CISA Creates New Office to Help Agencies Implement Supply Chain Security Practices

The Cybersecurity and Infrastructure Security Agency is setting up a supply chain risk management office to help agencies, industry and other partners comply with the latest guidance and policies for security IT supply chains. CISA’s project management office for cyber supply chain risk management is being headed by Shon Lyublanovits, a former official at the General Services Administration.

In a recent GovExec event, Lyublanovits said some agencies find it difficult to manage supply chain risks because they do not know how the process would begin or because of funding issues that prevent them from hiring people with knowledge of managing IT risks, Federal News Network reported.

CISA is expected to launch training courses for supply chain risk management later in 2023 to help address the challenges agencies and other organizations face. It will also conduct roundtables focused on operationalizing cybersecurity supply chain risk management, Lyublanovits said.

The Government Accountability Office revealed in a 2020 report that a lack of federal guidance resulted in the failure to implement supply chain security practices at major agencies.

In view of the difficulties in employing an effective approach to managing risks, the National Institute for Standards and Technology published guidance to help organizations identify and assess malicious functionality, counterfeit components or other vulnerabilities in IT products.

The National Counterintelligence and Security Center previously released a document highlighting the importance of reducing threats to U.S. supply chains, saying that it would prevent adversaries from compromising the integrity, trustworthiness and authenticity of products and services purchased and integrated into critical networks and systems and weapon platforms.