About This Episode
Podcast Episode 6
September 3, 2024 - 39 mins
Supply chain security is not new, though it certainly feels as though it is. Thanks to globalization, supply chains are ever growing in their depth, complexity, and interconnectedness. Unfortunately, like so many other systems, security of supply chains hasn’t been at the top of the list of things to consider when evaluating supply chains. Understandably, economics led the way. A supply chain exists to foster economic growth and profit-making. None of these are bad but there’s a painful irony: the less security is considered, the greater the costs, which drives down growth and profit-making. Costs aren’t just financial, either. The cost of losing a competitive edge is significant but almost impossible to quantify in dollars. It runs much deeper. As data theft has proliferated on an unprecedented scale, the need for securing supply chains has begun its rise to the top of our consciousness. The intriguing thing about supply chain security is that it isn’t all that different than traditional risk management activities.
Today’s guest is John Santore, Director of Cybersecurity Services here at Kratos. Together, we’ll dive into supply chain security. We’ll outline what a supply chain is, what to consider when evaluating your supply chain, some of the challenges you might encounter along the way and we’ll outline a basic supply chain risk management approach.
Resources:
The core tenets of a supply chain risk management approach:
- Inventory your supply chain
- Ensure strong relationships are in place with those in your supply chain
- Develop criteria for evaluating the risk of suppliers within your organization
- Work with your suppliers to obtain the information necessary to perform the evaluation
- Develop a process for scrutinizing suppliers that are identified as high-risk
- Repeat the process on a defined frequency
- Ensure that it is applied as part of any supplier intake
Episode Transcript
Cole French:
Are you grappling with how to secure your supply chain? Do you feel overwhelmed and like you have no idea where to start? If so, you want to tune into this important conversation. Supply chain is far-reaching and full of complexity, but is also achievable using tried and true risk mitigation techniques that are old hat.
The globalization of the world’s economy has brought unprecedented complexity to economic activities. How things are made and delivered has never before encompassed the level of intricacy we see in today’s global economy. The impacts are vast, far-reaching and largely of benefit to the world around us. That said, like countless other systems, security wasn’t built into the global economy by default. The cost is tremendous.
Collectively, we’re just now beginning to tackle the problem. The problem is commonly referred to as supply chain security and comprises the activities necessary to ensure that the products made, and services delivered by third-party entities and organizations include security. Supply chain security can be scary at first, however, it’s quite simply risk management with a focus on the supply chain.
As we’ll discuss on today’s episode, the approach to supply chain security is just like the approach to so much of security. Know and understand your assets, that is your suppliers and the risks those assets present to your operating environment. From there, ensure the appropriate processes are in place and actions are taken to mitigate the identified risks.
Joining us again on the Cyber Compliance & Beyond podcast today is John Santore, director of cybersecurity services here at Kratos. John brings valuable insights and expertise gained from his experience with a wide array of supply chain use cases.
Cole French:
John, thank you for joining us again here on the Cyber Compliance and Beyond podcast. I’m really excited for today’s conversation. While the topic isn’t necessarily the most interesting, I think it’s an important one mainly because it affects every organization. And it really hasn’t received its fair share of attention for quite some time, so most are behind on it. And perhaps most importantly, the lack of supply chain security is perhaps the largest conduit to data theft out there. And we’ll talk more about data theft as we go through this conversation, but John, first if you could just start us off by level setting for our listeners, what is a supply chain?
John Santore:
Oh, ask me the hard questions. Usually I come on and talk FedRAMP. But so supply chain is a specific type of risk associated with anytime you’re using third party products or vendors. And basically you want to make sure that you’re getting what you’re supposed to get. And to use an analogy, if you’re trying to be health conscious and eat well, you want to make sure you know what you’re putting in your mouth. And the same thing applies for supply chain. You want to make sure you know where the products are sourced, that they’re secure, that they’re organic, as it were, and you have a level of trust with that. And so the failure to do that may allow vulnerabilities that you didn’t expect. In the case of some well publicized supply chain issues, back doors were embedded by developers of third-party solutions. And so when you’ve got supply chain stuff, it’s really about trusting the products and vendors that you’re using.
