added to the weaknesses inherit in large supply chains, organizations are at a substantially increased risk of major disruption and loss than they have been in the past.


The largest criminal intrusion to date is the SolarWinds Attack of 2020, in which Russia used the Software Supply Chain to introduce vulnerabilities into an open-source dependency of SolarWinds software, these vulnerabilities were exploited to gain access to government and business systems with the intent of gathering intelligence. The remediation of the SolarWinds attack cost the government and industry more than $100bn to date and is ongoing.


Absorbing the Government Response

To stem the tide of high-profile attacks, governments around the world are creating new regulations and laws that stipulate minimum cybersecurity compliance and reporting standards. For U.S. contractors, new regulations dictating responsibilities when developing, selecting, or reselling software are the result of the Cyber Security EO 14028 of May 12, 2021, which requires all companies involved in critical infrastructure or selling software/services to the federal government to establish policies, procedures, practices, and incident reporting in-line with NIST Cybersecurity Supply Chain Risk Management (C-SCRM) and Secure Software Development Framework (SSDF). The Government has stipulated that these requirements cover all code for both the civilian and defense sides of the executive branch. This includes vetting all sources used to create code such as Open-Source, COTS/GOTS products, and Cloud Services (IaaS, PaaS, SaaS, etc.).


The SEC is currently reviewing proposed cybersecurity rules stipulating a number of high-level policies and practices expected of publicly traded companies, to protect the investor community from unmitigated IT risk. The rules go as far as requiring that a board member be responsible for the corporations IT security implementation and provide regular guidance and reporting of IT policies/practices and incidents.


New Liabilities Impacting Industries We Support

The federal government and the insurance industry are now holding companies liable for the processes used to build and purchase software, requiring them to attest to the company’s coherence to secure development policies and procedures. Organizations will need to continuously vet the processes they use to build or acquire software, ensuring that secure software development practices are incorporated and followed. Companies not currently following these practices, will require considerable investment in time and money to achieve the new minimal requirements. The cost of fully implementing a Secure Software Development Life Cycle (SSDLC) complete with secure development/build environments, universal multifactor authentication, least privilege authorization, artifact creation and retention, and the associated legal costs needed to support attestation are not trivial.

Those compliant with the body of new requirements will be well-placed to respond to anticipated Zero-Trust implementation contracts

Since implementation of these security controls is a prerequisite to obtaining future contracts, associated costs are not directly recoverable and need to be incorporated as overhead for the organization. Many small vendors (and smaller projects in larger organizations) will not have the resources to cover the initial setup and ongoing maintenance/training costs now associated with software development and procurement. These additional costs and reduced volume of work (due to the incorporation and automation of cloud offerings) are projected to have a negative impact on smaller contractors, thus reducing the number of qualified small businesses over the next decade.


In addition to the reduction of smaller contractors in the market, these regulatory changes will accelerate the adoption of Low/No-code Software as a Service (SaaS) cloud-based services that already incorporate the security controls under FedRAMP. Additionally, the Government is looking to migrate legacy applications to Platform as a Service (PaaS) services which are developed and maintained using Zero-Trust principals, reducing the number of systems and code the government must secure on its own.


A Culling of Competition in the Market

Cyber security is now a first-tier requirement for our clients and their parent organizations. This rapidly changing posture will have ramifications vertically and horizontally across organizations. For companies not already familiar with secure application development and management, the next few years will require difficult and costly transformations to remain in the market. On the plus side, survivors that can train, staff, and implement policies and procedures compliant with the new requirements will be well placed to respond to the Zero-Trust implementation contracts expected over the next couple of years.


Notes:

We are not including the Critical Infrastructure components of the EO in this document. If you are involved in critical infrastructure (pipelines, electrical grid, water/sewer, etc.) we recommend that you investigate the additional responsibilities dictated by the EO for those industries.