Webinar: One Year In: The Executive Order and Securing Software Supply Chains

The "One Year In: The Executive Order and Securing Software Supply Chains" webinar, held on May 12, 2022, is now available for viewing. During the event, experts discussed the role of the software bill of materials (SBOM) in securing software supply chains, as well as key insights from the latest Executive Order on Cybersecurity.

The entire event is available to view here: https://learn.atarc.org/e/315131/X0MyS0qfGBY/jq1p2/1760163334?h=6zjEdpU6R9W6cJWI_SSm4iNfw2nY26D7ngmVTkAIuLk

SolarWinds Public Sector Cybersecurity Survey Report 2021

SolarWinds released the findings of its seventh Public Sector Cybersecurity Survey Report. The Public Sector Cybersecurity Survey Report includes responses from 400 IT operations and security decision makers, including 200 federal, 100 state and local, and 100 education respondents.

“These results demonstrate that while IT security threats have increased—primarily from the general hacking community and foreign governments—the ability to detect and remediate such threats has not increased at the same rate, leaving public sector organizations vulnerable,” said Brandon Shopp, Group Vice President, Product Strategy, SolarWinds. “But the data also shows an increased awareness and adoption of zero trust, as well as a commitment to invest in IT solutions and adopt cybersecurity best practices outlined in the Administration’s Cybersecurity Executive Order. It’s through these steps that public sector organizations can enhance their cybersecurity posture and fight the rising tide of external threats.”

Press Release: SolarWinds – For the First Time in Five Years, External Threats Overshadow Internal Threats as the Greatest Cybersecurity Concern for the Public Sector

On the Feasibility of Detecting Software Supply Chain Attacks

Published in: MILCOM 2021 – 2021 IEEE Military Communications Conference (MILCOM)

Date of Conference: 29 Nov.-2 Dec. 2021

Abstract

A supply chain attack is a stealthy and sophisticated cyberattack that aims to compromise a target by exploiting weaknesses and vulnerabilities in its supply chain. Recent supply chain attacks (e.g., the SolarWinds attack) have compromised some of the most secured IT infrastructures of government agencies and enterprises. The European Union Agency for Cybersecurity, ENISA, has predicted that there will be 3 times more supply chain attacks in 2021 than in 2020. In this paper, we look into the problem of supply chain attacks and the challenges of defending against software supply chain attacks. We analyze what it takes to effectively prevent software supply chain attacks, and show that it is indeed feasible and practical for customers to detect certain software supply chain attacks. We propose an information flow based detection approach that enables end users to detect many software supply chain attacks without dealing with any of the underlying software suppliers.

Cybersecurity Reference and Resource Guide

2019 Cybersecurity Resource and Reference Guide_DoD-CIO_Final_2020FEB07

The purpose of this document is to provide a useful reference of both U.S. and International resources, in order to develop cybersecurity programs and to build and maintain strong network protection. Extensive reference materials exist that support efforts to build and operate trusted networks and ensure information systems maintain an appropriate level of confidentiality, integrity, authentication, non-repudiation, and availability. The resources compiled here support security cooperation and shared best practices to help achieve collective cybersecurity goals. This guide provides readily available and unclassified information pertaining to cybersecurity norms, best practices, security cooperation, policies and standards authored and adopted by the United States (U.S.) government, the U.S. Department of Defense (DoD), and recognized international institutes and workforce development training resources provided by government, industry, and academia.

Aspects related to Cyber Supply Chain Risk Management in the document:

Cyber Supply Chain Risk Management (SCRM) is the process of identifying, assessing, and mitigating the risks associated with the distributed and interconnected nature of information and operational technology product and service supply chains. It covers the entire life cycle of a system (including design, development, distribution, deployment, acquisition, maintenance, and destruction) as supply chain threats and vulnerabilities may intentionally or unintentionally compromise an information and operational technology product or service at any stage.

Website: https://csrc.nist.gov/Projects/Supply-Chain-Risk-Management

NIST SP 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, April 2015

Federal agencies are concerned about the risks associated with information and communications technology (ICT) products and services that may contain potentially malicious functionality, are counterfeit, or are vulnerable due to poor manufacturing and development practices within the ICT supply chain. These risks are associated with federal agencies' decreased visibility into, understanding of, and control over how the technology that they acquire is developed, integrated, and deployed, as well as the processes, procedures, and practices used to assure the integrity, security, resilience, and quality of the products and services. This publication provides guidance to federal agencies on identifying, assessing, and mitigating ICT supply chain risks at all levels of their organizations. It integrates SCRM into federal agency risk management activities by applying a multi-tiered, SCRM-specific approach, including guidance on supply chain risk assessment and mitigation activities.

