June 29, 2018
Cyber Supply Chain Risk Management: An Introduction

Introduction
A supply chain consists of the system of organizations, people, activities, information, and resources that provide products or services to consumers. Like other types of goods, a global supply chain exists for the development, manufacture, and distribution of information technology (IT) products (i.e., hardware and software). Recent media reports have highlighted the risks posed to IT from the supply chain.

In 2017, the U.S. Department of Homeland Security (DHS) ordered federal agencies to remove Kaspersky security products from their networks because of the risk they posed. Legislation was subsequently enacted codifying that order. In addition, stories of persistent administrative passwords on devices or otherwise vulnerable products allowing unauthorized access to sensitive networks became more frequent.

This year, Congress is considering additional measures to promote cyber supply chain security (H.R. 5515 and S. 3085). Among other recent developments, DHS says it is investigating cyber supply chain security further; the Federal Communications Commission is considering prohibiting foreign telecommunications equipment for domestic use; and the U.S.-China Economic and Security Review Commission has issued a report highlighting supply chain concerns.

While interest in cyber supply chain security has increased recently, there have been other periods of intense scrutiny on supply chain issues. In 2012, for example, the White House issued a report on global supply chain security; the House Permanent Select Committee on Intelligence (HPSCI) released an unclassified report on threats from Chinese multinational companies Huawei and ZTE; ZTE was exposed selling phones in the United States with backdoor access; the Director of National Intelligence (DNI) cited supply chain security as a major threat in the Worldwide Threat Assessment; and the Government Accountability Office (GAO) studied the issue.

This In Focus reviews cyber supply chain risks, discusses ways in which they are currently managed, and provides issues that Congress may consider.

Cyber Supply Chain Risks
One way to view risks to cyber supply chain security is through the threat actors, their motivations, and the ways in which they may compromise technology. DNI identified Russia, China, Iran, and North Korea as cyber threat nations. However, in its report on Department of State telecommunications, GAO highlights that technology is manufactured worldwide and vulnerabilities may be inserted by other actors. Some of those actors may include foreign intelligence services, malicious insiders, or criminals. These actors may be motivated to steal intellectual property, tamper with products, insert counterfeit goods, gain unauthorized access, sell extraneous access, or manipulate the operation of technology. They may accomplish their goals by inserting malicious code in software, manipulating hardware, or a combination of the two.

Cyber supply chain risks do not solely result from malicious human interference. The National Institute of Standards and Technology (NIST) finds that natural disasters may impede delivery of critical network components; poor quality assurance and engineering practices from vendors may provide deficient products; or an entity’s own business practices may result in seeking, buying, and managing sub-par goods. These threats may result in data loss, modification, or exfiltration; system failures; or unavailable products.

Managing Risks
NIST defines cyber supply chain risk management (C-SCRM) as “the process of identifying, assessing, and mitigating the risks associated with the distributed and interconnected nature of [IT] product and service supply chains.” This definition distinguishes C-SCRM as an ongoing activity, rather than a single task, and accounts for the procurement and maintenance of hardware and software.

NIST Special Publication 800-161 provides guidance to federal agencies on how they may go about implementing risk management practices. It recommends that C-SCRM should align with an organization’s existing risk management framework. Activities for risk management include cataloguing current systems and business practices, surveying systems for vulnerabilities, and developing processes to mitigate those vulnerabilities on an ongoing basis.

That a risk could possibly manifest does not mean that it always exists, nor is it managed as if it perpetually exists. Instead, managers accept that risk is not binary but exists on a spectrum. This perspective pushes managers to consider how they are most at risk and to prioritize mitigation strategies. This defense-in-depth strategy accepts that complete security is not guaranteed, but it can lead system administrators to deploy tools effectively so that they can detect unwanted activity and stop damages from compounding.

Attackers may not know which defensive strategies are deployed on the systems where their compromised IT is installed. This uncertainty creates the possibility that purposefully embedding vulnerabilities in technology will
be detected and exposed, perhaps incriminating the attacker and stopping their plans. The chance of exposure is a consideration attackers evaluate when seeking to mass-compromise technology—and may incentivize them to pursue specific attacks against deliberate targets instead.

Conceptualizing risk is challenging because entities may not have threat information available to them, may lack an appreciation of their own vulnerabilities, or may lack a framework to take that information and make resource decisions with it. Entities with general risk management programs may not have the relevant expertise in IT products and threats to apply their established risk management practices to the supply chain. The prioritization of risk management requires that entities understand their own weaknesses, why they may be targeted, who or what may target them, and how. In order to extend these principles to their supply chain, entities will also need information on their vendors and suppliers, threat tactics, and best practices to mitigate risk.