And that’s how I define it. And I’m sure you can correct me because I know you work a lot with CMMC and DFARS and that stuff, and I know supply chain is really heavy there, so feel free to correct me if appropriate.
Cole French:
Yeah, so you’re right. So within a DIB or defense industrial base context, yeah, I mean supply chain, really CMMC, the impetus behind CMMC is supply chain security, even though ironically it’s data theft first and foremost, but one of the ways in which data theft occurs is weak supply chains. Interestingly, the current version of CMMC does not include supply chain requirements. We’ll talk more about that I think as we go through the conversation. But it’s definitely important within the context of the stuff that we work with and within the context of the DOD, right? With a lot of that type of work involving the warfighter and sensitive information may not be classified, often isn’t classified, but it’s still sensitive information, requires protecting. And if it leaks and gets out there, it provides adversaries or other countries even the opportunity to essentially steal our intellectual property. So that’s one of the ways you mentioned vulnerabilities, that’s another way.
But I think just to step back for one second. So I guess I would say supply chain, to summarize, is an organization’s suppliers. So an organization builds a particular product. Well, they don’t make all the pieces that go into that product. They have other companies that make some of those pieces and then they put them all together and the final product is what they ship out. So those organizations or companies that make those products that go into it, that’s your supply chain.
So what are some ways in which you can secure a supply chain? So organizations are thinking, I want to make sure that the products I’m getting are secure or the data I’m getting is secure from these companies I’m working with. What are some ways that organizations can ensure security within their supply chain?
John Santore:
So there’s a couple of things and a couple of different ways to look at it, but I think having a strong vendor management process. And when I say vendor management, I also mean product process. Anything you choose to bring into your environment, into your product, how are you evaluating the best practices of your vendors? And sometimes that’s by reviewing what certifications they have. Have they had some third-party independent auditor come in and say yes, they’re doing things correctly? Sometimes that’s determining how you’re using them. Certain things are more critical than others. And I’ll give you an example there.
Theoretically, you’re using office products. You can get it from Office Depot, you could get it from Staples, wherever you get your paperclips. If Staples has a problem, you can always get it from Office Depot without impacting your business. So you want to know how critical those components are. Paper clips aren’t. A key software library that is critical to your product, yeah, that matters. And so you want to take into account the trustworthiness of that path, but also the criticality and potential impact should that be disrupted, not even necessarily in a data theft thing, but in a lack of availability, backlog, no spare parts, what have you.
And so you want to make sure as you’re building your product, you know what all of those components are, you know where you’re getting them from, and you’ve evaluated all of the vendors or suppliers. And usually having a really good robust process to vet them, hey, fill out this security questionnaire. Contractually speaking, attest to following certain best practices. Third-party audit attestations or opinion letters. And review that on a regular basis so that you have a level of confidence that what you’re bringing in, or to use my analogy earlier, what food that you’re putting in your mouth is in fact safe.
Cole French:
So essentially what you’re saying is, or what I’m interpreting from what you’re saying is really supply chain security is not that dissimilar in terms of the approach from your overall just general risk management, right? We want to, as the general rule, historically, I want to identify all the risks in my organization. And I think supply chain security is really just creating a separate list, so to speak, of taking some of those risks, but also relating it back to my suppliers or those in my supply chain and determining how the entities in my supply chain may impact some of those risks that I’ve already identified.
