Software development and hardware manufacturing have become increasingly globalized over the last 10 years. A single application can contain hundreds, or even thousands, of software components sourced from just as many vendors located all over the world. And each one of these components presents a potential entry point for attack.
As evidenced by the SolarWinds hack, the lack of transparency in our supply chains represents a significant impediment to securing the United States' IT systems. The Biden Administration said as much with last year's Executive Order 14028, "Improving the Nation's Cybersecurity".
Now, a year later, federal agencies are beginning to roll out new requirements and guidelines for contracting firms to improve the integrity of these IT supply chains and reduce systemic risk. As with much of cybersecurity, this will require comprehensive efforts throughout the federal technology ecosystem, and a careful balancing of security and ease of use.
This week, The Buzz is joined by Leo Alvarez, Principal at Baker Tilly and member of ACT-IAC's Cybersecurity Supply Chain Risk Management (C-SCRM) Working Group. He shares some insights on what effective C-SCRM strategies look like and how these new requirements will affect the acquisitions process.
Referenced in this episode:
CISA C-SCRM Task Force
NIST C-SCRM Practices
ACT-IAC Acquisitions C-SCRM Working Group
Subscribe on your favorite podcast platform to never miss an episode! For more from ACT-IAC, follow us on Twitter @ACTIAC or visit http://www.actiac.org.