What is Supply Chain Security? Learn about the Risks

Today's organizations struggle with a paradox: we live in the most technologically advanced period of history. Yet, while we all use technology to make our personal and professional lives better, our trust in those technologies has never been lower.

This is a major problem for government contractors who are handling classified or controlled unclassified information (CUI) - especially those in the defense industrial base (DIB). Targeted cyberattacks, ransomware, and foreign espionage are just a few of the security threats they must fend off on a daily basis.

As the cyberthreat landscape advances, Epoch Concepts is committed to providing our clients with high-trust solutions and employing supply chain risk management (SCRM) principles from development through implementation. To explain how, first we must explain what supply chain security is and why it matters so much to modern federal contractors.

Supply Chain Risk: A Primer

2021 has been a major year for cyberattacks across every category, some of them orchestrated through common software vendors. The unprecedented scale of these attacks has drawn much needed attention to supply chain security and third-party risk.

Today, government agencies and enterprises alike depend on hundreds of third-party suppliers to drive business functionality and essential processes. But it doesn't stop at software: physical hardware like servers, networking and communications equipment requires third-party manufacturers, resellers and technicians too.

So, what’s the problem? At the point of manufacturing, design oversights can lead to out-of-the-box security flaws. Before a product reaches customers, it can also be compromised through the introduction of rogue chips and the injection of malicious code.

Top Risk Drivers

The incidence of supply chain attacks has risen dramatically in recent years, leading to increased vigilance from legislators and industry professionals. At least three factors are largely responsible for this rise:

• Reliance on global suppliers – in a 2018 presentation for Lockheed Martin, the MITRE corporation asserted that: “Most [off-the-shelf] electronics used in [Department of Defense] systems are fabricated overseas” – this creates a “significant risk from tamper“ for products en route to the U.S.
• Substandard design – in competitive industries, products are often rushed to market leading to major security oversights. The Cybersecurity and Infrastructure Agency (CISA) lists poorly designed hardware as the second greatest supply chain threat – this has become a particular concern for “Internet of Things” (IoT) devices.
• Increased connectivity – today’s organizations include more networked devices than ever before, exacerbating the impact of a single vulnerable device. Cyber actors can use a weak entry point to move laterally through an otherwise secure system (sometimes called “island hopping”).

Ultimately, just like one vulnerable device can cause a weak link in an organization’s IT ecosystem, a single poor vendor can become the weak link in your hardware or software supply chain.

Recent Legislation

Prior to 2020, the U.S Government Accountability Office (GAO) issued a series of recommendations regarding supply chain security in 2018. Later that year, the Federal Acquisition Supply Chain Security Act passed into law, requiring that government agencies assess and meaningfully address supply chain risks.

In December 2020, the GAO issued another 145 recommendations to 23 government agencies – but as of summer 2021, none of the agencies were in full compliance. This prompted the Biden administration to issue Executive order 14028, titled ‘Executive Order on Improving the Nation’s Cybersecurity’.

Under the new order, government agencies must exercise greater vigilance in protecting their software supply chains. In response, the National Institute of Standards and Technology (NIST) produced guidelines for software testing and use, which will likely become federal policy. Until then, supply chain security is the order of the day – and Epoch Concepts is one step ahead.

How We Protect Our Supply Chain

To ensure compliance with security specifications and quality standards, we vet our partners carefully and monitor our technology components as they pass hands from manufacturing to final delivery.

Choosing Vendors

The single most important principle of SCRM is trust. We do not partner with a product vendor or OEM unless they demonstrate a commitment to manufacturing quality, secure product design, and delivery. Important criteria include:

• Security controls – we expect our technology components to be tamper-resistant until they reach our assembly floor. This can be achieved through controls like high-security encryption, UEFI mode for computer components with OEM software, chassis intrusion detection, and more.
• Cybersecurity compliance – we look for vendors who are compliant with supply chain security legislation and more general cybersecurity standards, including the Defense Federal Acquisition Regulation Supplement (DFARS), Federal Information Security Modernization Act (FISMA) and more.
• Direct delivery –we expect hardware to reach us directly from the manufacturer or reseller, without middlemen or unnecessary stops.

Responsible Handling

As value-added resellers, we hold ourselves to the same strict standards that we apply to our partners.

1. Integration and assembly
   We receive all technology components at a dedicated and secure integration facility. There, we begin assembly and preparation of technology solutions. Based on client request, we may load custom, secure software images onto servers and other computer equipment.
   After assembly, we test devices for faults and hardware failures through system burn-in, which involves powering up and extensive testing. Ahead of delivery, we replace any failed components and ensure our solutions are in perfect working order.
2. Protected access
   While they are still on the assembly floor, we continuously monitor technology components to prevent unauthorized access through an active security team, CCTV footage and other automated security controls. When assembly is completed, the components move straight to shipping.
3. Tamper-free delivery
   We provide our clients with direct shipping on sealed trucks to prevent unauthorized access between departure and arrival. Before delivery, we take high-definition pictures of cargo and use tamper-evident tape to ensure that it arrives exactly as it was sent. We strive for total transparency throughout the delivery process to build trust and maintain our high standards of security.
4. ISO 900:2015 compliance
   Epoch Concepts is certified under International Standards Organization (ISO) 9001:2015, Quality management systems. Sections 8.4-8.5  of ISO 9001:2015 include regulations for vendor selection and approval, control of external providers and preservation of outputs during handling and transmission. Our training and expertise ensure that we deliver the highest industry standards for service provisioning and customer satisfaction.

Conclusion

At Epoch Concepts, we design, source and integrate solutions to empower our customers. From storage to infrastructure, cybersecurity and cloud solutions, we architect fully customizable IT solutions and offer continual customer support. Above all, we put the security of our customers first and work to create an impenetrable supply chain they can trust. In a cybersecurity landscape full of risk, Epoch Concepts is here to give you peace of mind and help you every step of the way. Contact us to learn more.