John Santore:
That’s exactly right. A lot of times when people are thinking cybersecurity or even physical security, they’re like, “Oh, do I have locks on the doors? Do I have anti-malware? Are my things encrypted?” And they don’t always think about the vendors and products that they’re incorporating, combining, consuming, et cetera. And so again, there’s been some sort of high-profile breaches. I don’t want to shame anybody by naming big names, but if you look out there are supply chain breaches, and so there’s been a new focus. As you said, CMMC is focused on there, the Revision 5 of NIST 800-53 upon which FedRAMP and some other things are based, added the supply chain risk management framework. So it’s very much in the spotlight, very much a new focus and an important one. And that’s why I think it’s been historically not as obvious as some of the other security measures. And the landscape is changing, and that’s for the better.
Cole French:
I agree. I think too, some of it stems from, or at least what my read on the situation is that supply chains have also increased dramatically as we still have obviously the manufacturing, the products that get built, but also you have software. And there’s even a supply chain with software development and different organizations developing different pieces of software and all that kind of stuff. I think supply chains have just exploded. Organizations just... I think there’s a lot of... organizations don’t even realize the depth and the breadth of their supply chain or they’re just coming around to it. So in keeping with that idea, I think that’s one of the main challenges with supply chains and securing the supply chain. But are there any other challenges that you see out there when it comes to securing the supply chain?
John Santore:
Well, I think, there’s a couple things I’ll talk about. A lot of people are cloud focused, and so they’re like, “Oh, I don’t have to worry about a physical hard drive. I’m not buying physical media from Seagate or whoever.” And so a lot of times they think, oh, I inherit all of this. It’s part of my cloud. And so again, out of sight, out of mind. But you want to make sure, to your point, that we’re hitting the software pieces. Just like buying a physical piece of equipment you want to make sure is coming from a safe and secure path, you want to make sure any libraries, third party products, container images, whatever is properly vetted before it’s introduced in your environment because you don’t want to accidentally introduce backdoors or potential vulnerabilities or things that you may not know. And that’s why it’s really important to vet that.
Similarly, in another unique case is when you’re dealing with, what about open source, right? There is no vendor for the open source. And so in many respects, you’ve got to look at that somewhat differently. You look at it in the context of, hey, there’s a big community checking this stuff. Some things have been vetted unofficially or through best practices. You want to make sure that you check things like vulnerability databases, CVEs, that kind of thing. And there’s a lot of composition tools when you’re developing software that goes, ah, you’ve got an old library of this, or there’s a known thing in this particular package, so you want to make sure you stay on top of that. It’s not that you can’t use open source, it just means you want to make sure you do so in a smart way. So those are some of the unique outlier cases. Just because in the cloud, doesn’t make it all magic. And just because open source and there is no vendor, you still want to make sure you do your due diligence there.
Cole French:
Absolutely. I think another one I would add that occurred to me as you were talking about those examples is I think there’s a unique thing, or maybe a historical way of thinking of a supply chain is, well, that organization makes this widget or develops this piece of software, passes it along to me. So there’s a link there where we share that information with a product that’s a little more discrete, right? I’m shipping that product to you. With software it’s a little grayer because there’s a way in which that software would need to get transferred.
But then I think also something that organizations need to keep in mind when it comes to securing the supply chain and I think is particularly challenging is third parties. And you mentioned this already with breaches and things like that that have happened because third parties had access to an organization’s systems, and that through that access vulnerabilities were introduced. So I think a particularly risky component of supply chain security is third parties, members of your supply chain that actually have direct access to your systems. When we’re talking about risks, I think, and the risks associated with the supply chain, that’s I think probably at the top of the list is any organization that has individuals that actually have access, whether that’s physical access or logical access to your systems, I think that’s a major risk, presents a major risk, and is definitely I think one of the top challenges when it comes to securing the supply chain.
John Santore:
Well, and to your point, you don’t want to just stop at the vendor level. You want to recursively go down. And so it’s one thing if you buy a car from let’s say Ford, you’ll see this thing that says, here’s where the parts are from. Such and such percent was in America, such and such percent was in wherever. You want to do something similar with your software. There’s a thing called a software bill of materials or SBOM. That tells you what the libraries are. So just because you’re getting it from Ford, you can sort of look in and say, okay, who’s making the radio? Who’s making the tires? Who’s making the engine or whatever? Yeah, I’m using sort of a car analogy, but the same thing applies with your software. Oh, okay. While I’m getting this from vendor A, vendor A should be able to document all of those individual pieces that comprise their offering as well.
