Page 1

Supply Chain Risk Management in the United States

June 2020

Page 2

Presenters

Danielle Kriz, Senior Director, Global Policy

Palo Alto Networks

Coleman Mehta, Senior Director, U.S. Policy

Palo Alto Networks

Page 3

● Today’s briefing is part of a series of briefings Palo Alto Networks U.S. colleagues have provided over the last few years for our Japanese government and industry colleagues about cybersecurity activities in the United States

● We typically provide these briefings in-person in Tokyo (last series was November 2019)

● During this Covid-19 crisis, we are pleased to be able to continue to share our experiences with you via VC

● A virtual discussion allows us to include additional Palo Alto Networks U.S.-based experts in the discussion

● We will present for 50 minutes, followed by Q&A (please submit via chat)

About this Palo Alto Networks Briefing

3 | © 2020 Palo Alto Networks, Inc. All rights reserved.

Page 4

● How the U.S. Government Views Vulnerabilities and Threats in the ICT Supply Chain

● The U.S. Legal and Policy Framework for Government Actions

● The Role of Public-Private Partnerships: ICT Supply Chain Risk Management Task Force

● CMMC: New Certification Requirement for U.S. Department of Defense Procurements

● Current Implementation Status of U.S. Government Supply Chain Initiatives

● Palo Alto Networks’ Supply Chain Best Practices

Topics to Cover


Page 5

● What is the Information and Communications Technology (ICT) supply chain?

○ A complex, globally interconnected system of third-party vendors, suppliers, and service providers that manage the entire life cycle of ICT hardware and software.

● What is the risk to the ICT supply chain?

○ Government officials in the United States assess that adversarial nations are seeking to take advantage of vulnerabilities for espionage, sabotage, or other malicious activities.

○ Malicious actors exploit vulnerabilities in third-party suppliers. By doing so, they can gain access to sensitive information.

● In summary:

○ The U.S. Department of Homeland Security calls ICT supply chains a “principal attack vector” for adversarial nations seeking to steal or disrupt U.S. intellectual property.

Vulnerabilities and Threats in the ICT Supply Chain


Page 6

● The United States has a legal and policy framework to mitigate ICT supply chain risks.

● In general, these laws and policies have two goals:

○ Identify specific risky technologies and remove or exclude them from United States IT networks, and

○ Strengthen partnerships between government and industry to collectively reduce supply chain risks.

● Examples of relevant laws and government orders:

○ SECURE Technology Act of 2018

○ National Defense Authorization Act for 2019

○ Executive Order on Securing the Information and Communications Technology and Services Supply Chain, 2019

Legal and Policy Framework for U.S. Government Actions


Page 7

● U.S. government officials may:

○ Determine whether certain technologies are too risky to be used in U.S. government IT networks. If so, exclude them from procurements or remove them from current use.

○ Prohibit the U.S. government from acquiring an IT product from any company that has shared its source code with “countries of concern.”

○ Prohibit the U.S. government from acquiring certain telecommunications equipment/services from Kaspersky Labs, Huawei, ZTE.

○ Prohibit any transaction (acquisition, transfer or use of technology) related to ICT products or services, if the transaction poses an undue risk of sabotage.

Goal 1: Identify specific risky technologies and remove or exclude them from United States Government IT networks


Page 8

● How do industry and government in the United States partner to collectively reduce supply chain risks? The U.S. government is required to:

○ Identify best practices for reducing supply chain risks.

○ Recommend policies to incentivize industry adoption of those best practices. For instance, procurement preferences.

○ Share information related to supply chain threats with industry.

○ Develop public-private partnerships. For instance, the joint government-industry Supply Chain Risk Management Task Force.

○ Cybersecurity Maturity Model Certification (CMMC): New Certification Requirement for Defense Procurements

Goal 2: Strengthen partnerships between government and industry to collectively reduce supply chain risks.


