The Cybersecurity and Infrastructure Security Agency (CISA) is taking a multi-faceted approach to supply chain security, and chief among its priorities are strong public-private partnerships to maintain supply chain resilience and sustained awareness of where supply chain threats originate.
That was the word from Mara Winn, Associate Director of CISA’s National Risk Management Center (NRMC), who provided updates on the NRMC’s work at FCW’s NASA SEWP SCRM Hybrid Forum 2022 on May 24.
“This emphasis on the importance of public-private partnerships when tackling some of the most important issues facing our country is what led CISA to establish the ICT [Information Communication Technology] supply chain risk management task force in 2018,” said Winn.
“The task force is the focal point for public-private supply chain risk management partnership and allows industry and government subject matter experts to jointly examine and develop recommendations and policy initiatives to address key strategic challenges to identifying and managing risk associated with a global supply chain and related third-party risk,” she said.
The task force includes 60 organizations and now also includes two state-level associations. Its focus areas include developing taxonomies so that the supply chain threat landscape can be described in a more standardized way.
Having a common language on security then allows organizations to have an “apples-to-apples conversation with your vendors,” which is especially useful because different groups have different tolerances for risk, she said.
Winn also emphasized the importance of agencies constantly looking at where threats are coming from and understanding the trustworthiness of their own supply chain. She noted that everyday risks to the supply chain are “more than just ships having trouble in ports.”
“There are cascading effects and impacts that may not be immediately apparent and … could impact many different segments of the population,” said Winn. “So, we are constantly looking at where the threats are coming from because you have to understand the threats, your vulnerabilities, and what are your consequences to make your appropriate decisions.”