And again, software bill of materials, I don’t know that any of the compliance frameworks have a hard and fast control associated with that, but I’ve heard it sort of bandied around and I expect there will be something soon. It’s complicated enough that I think they want to try and flesh it out rather than submit something half-baked. But for anyone listening or just in general, knowing that and being ahead of that is likely a good thing. It’s coming, we don’t know what it’s going to look like, but exercise those sort of principles and say, “Hey, I want to see what is your stuff made of?” Same thing like foods. Here’s all the ingredients. Same thing.
Cole French:
Yep, same thing. And I think just one last thing on that before I kind of segue off of you mentioning the SBOM is just I think too, the recursive was a word you used. So another thing too is to also remember that sometimes there’s supply chains within supply chain. So I’m organization A and I may have a supply chain of organization B, C and D, but the B, C and D organizations may also have their own supply chains. I think that’s why securing the supply chain is so important and so difficult and complex is there’s many, many layers to it, and it varies based on the organization. Some organizations may have many, many levels deep. When you’re talking the biggest prime contractors out there, the Lockheed Martins of the world, Northrop Grumman, those type of organizations, they’re going to have tremendously complex supply chains. Whereas a mom and pop shop that makes one widget, you’re not going to run into as complex of a supply chain. But still something to keep in mind.
John Santore:
In everyday life, people often see things like Underwriters Labs approved or Good Housekeeping or ISO9001 or whatever from a manufacturing perspective, you want to make sure that at the level that you are vetting, they have something that proves that they vetted the underpinnings.
So I know in CMMC, if you’re leveraging something, there’s the whole talk about you must use either another CMMC vendor or FedRAMP equivalent. In the SOC 2 world, when you’re doing a SOC 2 audit, you want to get a report from all of your sub services. And so you’re either getting an attestation or you’re looking at their report. And so those report chains drill deeper. At some point, there’s the trust that everybody in the chain has been independently audited. And if you’re doing something that you don’t audit, make sure that it’s not a critical or a dangerous component. Like the example with paper clips, doesn’t really matter if it comes from here or there, it can’t really affect anything. And so you want to evaluate that and make sure that you do, that your vendors are doing that to their vendors and so on.
Cole French:
Yeah, that’s a really good point. I’m glad you brought that up and explained that for us. I will add with the CMMC piece that you mentioned, it actually goes even a little bit deeper than that even yet. So if you’re leveraging a cloud service, well, a cloud service, there’s FedRAMP reciprocity, so you can leverage that. But if you’re leveraging some other service, they need to be CMMC certified as well. And also any external service provider. So if you think of a managed service provider, they also have to be CMMC certified as well. So it’s really essentially anything that you leverage in the context of CMMC that’s outside your organization that touches your authorization boundary, it becomes what we would say is in scope. So then those organizations and those systems that you’re using, they also have to meet the CMMC certification or FedRAMP equivalency.
John Santore:
I’m glad you brought that up because we didn’t talk about the supply chain of services. So we’ve talked software, we’ve talked hardware. If you are getting a managed service provider, how do you know that they’re trustworthy too? So you want to make sure you check those as well. There are controls that talk about, definitely in the 800-53, the FedRAMP space, I think it’s PS-7 talks about third party contractors kind of a thing. How are those folks vetted? And so treat the people as part of your supply chain, treat the contractors, the people you’re hiring. To take an everyday example, whenever you hire, let’s say a plumber or somebody to come do something in your house, they always advertise certified and bonded or something like that, bonded and insured. You want to make sure that there’s some sort of a stamp of approval, somebody’s vetted them, somebody’s determined that they are safe from a risk perspective. So let’s not just stop at the software, let’s include the services and the people involved.
