Managing Risk in Technology Supply Chains After SolarWinds
In December 2020, as many of us were watching all things political and pandemic, current events eclipsed a serious breaking story. The SolarWinds hack exposed a level of data across the nation that was — to use the oft-turned phrase for 2020 — “unprecedented.” Not to be outdone, 2021 has now given America a data breach through the Microsoft Exchange email software that (conservatively) affected 60,000 organizations, spanning every level of size and sophistication.
Responding to the SolarWinds breach, Representative John Katko — the Ranking Member of the House Homeland Security Committee — announced five “pillars” that he believes will support the Homeland Security Committee’s cybersecurity legislation in the next two years. These pillars are 1) reorganizing the roles of key government agencies and roles; 2) addressing third-party risk; 3) identifying “concentrated sources of risk” within the government’s tech supply chain and requiring vendor certification; 4) driving software assurance; and 5) mounting a “muscular” national response to cyberattacks. We can only imagine the response that will be called for after the Microsoft Exchange hack.
The bulk of these pillars largely fall under the umbrella of revamping the way the United States government manages supply chains. The SolarWinds hack rocked the assumptions many in government held about the security of their own systems, in no small part because the SolarWinds hack seems to have begun entirely outside of the federal government’s control and was imported by trusted software.
This should not be a surprise. Already, according to the Ponemon Institute’s 2020 Report on the Cost of a Data Breach, one in six data breaches are caused by third-party software vulnerability, and data breaches associated with third-party software vulnerability are among the most expensive for a business (averaging over $4 million in all-in costs). Investment in a robust technology supply chain management program before an event takes place will save the business significant pain and customer angst by avoiding as many such events as possible, and by building in resilient responses when not.
All this suggests the possibility of a fundamental shake-up in federal technology procurement may be coming, and corporate, state, and municipal procurement can build off of these developments. With $600,000,000,000 in existing government contracting and the Biden Administration signing orders heightening preferences for American manufacturers in federal procurement, the federal government has the ability to transform American supply chains, if it chooses to do so.
So, what will these changes look like? We will not know before legislation is filed. However, we do know what the Department of Defense (“DoD”) recently put in place when it had similar concerns about cybersecurity in supply chains. The Cybersecurity Maturity Model Certification (“CMMC”) Program requires anyone who wants to bid on DoD contracts — and their subcontractors — to maintain certification by independent organizations that the bidding company meets certain cybersecurity maturity requirements.
Under this framework, there are five levels of cybersecurity “maturity” against which the DoD will measure those organizations wanting to enter procurement contracts. These measurements are divided between both “Practices” and “Processes.” “Practices” are the controls with which many in the security world have become familiar and “Processes” are the degree of institutionalization core groups of controls (called “Domains”) have achieved within an organization.
At the first level of maturity, fewer practices need to be implemented, and the institutionalization can be that they are just performed. But moving up the maturity levels would mean that more and more practices are implemented at greater levels of maturity. This ranges from performing the relevant practices at level one, to documenting them at level two, to managing them at level three, reviewing them at level four, and optimizing them at level five. And as each process becomes more institutionalized, the number of practices that institutionalization must cover increases.
The DoD began the process of implementing this program at the end of 2020. Within 5 years, all DoD contracts are anticipated to require participation in the CMMC Program. It remains the best basis for future policy development. Businesses that want to get ahead of legislative requirements or otherwise want to secure their procurement and supply chains would do well to model their cybersecurity programs on the most appropriate level of the CMMC framework for their business.
As companies and governments outside of the Defense Industrial Base and the DoD begin to tackle these procurement and supply chain threats in the context of the SolarWinds and Microsoft data breaches, they should strongly consider building their process starting from the foundation created by the CMMC framework. In their requests for proposals or procurement contracts, they should include a provision that the suppliers will need to receive an independent certification for the organization’s review documenting the practices implemented and their level of institutionalization. This requirement will minimize the business risk associated with these supply chain breaches and help limit the legal risk associated with data breach notification and response.
Businesses and governments looking to tackle these issues can take the following steps to begin to reduce the risks the organizations face:
- Confer with an attorney knowledgeable about supply chains and data protections to draft standard procurement contracts informed by the organization’s appetite for risk.
- Develop a systematic technology supply chain risk management program, looking to both practices and processes of suppliers and requiring external verification of both.
- Evaluate the business’s or government’s market power — i.e. a $10 million company or a 10,000-resident town is unlikely to be able to convince a technology giant to use its standard procurement contracts, but may be able to move a $50 million supplier closer to the organization’s position.
- Develop a plan for managing risk in situations that (for whatever reason) must, by necessity, fall outside the standard procurement contracts and systematic technology supply chain risk management program for a period of time. This plan should include a pathway for bringing as much of the supply chain as possible within the program, and an insurance plan for that portion of the supply chain which the organization does not have the market power to bring within its standard agreements.