Case study

How federal agencies are reducing cybersecurity risk from suppliers

Building and streamlining C-SCRM capabilities for a hyper-federated federal organization through the lens of people, process and technology

The better the question

What risks are suppliers introducing to your organization?

Early detection of supplier risks will enable risk-informed decisions.

New technologies are accelerating the pace of digital change and the broad-scale use of automation, data analytics and the cloud. Government and public sector organizations are increasingly concerned about their resiliency capabilities and are looking to provide a safer, more secure and affordable approach to managing their systems and data. A breach from a supplier or third party could be one of the greatest risks they face.

A federal agency engaged Ernst & Young LLP (EY US) to establish its enterprise cyber supply chain risk management (C-SCRM) program, focusing on helping leaders make risk-informed supplier decisions, reduce supplier risks and meet multiple federal compliance requirements. Doing business with a supplier that provides services, products or software and – knowingly or unknowingly – could be breached presents a major risk. This may result in financial loss, intelligence leaks, stolen intellectual property or reputational harm.

With a focus on information, communication and technology (ICT) and other department services and products, the federal agency wanted a better understanding of the potential risk that a supplier could pose to the organization across multiple risk lenses, such as cybersecurity and foreign interest. By understanding the potential risk, a leader will be able to make a risk-informed decision prior to securing a procurement.

In addition to the risk elements, there are many regulations and executive actions designed to protect organizations from breaches or supply chain attacks. Both risk and regulatory compliance have driven C-SCRM to be a top concern for this entity and other federal agencies today.

The better the answer

Enterprise C-SCRM services drive results and reduce supplier risk

Establish the processes. Train people. Apply technology and the right tools. Focus on what’s important.

EY US is recognized for its extensive risk and regulatory experience, system implementation and superior service delivery in SCRM services. It brought these capabilities to its engagement with a federal agency.

The EY approach helped the entity establish the processes and implement a C-SCRM program by driving innovation and leveraging two leading-edge technology platforms:

Supplier assessment platform

Utilizing commercial best practices honed from 15+ years of experience, EY teams developed tailored processes and implemented a supporting technology solution for this federal agency. The SCRM processes are risk-based so that the level of diligence conducted increases based on the risk the supplier presents to the organization. The established process is accompanied by the ServiceNow Vendor Risk Management application, which EY teams tailored to:

  1. Meet federal requirements while driving efficiency through an easy-to-use process
  2. Enable entity customization to meet the needs of a hyper-federated federal department made up of more than 50 independent entities
  3. Establish a centralized data set of supplier information providing enterprise visibility

The combination of best-in-class processes and a tailored technology solution set a new standard that government agencies are able to use to establish a leading-class C-SCRM program.

Business Relationship Economic and Threat Analysis

Business Relationship Economic and Threat Analysis (BRETA) is an automated tool that enables risk scoring by culling publicly and commercially available data sources from government and public sector resources to assess risks. It provides a multidimensional overview of threats in business relationships across six categories: financial, cybersecurity, geopolitical, technical, supply chain, and regulatory and compliance.

Working with the federal agency, EY teams used BRETA in combination with government data sources and analysts, conducting a detailed C-SCRM assessment to identify potential threats, monitor suppliers and offer actionable insights for risk mitigation. 

A more resilient supplier ecosystem

From a risk perspective, the federal agency is now able to:

  1. Make informed, risk-based decisions. Prior to acquiring products and services, the agency can now assess suppliers against multiple risk levels while addressing the impact on the organization.
  2. Reduce risk and provide secure, quality services. Through risk-based decisions, ongoing supplier monitoring and risk remediation, the agency can avoid working with suppliers that present an unacceptable risk to the enterprise. This helps improve supplier security and prevent supplier breaches that could have a large-scale impact on the department.
  3. Meet federal compliance. In response to recent breaches in the supply chain, regulators have stepped in and introduced new regulatory requirements. The C-SCRM program is helping this federal agency meet and exceed numerous SCRM federal laws, regulations and standards while promoting transparency and better decision-making in governance, risk and compliance.

SCRM programs are essential to improving the overall cyber posture of an organization. What makes this solution so compelling is the speed with which a program can be stood up, the unique risk assessment capability of the BRETA tool, the alignment to NIST compliance standards and, ultimately, the ongoing monitoring capability to capture new risks over time.

The better the world works

Understand the threats. Measure the risks.

Delivering an enterprise service that integrates risk assessment and risk treatment into the supplier management life cycle

EY teams worked with a federal agency to define what would become its end-to-end process: a risk-based assessment process, entity onboarding, monitoring activities, mitigating identified risks, handling new requests for suppliers, training users and suppliers, and integrating the service with entities outside of the CISO's organization. The integration helped with change management efforts by embedding the C-SCRM services into existing procurement approval processes (e.g., the Federal Information Technology Acquisition Reform Act) and helped enrich the assessments by enabling intelligence teams to conduct a classified evaluation of high-risk suppliers.

After more than two years supporting this agency, EY teams have assessed over 2,000 supplier ICT or other department products and services. The C-SCRM assessments have helped change behavior while meeting government C-SCRM program requirements. Before the C-SCRM program, entities had limited ability to assess a supplier and were essentially “accepting” the risks present within the supplier; now leaders can make risk-informed decisions.

This was one of the first federal government agencies to stand up a C-SCRM program, and it is helping to set a standard for other government entities as they build their own programs to manage supplier cybersecurity risks at an enterprise level.

Our clients are facing increased uncertainty and disruptions, which is driving them to reassess their strategic imperatives and think differently about their operating environments. EY BRETA, coupled with our people, skills and experience, enables them to assess and monitor potential threats to their businesses and transform their decision-making from reactive to proactive.