Cole French:
Yeah, and the services and people involved, I think in a lot of ways, what I was mentioning earlier, I think they actually introduce the most risk in a lot of cases because they’re people that are actually going to, not only... yeah, you want to make sure, like your plumber example, you want to make sure that they’re bonded and insured because that means you’re protected if something goes wrong, but also means that they’re licensed, they are capable, they’re competent, all that stuff. But from a security perspective, these are the people that are actually going to come into my house. Or in the context of what we’re talking about in a more traditional supply chain is these are people that are actually going to touch my systems. They’re going to come into my facilities. I might give them logical access to systems. So yeah, services are huge. And I think services, historically, people don’t necessarily think of services
John Santore:
We forgot until you brought it up with CMMC. So yeah.
Cole French:
Exactly. Yep. So speaking of CMMC, how have compliance frameworks helped move this forward? Or do you think they’ve been slow to develop controls and practices? What’s your take on how compliance frameworks have dealt with supply chain security?
John Santore:
So CMMC is not my natural place. I have a FedRAMP specific focus. But I like the idea of a compliance mechanism. In the FedRAMP world, to use any third party services, and this has been around for, I don’t know forever, but as long as I can remember, you can only use other FedRAMP authorized services or else show that a particular thing does not have government data or metadata. So to the paperclip example, some things don’t matter because there’s nothing dangerous there. And you have to evaluate that.
And so I think that the compliance, regardless of which framework you use, provides that level of trust and perhaps the recursive level of trust that your supply chain is, nothing is going to be perfect, but you’ve done your due diligence, you’ve mitigated that risk as much as you can. You’ve possibly through contractual things and insurance and the like, you’ve done all the things. So if something really bad happens, you can at least recoup some of that. A little harder to do with information versus cost of being down, but you’ve done your due diligence and you’ve done your due diligence at your vendor’s level and you’re making sure that your vendor is, their vendors are good too.
And so whether it’s CMMC, whether it’s FedRAMP, whether it’s SOC 2, whether it’s the Good Housekeeping seal of approval or a plumber from Angie’s List, somebody has vetted something. It’s not just random. And so you can’t test everything yourself. You’ve got to rely on those compliance things. And so I think they’re very, very important. And depending on the nature of the information that you’re protecting or the value of your environment, services, data, et cetera, you find the right compliance framework that matches that. And so yeah, if you’re dealing with controlled unclassified information, you’re talking CMMC, well, then you follow the CMMC rules because that’s appropriate for the information you’re protecting.
FedRAMP’s a different animal. It’s based off of FIPS 199, it’s still an information classification for cloud stuff. And again, SA-9 says you can’t use any non-FedRAMP authorized system for anything that transmits, processes or stores federal data or metadata.
Cole French:
So yeah, that’s a good point. And when you talk about CMMC, I can speak to CMMC, that’s a little bit more of the world that I live in. Interestingly, I think I mentioned this when we started the conversation, CMMC was born, in a lot of ways because of risks and theft associated with poor supply chain security. And the original CMMC framework included a pretty robust set of controls, or well, I guess it was really just one control. But that one particular control definitely had some test objectives around pretty strong supply chain security, including developing a supply chain risk management plan, things like that. When they went away from CMMC 1.0 and they scaled it back to 800-171, that supply chain risk management plan was gone. It was not part of the 2.0 framework. However, 800-171 Revision 3 is going to have some controls around supply chain security.
So it’s coming back. And like we talked about already, they’ve brought back some of the supply chain stuff, or they’ve heightened some of the supply chain stuff in the rule itself by not allowing you, similar to you, John, with FedRAMP not being able to leverage a non FedRAMP authorized system to store, process or transmit government data. Same kind of thing with CMMC, you can’t leverage a system that, or when the rule is in place, you won’t be able to leverage any systems that don’t have CMMC Level 2 certification if we’re talking Level 2 or a FedRAMP moderate or higher equivalency.
