The U.S. Government’s current model for a cybersecurity workforce framework has a weak point. The model is called the NIST-NICE Cybersecurity Workforce Framework.
This framework is laid out in seven domains with 31 roles that attempt to describe all of the functions required to secure information. To be fair, the model seems to get most of those roles, functions and activities right. Where it fails, however, is in its lack of acknowledgement of the role that supply chain risk, and the presence of a secure acquisition process, plays in ensuring the overall security of information.
Most of the attacks in the SANS top 25 originate from defects in the computer code. A lack of rigorous testing and analysis, coupled with a reliance on a global supply chain, leaves a gaping hole in the oversight of secure software integration. And, given the old adage about chains and weak links, it will take only one incompetent supplier (or, even worse, a malicious one) to turn a safe system into one that is seriously exploitable.
• Microsoft issued 106 specific security updates in 2010, and by the end of the first two quarters of 2011 it had already issued 52 more
• Capers Jones indicates that there are roughly 4,500 – 7,500 defects in the average commercial application that are unfound and unfixed, 900-1,500 of which could be considered “show stopper” avenues of attack for hackers
• On average there are 5 defects per function point (FP) in a commercial application (4 in a Web application, 7 in a military application)
In the Cybersecurity/Information Systems Security Management role, within the Operate and Maintain domain, there is nothing more than a passing reference to “procurement duties”. That short phrase amounts to everything the model has to say about how to protect against supply chain risk. Given the importance of ensuring the security of acquired products and services, and the wealth of commonly accepted knowledge available on the subject, it is not too late to do the right thing.