- The White House has announced key government-wide initiatives for the coming year that are focused on long-term domestic supply chain resilience.
- The Biden Administration released a capstone report on key actions it has taken over the past year to reduce U.S. supply chain vulnerability across a range of key sectors.
- As a complement to the capstone report, seven cabinet agencies published reports identifying weaknesses and strategies to strengthen supply chains for these sectors.
RSA Conference (RSAC) 2022
San Francisco, CA
June 6-9, 2022
The theme for RSAC 2022 is “Transform.” This conference offers a dialogue on the rapidly evolving information security industry by providing insight into trends and breaking news in information security. It is intended for military, government, academia, and industry information security experts.
Protecting Data & the Supply Chain
This track explores the cascading security requirements of the extended enterprise and the classification, tracking, and protection of data. It covers data protection regulations, DLP and threats to sensitive data, and emerging trends in software supply chain security as well as vendor and partner SLAs, supply chain mapping, continuous enforcement, and how to future-proof vendor contracts and risk assessments for evolving requirements.
For more information, follow these links:
2022 USA | RSA Conference
Trust, but Verify: Protecting Your Business from Supply Chain Attacks | RSA Conference
NIST Refreshing Voluntary Cybersecurity Framework Amid Push for Mandates
Source: Nextgov
Published: February 22, 2022
The National Institute of Standards and Technology wants to know how it might improve its landmark framework of cybersecurity standards and practices and streamline similar efforts related to particular issues like privacy and supply-chain security. “Every organization needs to manage cybersecurity risk as a part of doing business, whether it is in industry, government or academia,” said Commerce Deputy Secretary Don Graves in a news bulletin NIST published Tuesday. “It is critical to their resilience and to our nation’s economic security. There are many tools available to help, and the CSF is one of the leading frameworks for private sector cybersecurity maintenance. We want private and public sector organizations to help make it even more useful and widely used, including by small companies.”
New Pentagon Report Raises Alarm Over Industry Consolidation, Future of Competition
Feb. 16, 2022
Air Force Magazine
The Defense Department faces a future of high-price, sole-source contracts, reduced innovation, and possible critical shortages if it doesn’t take steps to increase competition and the number of suppliers in the defense industrial base, according to a new Pentagon report. But changing the conditions creating the situation won’t be easy, it said.
To prevent these issues, the U.S. must limit further defense industry consolidation; fix intellectual property issues; attract new businesses to the industry—especially small businesses—and put “sector-specific supply chain resiliency plans” into effect for critical items, ranging from missiles to castings, strategic metals, and microelectronics, according to the report, released Feb. 15.
Pentagon Report: State-of-Competition-Within-the-Defense-Industrial-Base
Three Ways to Enhance Supply Chain Cybersecurity
Three Ways To Enhance Supply Chain Cybersecurity
Source: Forbes
Published: February 16, 2022
It’s a familiar headline: Your supply chain may be your biggest cybersecurity risk. And for good reason. Between pressure to maintain business continuity and exceed profits amid inflation and global supply chain issues, organizations across industries have a lot to contend with. This focus elsewhere can lead to threat actors slipping under the radar more easily while also making a big splash. For instance, beyond the potential exposure of credit card data, we’ve seen a rise in ransomware and nation-state threat activity in an attempt to further disrupt stressed infrastructures. While these challenges are broad, if we approach cybersecurity as a collective whole, rather than as individual organizations, they are not insurmountable.
Cyber Attack Strikes German Fuel Supplies
Cyber-attack strikes German fuel supplies
Source: BBC
Published: February 1, 2022
A major fuel supplier in Germany is operating at a “limited capacity” after a cyber-attack disrupted IT systems at the weekend. Oiltanking Deutschland GmbH & Co. KG stores and transports oil, vehicle fuels and other petroleum products for companies like Shell. It says it discovered it had been hacked on Saturday. It has declared “force majeure” for the majority of its inland supply activities in Germany.
A cyber attack at the Patent Office led to increased eyes on supply chain risk
Many people think of cybersecurity threats as coming from the outside, but with the government relying on private companies to provide hardware and software, the very tools that agencies use can be a threat in themselves.
Supply chain issues are wracking the nation, but the government is also thinking about its supply chain in terms of what companies are providing goods and services.
The U.S. Patent Office is one organization that pays particularly close attention to supply chain issues in order to keep clients' proprietary information safe. Just recently, the Patent Office found a zero-day vulnerability in one of its logging libraries, according to Stephan Mitchev, director of the Office of Application Engineering and Development and acting chief technology officer at the Patent Office.
That infiltration caused the office to look harder at its supply chain to see what could have been infected.
Cybersecurity Threats in The Cloud Software Supply Chain
January 20, 2022 — Cybersecurity Threats in the Cloud Software Supply Chain
Register now for ATARC’s Cybersecurity Threats in the Cloud Software Supply Chain event on January 20, 2022, from 1:30 PM – 2:30 PM ET. High-profile software supply chain attacks, such as SolarWinds and Kaseya VSA, have shed a glaring light on the disparity between agencies’ perceptions of security within their cloud infrastructure and the reality of supply chain threats that can impact business catastrophically. Tune in to this panel to hear what topic experts have to say on threat assessment within the cloud, and how the Executive Order impacted agencies’ cloud security practices. Register here.
SolarWinds Public Sector Cybersecurity Survey Report 2021
SolarWinds released the findings of its seventh Public Sector Cybersecurity Survey Report. The Public Sector Cybersecurity Survey Report includes responses from 400 IT operations and security decision makers, including 200 federal, 100 state and local, and 100 education respondents.
“These results demonstrate that while IT security threats have increased—primarily from the general hacking community and foreign governments—the ability to detect and remediate such threats has not increased at the same rate, leaving public sector organizations vulnerable,” said Brandon Shopp, Group Vice President, Product Strategy, SolarWinds. “But the data also shows an increased awareness and adoption of zero trust, as well as a commitment to invest in IT solutions and adopt cybersecurity best practices outlined in the Administration’s Cybersecurity Executive Order. It’s through these steps that public sector organizations can enhance their cybersecurity posture and fight the rising tide of external threats.”
NIST SP 800-160v1 Revision 1 Initial Public Draft out for Review
NIST is releasing the draft of a major revision to Special Publication (SP) 800-160 Volume 1, Engineering Trustworthy Secure Systems. This publication is intended to serve as a reference and educational resource for engineers and engineering specialties, architects, designers, and personnel involved in the development of trustworthy secure systems and system components. The guidance can be applied selectively by organizations, individuals, or engineering teams to improve the security and trustworthiness of systems and system components.
In particular, Draft SP 800-160 Volume 1, Revision 1 focuses on the following strategic objectives, which drove the majority of changes to the publication:
- More strongly positioning Systems Security Engineering (SSE) as a sub-discipline of Systems Engineering (SE)
- Emphasizing that the responsibility for engineering trustworthy secure systems is not limited to security specialties and that the achievement of security outcomes must properly align with SE outcomes
- Aligning SSE practices with safety practices and other disciplines that deal with the loss of assets and the consequences of asset loss
- Focusing on the assurance of the correctness and effectiveness of the system’s security capability to achieve authorized and intended behaviors and outcomes and control adverse effects and loss
- More closely aligning systems security engineering work to international standards
NIST is interested in feedback on the specific changes made to the publication during this update, including the organization and structure of the publication, the presentation of the material, its ease of use, and the applicability of the technical content to current or planned systems engineering initiatives.
Submit comments using the comment template provided.