John Santore:
Yeah, no, and to those listening where these frameworks may not matter, find the framework that fits your information. And even if it doesn’t have an explicit requirement, you want to do your due diligence on your vendors, the third party products that you’re bringing into the environment and evaluate and vet those. And it could be part of your procurement, it could be part of your risk management, but evaluate the criticality, right? Regardless of whether there’s a control or not, this is not only just a good thing to do, but maybe an absolutely critical thing to do. You tailor it based on the level of protection you need and what’s the risk if something actually were to go bad, but you do want to do it and you do want to do it at the appropriate levels for your needs.
Cole French:
Yeah, I think this is one of the areas where we would say don’t worry so much about the controls in place in a particular framework or compliance regime, but build out a supply chain risk management plan, build out the processes and procedures to support it in keeping with your own risk management processes. And I think that’s the biggest key is looking at supply chain as a part of security as a whole and not so much as a compliance framework. That being said, are you seeing any movements, John, towards any kind of compliance frameworks that deal specifically with supply chain security?
John Santore:
Well, like I mentioned that FedRAMP or NIST 800-53 Revision 5 adds a new supply chain risk management control family. So there’s a whole suite of new controls that you need to address. Some of them overlap a little bit with the SA control family, which is system and services acquisition, SA-4 and SA-5 talk about are your vendors, are your products, are the developers that you’re relying on external to you documenting things correctly? Are they building it to the requirements that you’ve got? Are they making sure their encryption is at the right levels? You get to set those security requirements and you should deal with those contractually as well as part of vetting things.
So I don’t know that things are necessarily changing. I think there’s more of a spotlight on it than there may have been in years past. I think because FedRAMP is relatively new with the Rev 5 stuff, I don’t know that we’ve seen all of the best practices yet in a FedRAMP context. I don’t know that we’ve seen what agencies are expecting, what the FedRAMP PMO is expecting, and that will necessarily mature as we’ve got a little bit more historical data to see how those things are being interpreted. But regardless of that, I mean, again, everybody should do this from a risk management perspective, don’t ignore the supply chain. And then as FedRAMP and these other people will start looking at this more, hopefully we’ll get some new best practices, some new guidance and some new particular best practices to follow.
Cole French:
So I know we’ve talked about software, I guess this isn’t so much a compliance framework, but I’ve been hearing some stuff recently about the SSDF or I think it’s Secure Software Development Framework, and that does touch on, I don’t know if the SBOM that you were talking about earlier is a part of that, but I know that touches on the supply chain security as it relates to software development. Does it not?
John Santore:
I don’t know that it’s so much SBOM. It is essentially a set of, it’s not even necessarily controls, and there’s a bunch of different references that point to that. So, what we’re seeing from the government is they are requiring anybody who provides software to the government to submit either an attestation or third-party evaluation of your software development life cycle, is it being done securely. And some of it is are your developers using multi-factor authentication? The development environment, has that got your audit logs and all the rest of that as well? But it also does touch upon some of the particulars as far as including third-party libraries, as well as testing that stuff for vulnerabilities prior to being released into production.
I know, Cole, you and I talked about this very briefly before this podcast. I’ve got some of the references and it’s a little bit confusing because there’s multiple people asking for multiple things. So there’s a little bit of nuance to this. So there’s Executive Order 14028, which says basically vendors must attest to or prove that their software was built using secure software practices. There’s NIST 800-218, which is a NIST document that talks a little bit about that. There’s two OMB memos, M-22-18 and M-23-16, which all have slightly different nuances and self-refer to each other.