Potential Issues for Congress
Generally, risk profiles (e.g., risk tolerance, resource allocations, vulnerabilities, threats, etc.) and risk management are unique from one entity or sector to another. This makes managing risk an activity which is individualized for each entity or sector. However, there are policy areas in which Congress may act with regard to C-SCRM that can affect federal activities.

Clarity of Responsibility
Federal IT management is dispersed among many federal agencies. The Office of Management and Budget (OMB) creates strategic guidance, NIST creates documents describing implementation, DHS helps agencies with security management, and agencies themselves have to implement information security programs. Congress may consider creating specific responsibilities for federal or national supply chain security and assigning those responsibilities across agencies or to a single federal entity. Rather than assigning a single federal agency all responsibilities for supply chain security, Congress may identify unique responsibilities and parse those out to agencies, such as intelligence gathering, technical expertise, the development and promulgation of defensive measures, and coordinating federal efforts. While this approach may provide clarity, its effectiveness may depend on the scope of authority Congress grants and the resource allocations to the designated entity or entities.

Increased Awareness
The federal government may increase the information available from open and restricted government sources to all agencies and the information technology sector. To assist with increased awareness, the federal government could undertake activities to better understand the business relationships involved in the design or delivery of an IT product or service, and assess those businesses for potential risks. Rather than barring corporate activity, the government could then alert industry and consumers of those risks so that they may make informed decisions on whether and how they may use those products or services. This may help agencies better assess their own risk, and allow the companies to directly mitigate vulnerabilities in their products. Such a strategy recognizes that government is positioned to support the private sector, which has different responsibilities and greater control over technology.

Oversight
As part of annual oversight, Congress may ask agencies about their C-SCRM programs, their effectiveness, and their challenges. Congress may also require such programs. In performing agency oversight, Congress may request a review and report by an agency into how it assesses and manages cyber supply chain risks. This review could inform future congressional activity and impel agencies to consider these issues and document their plans.

An example of such oversight is the Wolf Provision (found in Section 514 of Division B of P.L. 115-141, the Commerce, Justice, Science, and Related Agencies Appropriations Act, 2018). The National Aeronautics and Space Administration (NASA) Inspector General has an audit of NASA’s implementation of the provision.

Prohibition on Specific Companies
As with the Kaspersky products, Congress may ban a certain company’s products from being purchased or used at federal agencies. While such a prohibition may limit exposure to specific perceived risks posed by a product, a set of products, or a company’s work, the complexities of the global cyber supply chain, business relationships, corporate restructuring, and other factors may inhibit its intended effectiveness. Such prohibitions have also faced court challenges regarding the banned company’s due process and laws against bills of attainder.

Single Evaluator
Currently, agencies are responsible for evaluating risks posed by IT for themselves. However, some agencies lack the capability or capacity to perform thorough evaluations of their systems for supply chain risks. An option for Congress would be to assign a single federal agency the responsibility to evaluate supply chain risks in IT for all other agencies. This agency would examine IT hardware and software for potential risks. In order to do so, the agency would likely need access to threat intelligence, technical expertise, the business relationships of the vendors building products, and security experts, among other factors.

This strategy would align with the Administration’s initiative to increase shared services. FedRAMP is a program Congress may look to in establishing such a program. In FedRAMP, one agency evaluates cloud service providers and creates documentation on the security of those services that is available to all agencies. This avoids the duplicate effort of every agency examining the same product, and allows agencies to assess the product relative to their specific concerns.

Chris Jaikaran, Analyst in Cybersecurity Policy
IF10920
Disclaimer
This document was prepared by the Congressional Research Service (CRS). CRS serves as nonpartisan shared staff to
congressional committees and Members of Congress. It operates solely at the behest of and under the direction of Congress.
Information in a CRS Report should not be relied upon for purposes other than public understanding of information that has
been provided by CRS to Members of Congress in connection with CRS’s institutional role. CRS Reports, as a work of the
United States Government, are not subject to copyright protection in the United States. Any CRS Report may be
reproduced and distributed in its entirety without permission from CRS. However, as a CRS Report may include
copyrighted images or material from a third party, you may need to obtain the permission of the copyright holder if you
wish to copy or otherwise use copyrighted material.
https://crsreports.congress.gov | IF10920 · VERSION 3 · NEW