Supply Chain Security Awareness Part 2: Legislation and Regulations

The newest US laws and measures that support secure supply chains 

In Part 1 of this three-part series on supply chain security, we looked at several of the forces weakening the global supply chain discussed at RSA Conference 2021. First, we broke down the largest attack on the United States’ supply chain to date, the SolarWinds breach. Then it was on to discuss the impact of geopolitical conflict, the pandemic and the increased volume and sophistication of cyberattacks on the supply chain.

After combing through the supply chain vulnerabilities and risks organizations faced over the past 14 months, it’s time to examine the latest US legislation and regulations discussed at RSA Conference that support stronger supply chain security. Finally, in Part 3, we’ll explore how the security industry can prepare for compliance and incorporate forward-thinking supply chain security measures in the months and years ahead.

Buckle your seatbelts. Let’s dive into Part 2 of “Supply Chain Security Awareness.”

Legislation

At RSA Conference, Director of Cybercrime at INTERPOL Craig Jones remarked that when people experience a real-world crime, they know to call the police. But if they’re victims of cybercrime, they typically avoid law enforcement in favor of their IT guy. When it comes to supply chain security, how do we bring together the cyber first responders?

One way is through legislation. While the US government has historically lagged on technology regulation, the pace has quickened recently with several new state and federal laws introduced to improve cybersecurity and data privacy, as well as bring together disparate groups for better security alignment—particularly for those devices and software used in supply chains. Here are some of the bills that were discussed at RSA Conference.

On May 12, President Joe Biden signed an Executive Order (EO) with sweeping proposals to upgrade federal cybersecurity, including major changes to the federal government’s procurement processes, such as requiring that suppliers provide a software bill of materials (SBOM) to help organizations manage risk and learn which vulnerabilities exist in the products they use.

In addition, the EO includes a set of criteria to evaluate the security practices of developers and suppliers. It proposes a labeling system to identify vendors that have gone above and beyond the baseline, essentially codifying resilience as a competitive edge.

The IoT Cybersecurity Improvement Act, meanwhile, aims to tighten up standards for IoT devices owned or operated by the federal government. The bill directs the National Institute of Standards and Technology (NIST) to draft and publish IoT standards with a focus on secure development, identity management, patching and configuration. After NIST publishes its standards and guidelines, contractors and vendors must follow up by publishing coordinated vulnerability disclosure policies.

Other relevant regulation recently introduced includes various state data privacy laws, such as the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA) and Virginia’s Consumer Data Protection Act, which passed in February 2021. Since the CCPA was introduced in 2018, 29 other states have proposed data privacy bills mostly centered on consumer data rights.

In March 2021, a federal data privacy law was introduced that, if passed, would provide organizations with a consistent, comprehensive national data privacy infrastructure for consumers. In preparation for these data privacy laws, organizations should begin a dialogue with their data teams to assess risk and ensure compliance. How companies organize and protect their consumer data impacts data access, storage and transfer across the enterprise.

Regulations

At the crossroads between the global weaponization of cyber and trade are the technologies used by suppliers and the organizations that employ them. As we learned in Part 1 of this series, a major risk factor in sharing data across technology platforms with suppliers is the unknown degree to which that data is secure and private—especially at the sub-tier level.

That risk is further elevated when sharing data with international entities known to use digital information technology to surveil, repress and manipulate domestic and foreign groups. Recent regulations and sanctions by the Departments of Defense, Treasury and Commerce on industrial suppliers (primarily in China) therefore help to reduce digital supply chain risk as well as physical supply chain risk.

According to Andrea Little Limbago, Ph.D., Vice President, Research and Methodology at Interos, in her presentation, “Supply Chain Resilience in a Time of Techtonic Geopolitical Shifts,” the US is increasingly employing industrial policy as a tool of economic statecraft. In 2019, the Department of Defense levied prohibitions on five Chinese companies and their affiliates. That same year, the Department of Treasury doled out financial penalties exceeding $1 billion.

Between 2019 and 2020, the Department of Commerce added over 350 Chinese-based companies to a list of those not allowed to be in the supply chain for such violations as creating weapons of mass destruction, human rights concerns and tech surveillance. In 2021, expect more companies to be added from countries outside of China, such as Russia and Saudi Arabia.

Thankfully, over the past year, US organizations have begun shifting business away from China to more resilient locations. Fifty percent of companies are looking for alternative or backup suppliers, and 24 percent are relocating their supply chains.

Between federal and state laws regulating procurement processes, data privacy and access management, and even secure development, organizations will have their hands full with domestic compliance alone. Add to that keeping an eye on the Departments of Commerce, Treasury and Defense’s lists of prohibited suppliers, and it’s looking to be another insane year for enterprise cybersecurity.

However, it’s important to keep in mind that the standards put forth by these bills and regulations often represent a minimum-security requirement for organizations. For a more comprehensive look at which measures industry experts recommended at RSA Conference to strengthen supply chain security, tune in for Part 3 of our series on “Supply Chain Security Awareness.”