I think the guideline there is who’s driving the question? If it’s federal agency or if you’re responding to a particular thing, follow their instructions on what they want to see. I think they all refer to each other. So I think 1428 refers to the NIST 800-218. There is a stock attestation letter where you can as an organization go through that and self-attest to it. There’s also a set of control, it’s not exactly control, a matrix of requirements. As an assessor in the FedRAMP world, I think of them as controls. And I think that’s included there. And it’s based off of 800-218 where you go through all of the pieces. You can have a third party do that for you. You can self-attest to it.
And I think if you’re doing other frameworks, if you’re already doing FedRAMP and you’re already doing CMMC, maybe bits and pieces that you can leverage there. Not everything, and I don’t know that you get some percentage because you’ve already got FedRAMP, but there’s overlap with the SA-4 controls and SA-5 and some of the supply chain controls and whatnot. And so hopefully, if you’ve already got that other compliance, the SSDF on top of it is not a huge lift. People have been asking about it. Because we are an independent assessor, we’ve got to do the rigorous deep dive to attest on somebody’s behalf. It may be the easier path in general, assuming that the C-suite of your organization is comfortable, to just do a self-attestation. And we’re happy to talk about the specifics. If you have got questions, certainly reach out to us at Kratos and we can see what your specific environment or requirements are and help design something there.
So the SSDF, relatively new requirement. Just like everything else, we’re seeing how that plays out over time. And so as we watch what’s going on, hopefully new best practices, new guidance, clear guidance, clear expectations will come out of that.
Cole French:
Yeah, I appreciate that overview, background, explanation on the SSDF. We’ll definitely link to all those references that John provided. We’ll link to those in the show notes so you can go out, take a look at them for yourself if you think SSDF is something your organization may need to get or you’re just interested in learning more about this. I do think one thing, one follow up question I had to what you went over, John, is, so it’s software development, so it’s the practice... So if I’m an organization, I’m developing software, I’m attesting to my software development lifecycle meeting certain requirements or controls, like you said, us as assessors, we tend to go to controls is the term that we tend to use. But does it really delve into your supply chain so much? Or is it really just your software development lifecycle?
John Santore:
I think it’s secure software development lifecycle. And at the most atomic level, let’s assume that you have no other libraries, everything is built in-house, that’s the foundation of... remember what I was talking about, sort of the recursive level of trust with attestations or compliance? This is a piece of that. So it goes into that. I don’t know the controls off the top of my head as well as perhaps I should. I do think that there are some controls or requirements around the composition of your software. So obviously best practices for secure development is make sure what libraries you’re using, make sure that those libraries are vetted against vulnerabilities and the latest things and that kind of stuff. I don’t exactly know how that’s listed in there and I’m not sure to what degree it is, but that’s a good practice in general. So, how’s that for a, sort of non-answer, talking around the question?
Cole French:
That’s perfect. I think your point about the composition of your software gets us back to what we were talking about earlier with open source software. A lot of libraries are open source. It’s not uncommon to leverage and use open source libraries. So, definitely want to make sure just because there’s no vendor, actually really in fact because there is no vendor, you definitely want to make sure that and understand the vulnerabilities associated with those particular software libraries that you may be using. Is there anything else you wanted to add or discuss?
John Santore:
So there’s a couple of things. The DoD Cloud Computing SRG had specific requirements for certain impact levels to have a supply chain risk management plan. That was true even prior to 800-53 REV 5. REV 5 explicitly adds that in the SR control family, however there are not specific FedRAMP or DISA templates for that. I believe that there is a NIST reference, which I don’t know off the top of my head, that can give some guidance in the supply chain risk management stuff.
At a high level though, let’s talk about some of the things that we covered in this session. You want to make sure you’re accounting for your vendors. So you’re evaluating your vendors based off of the risk of the product, service or software that you’re consuming from them, both from a, does it have vulnerabilities, but as well as the criticality. So if a company were to even go out of business, how reliant are you on that? And Cole, I know you and I were on a project once where somebody was using some really old software that had been long since end of life. How do you get the thing packaged? How do you deal with that? And if you can’t turn that off, how did you deal with it? The side note to that is they had a specific enclave with this dedicated thing and had some mitigating controls around that.
