NASA Experts: ‘No Risk’ is No-Go in Cyber Risk Management

While many cybersecurity officials strive to achieve “no risk” when it comes to cyber risk management, officials from NASA this week explained that’s just not possible and suggested that agencies instead focus on managing risks that are important to the mission.

At the NASA SEWP (Solutions for Enterprise-Wide Procurement) SCRM Hybrid Forum 2022 on May 24, Joanne Woytek, program manager for the NASA SEWP program, explained how cyber risk management does not mean achieving zero risk.


Viasat to Begin Integration of Long-delayed Link 16 Military Communications Satellite
Source: Space News
Published: April 21, 2022

Viasat is rushing to complete the integration of a small communications satellite for the U.S. military that is years behind schedule due to supply chain delays. The satellite is designed to serve as a data relay in space for the network of Link 16 tactical radios used by the U.S. military and allies. The Air Force Research Laboratory awarded Viasat a $10 million contract in 2019 to integrate a cubesat with a Link 16 communications terminal. The original target launch date was in 2020.

NIST Official: Revised Cybersecurity Supply Chain Guidance Imminent
Source: Nextgov
Published: April 27, 2022

The National Institute of Standards and Technology is about to publish guidance for securing enterprises against supply chain hacks following the SolarWinds event and other major third-party attacks targeting critical infrastructure. “The flagship cybersecurity supply chain risk management guidance is [Special Publication 800-161],” NIST’s Angela Smith said. “We’re going to actually be releasing the first major revision—revision one—by the end of next week, so everybody should be on the lookout for that if you’ve not already had a chance to review some of the public drafts that have come out.”

Representatives Malinowski and Garbarino Introduce Bipartisan Bill to Protect Space Systems and Critical Infrastructure from Cyberattacks

April 28, 2022

Representatives Tom Malinowski (D-NJ) and Andrew Garbarino (R-NY) introduced legislation to protect space systems, especially those that support critical infrastructure, from cyberattacks that threaten American national security and economic prosperity. The bipartisan Satellite Cybersecurity Act requires the Cybersecurity and Infrastructure Security Agency (CISA) to develop a set of standards and recommendations that the commercial satellite industry can use to protect its networks. The bill also requires the Government Accountability Office (GAO) to evaluate the effectiveness of government efforts to strengthen cybersecurity for the commercial satellite industry, and to identify vulnerabilities that might place critical infrastructure at risk. Full text of the legislation can be found here.

Senators Gary Peters (D-MI) and John Cornyn (R-TX) are leading companion legislation, which recently advanced through the Senate Homeland Security and Government Affairs Committee. Their companion bill, S. 3511, the “Satellite Cybersecurity Act,” introduced on January 13, 2022, would require a report on Federal support to the cybersecurity of commercial satellite systems, and for other purposes, including the development of commercial satellite system cybersecurity recommendations that cover, under item (G), the management of supply chain risks that affect the cybersecurity of commercial satellite systems.

“The Satellite Cybersecurity Act will enable CISA to fulfill its duty as the Sector Risk Management Agency for the Communications Sector and work with private sector owners and operators to mitigate threats to U.S., Ukraine, and other international satellite communication networks.”

U.S. Chamber of Commerce Announces Cyber, Space, and National Security Policy Division
Source: HSToday
Published: April 30, 2022

The United States Chamber of Commerce has announced a new Cyber, Space, and National Security Policy Division under the continued leadership of Senior Vice President Christopher D. Roberti. Formerly the Cyber, Intelligence, and Supply Chain Security Division, the new division now includes the Chamber’s Defense and Aerospace Council (DAC) and will provide enhanced advocacy in cybersecurity, intelligence, supply chain security, space and aerospace, and procurement, acquisition, and innovation. Roberti is responsible for managing the Chamber’s relationships with key U.S. Government interlocutors across the national security, intelligence community, and law enforcement sectors.

CISA Official Renews Call for SBOMs to Help Software, Supply Chain Security

Source: MeriTalk

Wider use of software bills of materials (SBOM) requirements represents a key building block in software security and software supply chain risk management that Federal agencies need to increasingly rely on going forward, an official from the Cybersecurity and Infrastructure Security Agency (CISA) said today.

Allan Friedman, a senior advisor and strategist for CISA, explained that software packages typically include an extensive number of third-party components, and that Federal agencies must actively watch and manage each one to preserve security and functionality.

“To that end, it’s critical for the Federal government to move towards frequent utilization of an SBOM to keep track of these components. This machine-readable list comprises the various dependencies and elements of a piece of software,” Friedman said at a virtual event hosted by GovExec.

An SBOM also constitutes a formal record containing the details and supply chain relationships of various components used in building the software.

The drive for SBOMs has gained steam since May 2021, when the Biden administration released an executive order emphasizing SBOMs as a way of boosting the nation’s cybersecurity. Since then, the National Telecommunications and Information Administration (NTIA) has sought comment on what to include in SBOMs, and CISA leadership has called for SBOMs to aid in system visibility and inventory management following disclosure of the Log4J vulnerability earlier this year.

Friedman said today that SBOM implementation in the Federal space remains new and emerging. And while there is no reason organizations cannot use SBOM today, “we cannot assume universal full automation and integration,” he said.

Moving forward, Friedman listed three main goals in the government’s broader SBOM initiative:

  • Make SBOM generation an expectation in the marketplace;
  • Make SBOM generation easier and cheaper, at scale; and
  • Enable efficient and effective SBOM data consumption.

Additionally, Friedman explained that CISA will advance the SBOM work by facilitating community engagement, development, and progress, with a focus on scaling and operationalization, as well as tools, new technologies, and new use cases. He also explained that “continued industry leadership is needed to guide SBOM investment, standards, and policy.”

Friedman acknowledged that transparency will not solve all security problems, but “without transparency, it will be very hard to solve any security problems.”
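The article describes an SBOM as a machine-readable record of a software package's components and their supply chain relationships, and names efficient SBOM data consumption as one of the three goals. The following is an added example, not code from the article, CISA, or any SBOM tool: it reads a small CycloneDX-style JSON SBOM (the component names, versions and the advisory identifier are constructed for illustration), matches each component against an advisory list, and reports the dependency path that pulls each affected component in, which is the inventory question the Log4J episode mentioned above forced many teams to answer by hand.

```python
import json
from typing import Dict, List

# Constructed, minimal CycloneDX-style SBOM. The layout (components with
# bom-ref/name/version/purl and a dependency graph keyed by bom-ref) follows
# the public CycloneDX JSON shape; the component names and versions are
# made up for this example.
SAMPLE_SBOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.4",
    "metadata": {"component": {"bom-ref": "app", "name": "example-app", "version": "1.0.0"}},
    "components": [
        {"bom-ref": "c1", "name": "web-framework", "version": "2.3.1",
         "purl": "pkg:maven/example/web-framework@2.3.1"},
        {"bom-ref": "c2", "name": "logging-lib", "version": "2.14.1",
         "purl": "pkg:maven/example/logging-lib@2.14.1"},
        {"bom-ref": "c3", "name": "json-parser", "version": "1.9.0",
         "purl": "pkg:maven/example/json-parser@1.9.0"},
    ],
    "dependencies": [
        {"ref": "app", "dependsOn": ["c1", "c3"]},
        {"ref": "c1", "dependsOn": ["c2"]},
        {"ref": "c2", "dependsOn": []},
        {"ref": "c3", "dependsOn": []},
    ],
})

# Constructed advisory feed: component name -> affected versions and a
# placeholder advisory id. Not a real advisory.
ADVISORIES = {
    "logging-lib": {"affected": ["2.14.0", "2.14.1"], "id": "PLACEHOLDER-ADVISORY-001"},
}


def load_components(sbom_json: str) -> Dict[str, dict]:
    """Return all components keyed by bom-ref, including the top-level application."""
    doc = json.loads(sbom_json)
    comps = {c["bom-ref"]: c for c in doc.get("components", [])}
    root = doc.get("metadata", {}).get("component")
    if root:
        comps[root["bom-ref"]] = root
    return comps


def dependency_paths(sbom_json: str, target_ref: str) -> List[List[str]]:
    """Every path from the root component down to target_ref (explains a transitive dependency)."""
    doc = json.loads(sbom_json)
    edges = {d["ref"]: d.get("dependsOn", []) for d in doc.get("dependencies", [])}
    root = doc["metadata"]["component"]["bom-ref"]
    paths: List[List[str]] = []

    def walk(node: str, path: List[str], seen: set) -> None:
        if node == target_ref:
            paths.append(path)
            return
        for child in edges.get(node, []):
            if child not in seen:  # guard against cycles in a malformed SBOM
                walk(child, path + [child], seen | {child})

    walk(root, [root], {root})
    return paths


def find_affected(sbom_json: str, advisories: dict) -> List[dict]:
    """Match each component against the advisory feed; return hits with their dependency paths."""
    hits = []
    for ref, comp in load_components(sbom_json).items():
        adv = advisories.get(comp["name"])
        if adv and comp.get("version") in adv["affected"]:
            hits.append({
                "bom_ref": ref,
                "name": comp["name"],
                "version": comp["version"],
                "advisory": adv["id"],
                "paths": dependency_paths(sbom_json, ref),
            })
    return hits


if __name__ == "__main__":
    for hit in find_affected(SAMPLE_SBOM, ADVISORIES):
        print(f"{hit['name']}@{hit['version']} ({hit['advisory']})")
        for p in hit["paths"]:
            print("  via " + " -> ".join(p))
```

Running it reports `logging-lib@2.14.1` reached via `app -> c1 -> c2`, i.e. a second-level dependency that a scan of the application's own declared dependencies would miss; that transitive visibility is the concrete payoff of the machine-readable format the article describes.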

Overview of KA-SAT Network Cyber Attack via the Cyber Supply Chain

Viasat is providing an overview and incident report on the cyber-attack against the KA-SAT network, which occurred on 24 February 2022, and resulted in a partial interruption of KA-SAT’s consumer-oriented satellite broadband service.

This incident was localized to a single consumer-oriented partition of the KA-SAT network that is operated on Viasat’s behalf by a Eutelsat subsidiary, Skylogic, under a transition agreement Viasat signed with Eutelsat following Viasat’s purchase of Euro Broadband Infrastructure Sàrl (“EBI”), the wholesale broadband services business created as part of Viasat’s former partnering arrangement with Eutelsat. The residential broadband modems affected use the “Tooway” service brand. This cyber-attack did not impact Viasat’s directly managed mobility or government users on the KA-SAT satellite. Similarly, the cyber-attack did not affect users on other Viasat networks worldwide.

For more, visit KA-SAT Network cyber attack overview | Viasat

Amazon Joins Orbital Reef Commercial Space Station Project

Amazon is getting into the private space station business.

The company has joined the Orbital Reef commercial space station project to provide supply-chain logistics and Amazon Web Services for the private orbital outpost, which is slated to launch by the late 2020s. The Orbital Reef project is led by Blue Origin and Sierra Space, and is a partnership with Boeing, Redwire Space, Genesis Engineering, and Arizona State University. Amazon’s role in Orbital Reef, which the company announced at the 37th National Space Symposium, includes overseeing logistics using its Distribution and Fulfillment Solutions arm. And Amazon Web Services will offer networking, cloud computing and communications solutions for the station’s flight operations, development and design teams.

Source: Space

Supply Chain Crisis Worsens As Russia’s War Against Ukraine Continues

As Russia’s war against Ukraine escalates and sanctions by the U.S. and other countries intensify, so does their impact on supply chains around the world.

Going through recent events like the U.S.-China trade war, Covid-induced disruptions, followed by the major armed conflict, many firms that had been skeptical about the idea of reshoring and multi-sourcing started to reexamine their options… they are living through the era of disequilibrium, and all of a sudden ‘just-in-case’ sounds more reasonable than ‘just-in-time’…

After the jolts from these successive events…the momentum will be built towards a model of more regionalized supply chains, with weakened linkages in some areas but also strengthened ones in other corners…

Many big tech companies that put facilities in Poland and Hungary are quite close to the fire now. It is forcing those companies to shift capacity and volume to safer regions, like North and South America.

Source: Forbes