Page 9

● The ICT Supply Chain Risk Management Task Force was created in 2018, bringing together industry and government (DHS), to recommend policies to:

○ Understand and evaluate supply chain threats;

○ Determine how best to share supply chain risk information between government and industry;

○ Identify criteria for Qualified Bidder Lists in government procurements; and,

○ Guard against counterfeit suppliers of ICT products.

● Palo Alto Networks sits on the Task Force’s executive committee.

ICT Supply Chain Risk Management Task Force


Page 10

● U.S. Department of Defense created a new certification requirement for safe handling of sensitive information by defense contractors: Cybersecurity Maturity Model Certification (CMMC)

○ Previously, procurements were judged based on three factors: cost, schedule, and performance.

○ Now, security is a foundational requirement. It must be met prior to reviewing these three factors.

● CMMC establishes security maturity levels for defense contractors. CMMC requires a third-party audit to attain a maturity level.

● The level of maturity required is dependent on the sensitivity of information that is handled.

CMMC: New Certification Requirement for Defense Procurements


Page 11

● Most of these activities are not finalized - they are “In Progress”

● Goal 1: Identify specific risky technologies and remove or exclude them from United States government IT networks

○ Determine whether certain technologies are too risky to be used in U.S. government IT networks. If so, exclude them from procurements or remove them from current use. Not yet finalized.

○ Prohibit the U.S. government from acquiring an IT product from any company that has shared its source code with “countries of concern.” Not yet finalized.

○ Prohibit the U.S. government from acquiring certain telecommunications equipment/services from Kaspersky Labs, Huawei, ZTE. Partially complete. Delay in fully banning Huawei, ZTE.

○ Prohibit any transaction (acquisition, transfer or use of technology) related to ICT products or services, if the transaction poses an undue risk of sabotage. Not yet finalized.

Current Implementation Status of Supply Chain Initiatives


Page 12

● Most of these activities are not finalized - they are “In Progress”

● Goal 2: Strengthen partnerships between government and industry to collectively reduce supply chain risks

○ Identify best practices for reducing supply chain risks. Not yet finalized.

○ Recommend policies to incentivize industry adoption of those best practices. For instance, procurement preferences. Not yet finalized.

○ Share information related to supply chain threats with industry. Not yet finalized.

○ Develop public-private partnerships. For instance, the joint government-industry Supply Chain Risk Management Task Force. Task Force recommendations expected Autumn 2020.

○ CMMC: New Certification Requirement for Defense Procurements. Autumn 2020.

Current Implementation Status of Supply Chain Initiatives


Page 13

● More detail on the CMMC implementation.

● Industry supports the goal of more accountability for safely processing sensitive information.

● However, the auditing process for companies to certify their maturity levels is not complete.

● Industry’s perspective:

○ Certifications should demonstrate a company’s security capabilities, not be a checklist of practices.

○ If a company already has a similar certification, such as FedRAMP, that should be sufficient.

Current Implementation Status of Supply Chain Initiatives


Page 14

● In February 2020, the U.S. National Institute of Standards and Technology (NIST) published a case study to highlight Palo Alto Networks’ strong supply chain practices.

○ Organizational focus on end-to-end risk management. We identify supply chain risks across our entire product lifecycle and take proactive action.

○ Strong supplier management.

○ U.S.-based manufacturing of our next generation firewalls, which enables us to more easily manage personnel, facility and product security.

○ Active engagement in public-private partnerships.

○ Finally, executive management buy-in ensures coordination across our business.

NIST Case Study: Palo Alto Networks’ Supply Chain Best Practices


https://csrc.nist.gov/publications/detail/white-paper/2020/02/04/case-studies-in-cyber-scrm-palo-alto-networks-inc/final

Page 15

Thank you (ありがとうございます)

Questions? Coleman Mehta, Senior Director, U.S. Policy, [email protected], @PANWGovPolicy

paloaltonetworks.com