The U.S. Cybersecurity and Infrastructure Security Agency (CISA) has issued an alert to urge critical infrastructure organizations to scope their environments for communications equipment deemed to pose high risk.
The Federal Communications Commission (FCC) maintains a list of equipment and services covered by Section 2 of The Secure Networks Act for communications equipment and services that have been determined by the U.S. government to pose an unacceptable risk to national security or to the security and safety of United States persons pursuant to the Secure and Trusted Communications Networks Act of 2019.
"CISA reminds all critical infrastructure owners and operators to take necessary steps in securing the nation's most critical supply chains. CISA urges organizations to incorporate the Covered List into their supply chain risk management efforts," CISA notes.
Here are some comments on the alert from cybersecurity vendor experts.
Timothy Morris, Chief Security Advisor at Tanium:
"While it seems like common sense that every enterprise, especially critical infrastructure, would not use devices on the 'covered list,' the fact is that new devices are added to the list. These are to protect U.S. national security. Sadly, most organizations do not have accurate inventories of all the devices connected to their networks, so the ability to identify everything in their supply chain can seem elusive.
Every security and IT program has to begin with accurate inventory (i.e. NIST 101). Once that is done identifying riskier devices becomes easier. Supply chain risk can be reduced by scanning the environment to discover and remove those on the list. It is not a one and done operation. It has to be continuous and part of every process. This includes identifying procurement channels to avoid acquiring those items, robust hardware/software management, vulnerability scans, etc. The Cybersecurity Supply Chain Risk Management Practices outlined by CSRC/NIST can be part of a comprehensive third-party risk management program."
"To minimize threat risks from fourth and fifth parties in the supply chain, organizations should implement robust vendor management practices, including due diligence, security posture monitoring, and clear communication channels. Additionally, vendors should be required to disclose their use of open source code and provide a Software Bill of Materials (SBOM) to identify potential vulnerabilities and dependencies. Contractual agreements with vendors should address security requirements and hold them accountable for their supply chain security. Adopting a risk-based approach to supply chain management, prioritizing high-risk suppliers and components, and regularly reviewing and updating risk management strategies will help organizations stay ahead of emerging threats and vulnerabilities."
RELATED: Deron McElroy, Chief of Cybersecurity for CISA, will speak at SecureWorld Houston on May 18th on "Becoming Cyber Resilient with CISA." Alex Joves, Region 5 Regional Director for CISA, will present to attendees at SecureWorld Chicago on June 8th, providing information on CISA services, partnerships, and updates on the threat landscape from the agency's perspective.
To learn more about CISA's supply chain efforts and to view resources, visit its page about the sixth annual Supply Chain Integrity Month, which was in April.