The U.S. federal government has one of the biggest supply chains in the U.S., if not the world. The United States government is dependent on contractors, using upwards of 4 million contractors to outsource tasks, provide services, and both develop and manufacture products. That number fluctuates, depending on whether the country is at war or in peacetime (during the Iraq War, for example, the number of federal contractors more than doubled).
One thing does not change, however: as with private organizations, government contractors are often targeted by cybercriminals. Earlier this year, for example, a supplier for several major defense contractors was targeted by a ransomware attack. Such attacks can be disruptive: sensitive documents can be made public, the supply chain can be disrupted, and — as with attacks on the vendors of private companies — a data breach of a contractor is usually an attempt to get at the main organization itself.
Contractors aren’t the only ones under fire during the pandemic: government agencies in the U.S. and abroad have also seen an uptick in attacks since March, as workers have attempted to work from home and criminals have attempted to take advantage of the security vulnerabilities this has created.
The Pentagon has attempted to rein in cyberattacks on its defense contractors by introducing new cybersecurity standards in January: the Cybersecurity Maturity Model Certification (CMMC). The CMMC incorporates the 110 security requirements of NIST SP 800-171 while adding practices and processes specific to the Department of Defense’s (DoD) requirements. These standards, however, only apply to defense contractors. So how can all government agencies operate more securely despite lean budgets and bad actors intent on disrupting the supply chain?
Best practices for government cybersecurity and supply chain risk management
Tight budgets, classified information, and rapidly evolving threats mean that cybersecurity is often a challenge for government agencies and their supply chain. Below are some best practices for securing your data and managing contractor risk.
1. Secure your site
Can visitors make an unencrypted connection to any of the pages on your site? What about your contractors’ sites? In June, the U.S. government announced that all .gov sites would be HTTPS, or “secure HTTP.” The government also wants its web servers publicly committed to using HTTPS by default. There’s not a firm deadline on these requirements, however, so each agency may be feeling its own way when it comes to switching over to this more secure option.
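As an added illustration (not part of the original article or any vendor tool), the Python sketch below grades what a site returns on plain HTTP and whether its HTTPS response carries an HSTS (Strict-Transport-Security) policy. The hostnames and observations are constructed, and treating HSTS with a one-year lifetime as the way a server commits to HTTPS by default is an assumption of this example.

```python
from urllib.parse import urlsplit

ONE_YEAR = 31536000  # seconds; assumed minimum HSTS lifetime for this example

def parse_hsts(value):
    """Parse a Strict-Transport-Security header into (max_age, include_subdomains)."""
    max_age, include_sub = None, False
    for part in (value or "").split(";"):
        name, _, arg = part.strip().partition("=")
        arg = arg.strip('" ')
        if name.lower() == "max-age" and arg.isdecimal():
            max_age = int(arg)
        elif name.lower() == "includesubdomains":
            include_sub = True
    return max_age, include_sub

def assess(host, http_status, http_location, hsts_header):
    """Return findings for one host from its plain-HTTP reply and HTTPS HSTS header."""
    findings = []
    target = urlsplit(http_location or "")
    if http_status not in (301, 302, 307, 308):
        findings.append("plain HTTP is served without a redirect")
    elif target.scheme != "https":
        findings.append("redirect does not lead to HTTPS")
    elif target.hostname != host:
        findings.append("redirect leaves the host before HTTPS is established")
    max_age, include_sub = parse_hsts(hsts_header)
    if max_age is None:
        findings.append("no HSTS policy on the HTTPS response")
    else:
        if max_age < ONE_YEAR:
            findings.append("HSTS max-age is shorter than one year")
        if not include_sub:
            findings.append("HSTS does not cover subdomains")
    return findings

# Constructed observations: (host, HTTP status, Location header, HSTS header).
SAMPLES = [
    ("agency.example", 301, "https://agency.example/", "max-age=31536000; includeSubDomains; preload"),
    ("contractor.example", 200, None, None),
    ("portal.example", 302, "https://portal.example/login", "max-age=86400"),
]

def report(samples=SAMPLES):
    return {host: assess(host, status, loc, hsts) for host, status, loc, hsts in samples}

if __name__ == "__main__":
    for host, findings in report().items():
        print(host, "OK" if not findings else "; ".join(findings))
```

The same function can be fed observations collected for contractor sites, so agency and supplier hosts are graded against one rule set.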
2. Know your assets
When you’re building a cybersecurity strategy, it’s important to know what assets you’re protecting. Build a list of the assets you do not want to be breached. This list might contain data, devices, or networks. How severe is the risk associated with each asset if it were breached? Would you lose classified information? Would you lose productivity? What people and entities have access to each asset? Once you understand your risks, you can start to develop a cybersecurity strategy to protect those assets.
3. Know your contractors
One of the problems in private companies is that organizations often don’t know who their vendors are. This may be a problem in large government organizations as well. Create a list of your contractors, and make a note of all the information and systems each has access to so that you know what impact a breach would have on your agency if one of your contractors were subject to a cyber attack.
4. Automate your cybersecurity operations
Lean cybersecurity budgets and a pared-down staff may mean that your agency is stuck in reactive mode, constantly responding to threats, rather than proactively monitoring the threat landscape. By streamlining your operations and automating some of the more time-consuming tasks associated with security (some of the more onerous tasks associated with managing contractor risk and relationships, for example, or monitoring for compliance) your team can do more with less. This will let you be more proactive in your cybersecurity strategy. You can step away from dealing with whatever the problem of the day is, and plan for the future.
How SecurityScorecard automates cybersecurity processes
Continuous monitoring of an organization’s cyber health is critical to its security. SecurityScorecard’s easy-to-read Security Ratings, based on an A-F scale, monitor your agency’s security posture across 10 risk factor groups, giving you an outside-in view of your IT infrastructure. For example, if any of your sites are not using HTTPS, we can show any non-encrypted sites. Whenever you fall out of compliance in a risk factor group, your agency’s score will change. You’ll know as soon as it happens, so you can address it.
This goes for your third parties as well. Our security ratings allow you to monitor your contractors’ scorecards. And our intelligent tool, Atlas, uses advanced artificial intelligence to streamline the third-party risk management process. Using our platform, your agency can upload contractors’ responses to questionnaires. Our machine learning compares those answers to previous questionnaires and our platform’s own analytics, verifying their responses almost instantly.