But determine the criticality, evaluate your vendors, test what you can test. So A, check their compliance, their attestations, their certifications. Run whatever tools you can run against stuff. So vulnerability scans, compliance scans, static code analysis, composition analysis. Obviously do dynamic code analysis so you’re making sure your stuff is as secure as possible, even with those dependencies.
I see a lot of people doing third-party container images. There is a company out there, and this isn’t an advertisement, I have never personally used them, I’ve just heard about it. I think they’re called Chainguard, which is designed to give you already reasonable third-party container images. So again, if you’re going to trust Chainguard, I think that’s their name, make sure that you vet their compliance framework stuff. What authorizations do they have, what compliance frameworks are they attested to and all the rest of that?
Criticality? Check your sub-services, check the vendors, check the products, and then if you’re dealing with services, make sure you’ve got some mechanism and process in place to evaluate any service providers as far as people.
And I think that’s the gist of it. I think if you hit all of those in perhaps a more structured fashion than my rambly speech, I think you’ll have a pretty good foundation for a supply chain risk management plan. And then just tweak as necessary based on the control framework you’re working on, any provided templates from that framework, take a look at the NIST reference and hit any pieces that I may have missed in my ramble, and I think that’s a good place to start. Obviously tailor anything to your corporate specific needs.
Cole French:
Yeah, appreciate that, John. And as we wrap up this conversation, I’ll just add a couple things onto what you said. I think that if as an organization, you’re looking for a place to start, the first step I would take is take an inventory of your supply chain. So sit down and really just put everything down that you think might constitute some piece or part of your supply chain. Define that inventory, define that list, and start from there. Do all the things John just said, right? So, John was talking about a supply chain risk management program. So, yeah, he did talk about identifying your vendors, but I think that’s an easy first step is identify and inventory all of your vendors. What is it that they’re supplying to you?
And then I think also after you’ve done that risk management exercise, think about how am I going to interface with those vendors to get the information I need? Because certainly you’re going to come across vendors that you don’t really have any idea necessarily what their security posture is because they’re a mom and pop shop, they’re not attesting to any kind of frameworks or anything. But to John’s earlier example of paper clips, that doesn’t necessarily mean that that precludes them from being in your supply chain. It just means you may need to do some due diligence, reach out to them, have conversations with them, and get an understanding that way of the security that they have in place, which is beneficial to you. So it could be a compliance framework that they’re leveraging, it might not, but the value of that or the criticality of that is based on the risk of whatever function they’re supplying in your supply chain.
So all the things John said, just hitting as we close again on inventorying those people, services, products in your supply chain and then figuring out how am I going to interface with all of those different elements to get the information that I need? So John, I’ll give you one last... as we close out, anything else you wanted to add or mention before we finish up?
John Santore:
I want to follow up on exactly what you said. You said inventory the vendors. I take it one step further, inventory all of your stuff. One of the key components of just security in general is know your assets and what are your assets, breaking down into the sub components. And that should tie exactly to the inventory of your vendors. And then follow everything we’ve said for the past, however long it’s been.
Cole French:
Absolutely, John. And I think similar to all the references we mentioned earlier around the SSDF and stuff like that, we’ll include these in the show notes, right? We’ll include an outline of what a good supply chain risk management program would look like. Some of those elements you want to really key in on at a high level. And then obviously as your particular organization, you take it to the depth that is necessary for you.
Well, John, I really enjoyed this conversation. I think it was extremely valuable and that our listeners will really benefit from it. So just want to say thanks again for sharing your time and your expertise.
John Santore:
No, thank you. These are always fun to be on and hopefully everybody was, I don’t know if entertained is the right word, but at least learned something, has got some take-aways to think about and hopefully we’ll do another one of these soon.
Cole French:
Absolutely. Thanks again, John.