Software & Supply Chain Assurance

crookpatedspongy: Software and s/w Development

Dec 2, 2013 (3 years and 11 months ago)


KDP-1: Integrate supply chain knowledge into secure solutions concepts

Evaluate supply chain threats with respect to the set of possible solutions under consideration.

Make decisions about the level of acceptable supply chain risks and the acceptable costs of security.

Align the acquisition roadmap with the key decision points and require SCRM assessments.

Example Laws, Regulations, and/or Standards: FISMA (§ 3544(b)(2)(C)) makes system owners accountable for information security throughout the lifecycle; FIPS 200 (3) requires minimum security standards for acquisitions; SP 800-37 (3.2) provides for security controls to be selected based on system risk; KDP-1 maps to the SDLC Initiation phase as outlined in Section 3.1 of NIST SP 800-64.


KDP-2: Incorporate SCRM into Acquisition Requirements

Determine the costs of supply chain security; maximize the requirements for low-cost, high-risk-reduction security measures. Comply with decisions from KDP-1.

Make decisions about specific SCRM requirements (in the context of KDP-1 decisions).

Incorporate adequate SCRM into requirements to assure that responses address SCRM.

Example Laws, Regulations, and/or Standards: SP 800-70 (4.1) calls for a requirements analysis (including security requirements) before selecting an information systems product; IR 7622 (4) designates supply chain controls; KDP-2 maps to the SDLC Development/Acquisition phase, as outlined in Section 3.2 of NIST SP 800-64.


KDP-3: Evaluate Proposals for SCRM Capabilities

Evaluate proposals against the supply chain security requirements from KDP-2.

Determine the extent to which proposals satisfy SCRM-related acquisition requirements.

Example Laws, Regulations, and/or Standards: SP 800-53 (SA-12): The organization conducts a due diligence review of suppliers prior to entering into contractual agreements to acquire ICT components; KDP-3 maps to the SDLC Development/Acquisition phase, as outlined in Section 3.2 of NIST SP 800-64.


KDP-4: Incorporate Threat Assessments and Evaluate Capability to Mitigate Residual Risks

Specify requirements for, and incorporate, threat assessments that provide the acquiring organization with information that guides the selection, selection with mitigations, or elimination of proposals.

Make decisions to reduce the risk that an offeror will expose the organization to ICT supply chain threats (based on KDP-3 results and threat assessments), by putting contracts, controls, and security in place that will monitor for, and add adequate resilience in spite of, residual supply chain risk.

Example Laws, Regulations, and/or Standards: SP 800-53 (SA-5): Incorporate SCRM assessments into all requirements and processes to protect acquirer mission/business practices against compromise; KDP-4 maps to the SDLC Development/Acquisition and Implementation/Assessment phases, as outlined in Sections 3.2 and 3.3 of NIST SP 800-64.


KDP-5: Incorporate SCRM Measures into Overall ICT Security

Ensure that metrics and information sharing protocols can identify threats with a supply chain nexus.

Perform acceptance testing and develop continuous certification and testing processes for maintenance, upgrades, and system augmentations.

Ensure that system acquisition records and designs can be made available to incident response or forensic teams investigating supply chain risks.

Ensure proper disposal so that disposed items do not intentionally or inadvertently make their way back into the supply chain.

Example Laws, Regulations, and/or Standards: SP 800-39 (2.1): As risks of advanced persistent threats become more pronounced, organizations establish practices for sharing information related to system development; KDP-5 maps to the SDLC Operations and Maintenance, and Disposal phases, as outlined in Sections 3.4 and 3.5 of NIST SP 800-64.

… But The Risks Can Be Mitigated at Key Decision Points (KDPs)

Supply Chain Risk Management (SCRM) is a decision-making process that can reduce risks associated with ICT throughout the acquisition process. A lifecycle-based approach to SCRM requires risk decisions at key decision points in the acquirers’ system development and acquisition process. These KDPs are plotted on the ICT lifecycle in Figure 5 and summarized below. Each KDP addresses specific governance and operations across the lifecycle to cost-effectively manage supply chain risks. To be effective, acquirers, suppliers, service providers, and other stakeholders must share information about KDP outcomes to manage risk. Tools are created to implement these methods, reduce total lifecycle costs, and share information.

Figure 5. KDPs extend consideration of SCRM concepts to earlier stages of the lifecycle to more effectively integrate systems risk and security operations.

RETURN ON SCRM INVESTMENT

Early-in-lifecycle investments in SCRM decrease the cyber risks that result from poorly or maliciously designed hardware and software, and will ultimately result in decreased expected costs of response, retrofit, and network reconstitution. Conversely, avoidance of SCRM costs in early system development stages will require more sophisticated monitoring and cyber intelligence capabilities to avoid loss of essential functions. To achieve the best return on investment, SCRM activities must be embedded in and aligned with the overall network security strategy and operations.


As of Jan 2013

For more information see DHS NPPD CS&C SECIR Software & Supply Chain Assurance resources at https://buildsecurityin.us-cert.gov/swa