The National Counterintelligence and Security Center (NCSC) on Thursday issued new guidance for government and industry for supply chain risk management, highlighting risks throughout the lifecycle of supply chains and making recommendations on ways to reduce these risks.
"Exploitation of our supply chains by foreign adversaries, especially when executed in concert with cyber intrusions and insider threat activities, represents a direct and growing threat to strategically important U.S. economic sectors and critical infrastructure," William Evanina, director of the NCSC, said in a statement.
The guidance is contained within a new tri-fold document, Supply Chain Risk Management: Reducing Threats to Key U.S. Supply Chains. It sets out three focus areas for reducing threats to supply chains and lists tools and technologies for mitigating threats at each stage of the supply chain lifecycle.
The first focus area, "Enhancing Capabilities to Detect and Respond to Supply Chain Threats," recommends tools and technologies that automatically update with information about threats and how to mitigate them, that rapidly detect and automatically respond to threats, and that incorporate artificial intelligence and machine learning capabilities to "increase agility."
Some of the tools and technologies the guidance says are needed at different stages of the supply chain lifecycle include data encryption, continuous monitoring, unique product identifiers using barcodes and radio frequency identification, GPS and Bluetooth tracking, tamper evident tapes and seals, access controls, and data destruction tools.
The second focus area concerns the federal government, which the NCSC says must make supply chain security a top priority through supply chain risk management programs that include information sharing and best practices.
The third focus area calls for more outreach on threats, risk management and best practices. It says buy-in for a supply chain risk management program begins with senior stakeholders across an enterprise and includes broad communication, training and awareness programs. Best practices include the use of mitigation tools such as continuous monitoring of system data, and identifying and prioritizing critical systems and networks.
Managing third-party risk is another key aspect of the third focus area, the NCSC says: routine due diligence on first-tier suppliers, incorporating supply chain risk management as a primary metric in contracts, and monitoring supplier compliance with risk management requirements.
The NCSC, which is part of the Office of the Director of National Intelligence, says that supply chains are at risk from foreign adversaries, in particular via malware.
"The increasing reliance on foreign-owned or controlled hardware, software, or services as well as the proliferation of networking technologies, including those associated with the Internet of Things, creates vulnerabilities in our nation's supply chains," the guidance warns.