Modern supply chain engineering and logistics can be traced back to WWII, when the U.S. government developed a system to get supplies and equipment to troops spread throughout the world quickly and efficiently. Supply chain engineering and logistics have drastically changed since, in large part thanks to e-commerce, the desire for self-service procurement, and the rapid growth of purchase order transactions. Because of these factors, consumers have become more vulnerable to data risks.
Vulnerabilities to data risks have led bad actors to pounce on weak links along the complicated supply chain. These bad actors have had long-term effects on both corporations and government entities – with recent attacks racking up nearly $100 billion in repairs. It’s imperative users constantly check risks associated with their supply chain. Without constant monitoring, entities can be left exposed.
Moving Software Procurement to the Cloud
Cloud has increased the modernization velocity at agencies, but the way software is procured has not evolved at the same pace. CIOs and developers alike want to increase the pace of cloud adoption, reduce approval times, and leverage industry-standard solutions. Finance and procurement personnel want to focus on cost effectiveness and acquisition simplicity.
However, one of the greatest hurdles to these goals is governance and compliance. Managing multiple cloud-based product subscriptions and entitlements across an agency or program is an intensive process, from obtaining the necessary security and compliance certifications to controlling costs as the number of child accounts grow.
“Many federal agencies are struggling with cloud adoption, especially finding and deploying the right mission-enabling software to run on top of the cloud,” said Mathew Soltis, vice president of cloud at General Dynamics Information Technology (GDIT).
A Secure Government Depends on a Secure Supply Chain
The recent Executive Order on cybersecurity calls for new criteria to evaluate the security practices of software developers and suppliers, and for the development of new tools to demonstrate conformance with secure practices. The Office of Management and Budget, the Cybersecurity and Infrastructure Security Agency, and the National Security Agency, have all recently released guidance around securing the software supply chain.
The private sector, which has more flexibility in procurement, has access to digital marketplace solutions that allow company IT teams to rapidly and securely introduce these solutions. These solutions are now coming to government agencies through GDIT’s AWS Private Marketplace.
“GDIT’s AWS Private Marketplace offers an end-to-end supply chain with the ability to find, subscribe, deploy and govern third-party software and solutions all in one place,” Soltis said. “Marketplace was designed for speed while also unlocking innovation with features that streamline procurement, automate provisioning, implement controls, and enable teams and their missions.”
To prevent exposure to bad actors, agencies should plan ahead and be aware of possible disruptions to the supply chain.
“Agencies need to build a strong relationship with their suppliers – it’s crucial to do this before supply chain issues start,” said Ken Bailey, senior business development manager at AWS. “If you know how your supplier operates, who they interact with, who they deliver to, and what their business practices are, you are more likely to have more visibility into potential threats. By exposing risk earlier, entities can make sure they are taking the correct steps to manage supply chain risk.”
Bringing Commercial and Emerging Tech with Government
Many agencies are already running cloud-native tools, but they need to complement those tools either with open source or third-party software. And to get that software, they need to procure it, buy it, install it themselves and manage it.
“GDIT’s AWS Private Marketplace has cloud-based solutions from thousands of independent software vendors,” said Soltis. “Procurement teams can quickly and easily refine catalogs to make agency-approved software and applications available to program teams through this Marketplace.”
Software is scanned for security compliance and billing, and metering and usage for paid software is integrated into the AWS customer bill. It allows customers to move quickly.
The platform provides a channel that documents attestations for secure development environments, such as the use of encryption, and appropriate monitoring and logging for those critical software components.
“By having identity and access management integrated into the GDIT’s AWS Marketplace, administrators can control not only who has the permission to access Marketplace, but also who has the ability to authorize procurements,” Bailey said.
Bridging Compliance with Innovation
Technology plays a leading role in the increase of cyber threats in the supply chain, but the same innovative technology is essential to driving critical agency missions forward. Governments need access to innovative technology that also focus on governance and compliance, as they relate to acquisition, in this case for software on the cloud.
To adhere to federal acquisition regulations (FAR), GDIT evaluates suppliers and subcontractors for risk, including cyber security risk, prior to point of procurement, Soltis notes. This enables appropriate monitoring and preventive action throughout the supplier life cycle.
The cloud by itself has several benefits to offer: it’s elastic, scalable and gives agencies the enhanced capabilities to accomplish goals.
“Treat cloud as a mission enabler to enhance your core capabilities, and you start to see all the components necessary to ensure you are leveraging cloud to its fullest potential for your agency,” said Bailey.