The U.S. Government's Battle Plan to Fortify Supply Chains | Focal Point – Tanium
A flurry of guidance from the federal government has captured the attention of agencies and private organizations alike. Here’s what security executives need to know.
Toyota Motors supplier Kojima Industries faced a reported cyberattack in February that forced the suspension of 28 Toyota production lines across 14 plants, severely interrupting the supply chain. Four months later, in yet another supply chain disruption, Japanese automotive hose maker Nichirin reported that a U.S. subsidiary had fallen victim to a ransomware attack, forcing the manufacturer to take its network offline and limit the number of specialized components it produced.
Supply chain attacks like these are on the rise, research shows—and the U.S. government is taking notice.
In May, the National Institute of Standards and Technology (NIST) released a 326-page framework on securing supply chains against cyberattacks, and in July the Cyber Safety Review Board (CSRB) issued a report with cybersecurity recommendations based on its review of the Log4j vulnerability. Most recently, the Office of Management and Budget (OMB) published guidance requiring federal agencies to use only software built in line with common secure development practices. In a related move, the SEC has proposed rules under which top executives at public companies, and their boards, would have to disclose material cybersecurity incidents quickly and strengthen their organizations’ oversight of security.
The recent avalanche of government recommendations is noteworthy, says Kate Ledesma, senior director for partnerships and government affairs at cybersecurity ratings company SecurityScorecard. The guidance comes on the heels of a number of significant cybersecurity incidents over the past few years—including the Log4j and SolarWinds hacks. These events have galvanized executive- and board-level attention about the importance of secure software development and other digital security practices, she says.
“Now the government is saying that in order to do business with us, we want to see these things from you, which is really moving the entire industry forward,” Ledesma says. “The products that are used by the government will have this baseline of security built in, which helps everybody who is buying, even outside the government. They’re signaling that everyone in the ecosystem—not just the public sector—is watching and dealing with these issues, and they’re moving the needle on security for everyone.”
Ledesma shared four takeaways from the recent government guidance, as well as her own expert advice about how organizations can adapt.
Over the past few years, more organizations are experiencing a shift from prioritizing software functionality to prioritizing software security, Ledesma says. In a press release from the White House about the new security guidance from OMB, Chris DeRusha, federal CISO and deputy national cyber director, underscored this priority: “Not too long ago, the only real criteria for the quality of a piece of software was whether it worked as advertised,” he wrote. “With the cyber threats facing federal agencies, our technology must be developed in a way that makes it resilient and secure, ensuring the delivery of critical services to the American people while protecting the data of the American public and guarding against foreign adversaries.”
Ledesma says that software developers should adopt practices consistent with the NIST Secure Software Development Framework (SSDF). The framework stresses a whole-organization approach, she adds, in which secure software development is no longer the sole responsibility of developers. “Everyone—the vendors, users, and buyers—needs to work together to have the tools and frameworks to deal with this,” she says.
Organizations must prioritize documenting and demonstrating consistency in secure software development, Ledesma says. The White House, for example, recently tasked CISA, working with OMB, to create a common self-attestation form that software vendors must complete to show that the software they sell to the government was developed in line with NIST’s guidance.
Ledesma says this move comes as part of an effort to streamline how users and government agencies describe their security. “Organization A and organization B might say things two different ways, but are they the same thing?” she says. “Are their practices as secure as each other’s? This self-attestation is really going to help users—and especially agencies—compare apples to apples.”
The NIST framework calls for automation to reduce manual effort, improve accuracy, and make repeatable processes consistent. This includes tracking workflows, signing build and release artifacts so that the record of what was produced cannot be altered unnoticed, continuously monitoring development tools, and logging tool-related operational and security issues. Ledesma says that automation is the only way for organizations to operate at the scale and speed required today.
“It’s about giving both vendors and software purchasers the tools to make risk assessments and validate whether software products are secure,” she says. “Simply operational isn’t good enough anymore—tools must be both operational and secure.”
The NIST framework is focused on outcomes but isn’t prescriptive about how to achieve them. It also encourages organizations to adopt a risk-based approach and customize their strategy as appropriate. Ledesma says that while the concept of outcome-based practices isn’t new, it’s certainly not easy: “The NIST framework helps provide all organizations in the ecosystem a shared starting point and helps us all to be speaking the same language.”
The value organizations derive from the government guidance will depend on the maturity of their security practices, Ledesma adds. Less-sophisticated organizations might start by creating a foundational framework for processes and procedures, while more advanced organizations can progress through the framework to refine and develop their processes and procedures even further.
“The NIST framework is really about one thing: security,” she says. “And it’s about an ecosystem of security because, as we know, one organization’s security practices affect their partner, vendor, and customer security, since they connect. The government’s guidance raises the bar for everybody.”
Kristin Burnham is a freelance journalist covering IT, business technology, and leadership.