April is National Supply Chain Integrity Month.

In partnership with the Office of the Director of National Intelligence (ODNI) and other government and industry partners, the Cybersecurity and Infrastructure Security Agency (CISA) is promoting a call to action for a unified effort by organizations across the country to strengthen information and communications technology (ICT) supply chain.

The ICT supply chain powers national security missions, critical infrastructure sectors and private industry security and innovations. As more organizations undergo digital transformations to streamline operations, the supply chain becomes more complex and interconnected, encompassing the entire lifecycle of ICT hardware, software, and managed services and various entities — including third-party vendors, suppliers, and service providers. Adversaries target third-party vendors and suppliers for this very reason, representing a way to target the government and critical infrastructure. 

Acting CISA Assistant Director Mona Harrington says, “Government and industry must continue to work together to protect our critical infrastructure and the associated supply chains that underpin the very fabric of our nation and economy.” 

Here are a few steps organizations can take to enhance the security and resilience of their ICT supply chain, according to security leaders:

Jasmine Henry, Field Security Director at JupiterOne: There is no solution currently, only tactics to reduce risk. Using knowledge graphs to map critical asset dependencies on third-party code is helpful. Software bill of materials (SBOMs), vendor consolidation, and retiring legacy systems can also mitigate supply chain risk.

Joseph Carson, chief security scientist and Advisory CISO at Delinea: At the moment, the global supply chain is extremely fragile. Organizations have less control and visibility over the actual security that supply chains have put in place. For the most part, this tends to only be covered in legal contracts rather than a true security risk assessment. Organizations must prioritize privileged access security to reduce the risks exposed in their supply chain security.  

Yaniv Bar-Dayan, CEO and co-founder at Vulcan Cyber: It is unfair to blame the software supply chain vendor considering how bad actors often use known, unaddressed vulnerabilities that IT security teams should have mitigated well before the software supply chain hack became a reality. Cybersecurity teams need to do more than just scan for vulnerabilities. We need to work together to better measure, manage and mitigate cyber risk, or we will be crushed by a growing mountain of vulnerability debt.

Throughout April, CISA will promote resources, tools, and information, including those developed by the public-private ICT Supply Chain Risk Management (SCRM) Task Force, to help organizations and agencies integrate SCRM into their overall security posture. To view online resources, visit CISA.gov/supply-chain-integrity-month.