AppSec & Supply Chain Security, February 23, 2023

How C-SCRM could fill the gaps on supply chain security

The new CISA office could make a big difference — and even lead to a new discipline dedicated to software supply chain security

Matt Rose, Field CISO at ReversingLabs

Software supply chain security is finally getting the attention it deserves with the recent announcement of a new supply chain risk management office in the Cybersecurity and Infrastructure Security Agency (CISA). The goal of the office is an ambitious one. It wants to help agencies, industry and other partners put into practice the deluge of guidelines and policies pouring from the federal government on Cyber Supply Chain Risk Management (C-SCRM).

The problem up to now is that no one is making the effort to define what supply chain risk management is. In the industrial world, everyone has a good idea what a supply chain is. But for software supply chains, the guidance has been vague.

For example, in 2020, the Government Accountability Office (GAO), which is Congress's watchdog on government operations, identified seven key practices for managing supply chain risk. Then it examined 23 agencies to see how those practices were being implemented.

The results were disappointing. None of the agencies had implemented all the practices, and 14 hadn't implemented any of them at all. The practice implemented by the most agencies — six of the 23 — was establishing a process for conducting a C-SCRM review of a potential supplier. One practice was ignored by all the agencies: establish a process for conducting agency-wide assessments of supply chain risks.

The GAO noted that the agencies cited a number of factors limiting their implementation of the seven foundational practices of managing supply chain risk, but the most commonly cited factor was a lack of federal C-SCRM guidance.

This new office for supply chain security has the potential to make that guidance concrete and consistent, filling a gap in private and government initiatives. Here's why it's a great first step.


Get on the same page for supply chain guidance

For the first time, a dedicated agency is going to take the reins and nail down what software supply chain security risk management means — and answer some key questions: What should the process to implement C-SCRM look like? How should risk be managed for software development across any organization, whether it is a government entity, an industrial vertical, or a small or medium-sized business?

Another question the office should address is how self-attestation of software should work. Does it mean that a vendor can say, "My software is secure," and a user should just believe them? Or should an attestation include a software bill of materials (SBOM) or a checklist of things the vendor has to attest to?

An additional area where the office could make a worthwhile contribution is in SBOM guidance. How should they be delivered? Should they all be in the same format? The office has an opportunity to deliver overarching guidance that can clear up a lot of the noise around SBOMs now.

We're all in the supply chain security fight together

The new C-SCRM office will benefit from changing attitudes between acquirers and vendors, who are beginning to acknowledge there might be problems with how they deliver software and are more willing to participate in supply chain security conversations.

Jon Boyens, deputy chief of the computer security division at U.S. Department of Commerce’s National Institute of Standards and Technology (NIST), told the Federal News Network:  

I actually think we’re kind of in the midst of relationship changes between acquirers and suppliers. Ten years ago, the reception I received from some industry colleagues, typically IT vendors, was, ‘Go pound sand. Here’s my product. You get it if you want it. If not, it’s a global market, we’re going elsewhere.’ That’s changed.

Jon Boyens

Boyens added that the relationship between industry and government has also evolved. Government is getting more accommodating to industry's concerns and treating cybersecurity as a partnership:

"I think often government gets in the habit of asking for a lot of information that it doesn’t use, and asking for a lot of requirements that costs more money, that are unnecessary. I think we’re getting there. We’re not yet. It’ll be a few more years, but we’re on the right road."

Jon Boyens

Shon Lyublanovits: A leader who "gets it"

To head up the new C-SCRM office, CISA has chosen Shon Lyublanovits, an old General Services Administration hand. The GSA is the procurement agency for the federal government. From Lyublanovits' remarks following her new appointment, it appears that she "gets it" when it comes to the current state of software supply chain risk. Lyublanovits said during a Jan. 30 event hosted by GovExec:

We’ve got to get to a point where we move out of this idea of just thinking broadly about C-SCRM and really figuring out what chunks I want to start to tackle first, creating that roadmap so that we can actually move this forward.

Shon Lyublanovits

Under the umbrella of guidance, Lyublanovits' new office will be offering new training courses on supply chain risk management later this year. It's also going to start a series of roundtables on operationalizing C-SCRM. They will include three tracks — one for federal employees, one for industry, and another for state, local, tribal and territorial governments.

She noted that two things plagued agencies in the past: where to start, and how to get buy-in.

One, where to start? And two, how do I have that conversation with my leadership? If you don't have leadership buy-in, you can't get funding. You can't go hire people to help you do what you want to do.

Shon Lyublanovits

A new supply chain security discipline could emerge

In ReversingLabs' new special report, The Evolution of Application Security, I posited that software supply chain security needed to be recognized as distinct:

Software supply chain security needs to be recognized for what it has become: A separate discipline within the application security ecosystem.

With C-SCRM and supply chain security finally getting the recognition it deserves, new hires may be cast in new roles. Instead of just being a penetration tester or an application security professional, a new discipline may emerge for supply chain security professionals.

See Matt Rose's related ReversingGlass explainer: C-SCRM: Much-needed definition for supply chain policy and processes.