Website: https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161.pd

Cybersecurity and Information Systems Digest

Cybersecurity & Information Systems Information Analysis Center (CSIAC)
14 DECEMBER 2021

The Digest is a newsletter intended to provide readers with a greater awareness of the latest research and development trends in the four technical focus areas supported by CSIAC while also highlighting recent CSIAC activities, services, and products.

Find the latest issue at this link:

14 DECEMBER 2021 – CSIAC

CyberLEO and CyberSatGov

The CyberSat events are dedicated to fostering the necessary discussions to understand current threat vectors in the satellite and space industry, with the intent to develop solutions to prioritize and mitigate risks.

MAY 11-13, 2022 | LOS ANGELES, CA
NOV. 1-3, 2022 | RESTON, VA

Based on market demand, CyberLEO will launch in May in Los Angeles, CA and address cybersecurity threats to Low Earth Orbit satellites and emerging technologies. The conversation continues in November with the flagship event CyberSatGov, focusing on government, military, satellite, and space technologies.

For more information, visit 39937-CyberSat22-Prospectus-Update_2.pdf (cybersatsummit.com)

To register, visit CyberSat 2022 – New Registration (eventscloud.com)

Rocky Mountain Cyberspace Symposium 2022

Rocky Mountain Cyberspace Symposium 2022 (eventsquid.com)

Rocky Mountain Cyberspace Symposium 2022 AFCEA Rocky Mountain Chapter
Mon, February 21, 2022 — Thu, February 24, 2022

The Rocky Mountain Cyberspace Symposium's theme this year is "Securing Partnerships and Technologies." Modern organizations, whether Federal or Commercial, are increasingly interdependent for mission-critical pieces of their operations. Events in late 2020 and early 2021 highlighted some of the risks and vulnerabilities that can come with this dependence. Whether it is supply chain risk, as demonstrated by the SolarWinds hack, or more traditional exploitation like that seen against Microsoft Exchange, as we all increasingly rely on trusted partners for our success, a critical look at existing and new strategies for securing our shared requirements becomes necessary.

Register at the link above by February 24, 2022 @ 12:00 pm

Op-ed | SOS Space: Why cybersecurity and supply chain risk management must go hand in hand

Op-ed | SOS Space: Why cybersecurity and supply chain risk management must go hand in hand – SpaceNews

There is little doubt that the domains of space and cyber are currently being contested through antagonistic behavior across the globe.

Near-peer adversaries have already strategically prioritized these as preferred domains of action, both in competition and conflict. Cyber-enabled supply chain attacks are increasingly and globally being used as a hybrid warfare tactic to provide advantages. Predictably, they afford adversaries a relatively cost-effective means of engagement, plausible deniability, and avoidance of the political backlash that inevitably results from lethal action and physical incursion. Considering the emphasis placed on these domains, the U.S. space, defense, and intelligence communities must concentrate efforts to safeguard space assets, preserve strategic and military advantages, and solidify national security and global stability. Cybersecurity and supply chain integrity must become integral and elevated concerns for the space community, as well as space consumers and strategic stakeholders.

Webinar on Updates to NIST SP 800-161 Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations

The NIST Cybersecurity Supply Chain Risk Management Team is hosting a webinar on December 1 to provide an overview of the changes made in its 2nd public draft of Special Publication 800-161, Revision 1, Cybersecurity Supply Chain Risk Management Practices for Systems and Organizations. NIST seeks to engage stakeholders to provide clarity, answer questions, and gather stakeholder comments and opinions to ensure that Revision 1 will deliver comprehensive and relevant cybersecurity supply chain risk management practices and guidance.

There will also be a panel of experts to discuss the new APPENDIX F: A Response to Executive Order 14028's Call to Publish Preliminary Guidelines for Enhancing Software Supply Chain Security, which seeks to provide a response to the directive outlined within Section 4(c) of the EO.

For additional information and to register, please visit: https://csrc.nist.gov/Events/2021/2nd-public-draft-sp-800-161-revision-1-workshop