Training

CISA to put out bids for supply chain predictive tool, national exercise support

A Ugandan factory worker assembles a mobile phone mother board on December 02, 2019 in Namanve, Uganda. Mapping out weaknesses and interdependencies in the information communications technology supply chain will be among several new requirements that CISA will seek to bid out early next year. (Photo by Luke Dray/Getty Images)

The Cybersecurity and Infrastructure Security Agency is planning to contract with industry next year on a pair of projects that seek to further build out the government’s national, multi-stakeholder cybersecurity exercises, and to develop new analytic capabilities to predict vulnerabilities and threats to the global supply chain.

One of the contracts, managed by the agency’s National Risk Management Center, will develop a predictive analytics tool that can leverage artificial intelligence and machine learning to spot weaknesses in the information and communications technology supply chain. In a questions and answers document released to the public this month, the agency said it is planning to issue a bid for a contract to fulfill these services in Spring 2022.

Another project will seek to contract with one or multiple vendors to assist in the “planning, conduct, evaluation and management of a broad spectrum” of cyber and physical security exercises the agency hosts with public sector governments and critical infrastructure.  The work will require a top secret clearance and agency officials are planning to issue a request for information early next year before awarding one or multiple contracts by the middle of 2022. Agency officials identified General Dynamics Information Technology and Dynamis as the incumbent contractors.

Both contracts will feed into larger cybersecurity initiatives already happening throughout the federal government.

The new predictive tool will help CISA officials further scope out the interdependencies of the software and technology supply chains. While researching such interdependencies has long been a priority for CISA, it has become an increasing focus for the Biden administration over the past year as incidents like the SolarWinds campaign, the Kaseya ransomware attack and the Log4j vulnerability all underscore the widespread damage malicious hackers can cause by corrupting code in a widely-used software product.

An executive order issued by President Joe Biden in February tasked the secretaries of Homeland Security and Commerce with delivering a report to the White House on the supply chain challenges of the information and communications technology sector, while a follow up executive order in May placed enhanced cyber incident reporting requirements on ICT vendors who do business with the government.

The National Risk Management Center was originally stood up by CISA to map out and research the impact that discrete incidents – like a cyberattack of a particular critical infrastructure entity – could have on the nation’s ability to carry out essential functions like internet service, GPS systems, banking and food supply. The center has already developed a list of more than 100 “national critical functions” that could cause larger breakdowns in society if disrupted, but the presentation makes it clear that more work is needed to make those findings actionable.

“For the National Critical Functions to translate into operational outcomes, information must be aggregated from a diverse set of public and private stakeholders and made useful for analytics and decision-making,” one slide reads. “However, integrating characteristics from physical, cyber, social, and regulatory risk analysis is complex and requires analysis of the NCFs on an individual basis in addition to an understanding of the dependencies between them.”

Meanwhile, enhancing the federal government ability to stage complex, high-concept scenarios that help federal, state, local and tribal government officials coordinate in the wake of a digital emergency has become a high priority for federal policymakers.

According to CISA, the agency runs more than 80 such exercises every year with a pool of about 5,000 stakeholders, and the most recent National Defense Authorization Act includes a provision that would create a national exercise to simulate “the partial or complete incapacitation of a government or critical infrastructure network resulting from a cyber incident.”

The upcoming bid will include requirements to help design the agency’s exercises, put together tabletop scenarios for public and private stakeholders to work through and write reports and that outline recommendations and lessons learned. The work will include partnering with divisions like the National Risk Management Center, the Emergency Communications Division and the Cyber Security Division to run virtual and in-person planning sessions and exercises to examine the nation’s collective digital and physical resiliency against diseases like COVID-19, ransomware attacks, active shooters and threats to election infrastructure.

The document cites incidents like the Colonial Pipeline and JBS ransomware attacks that resulted in widespread disruptions of the gas and food supply chains this past year as key motivators for procuring new methods of analysis. It calls for the agency to procure specific capabilities from the private sector, including automated data pattern identification, web scraping, identification of anomalous behaviors and regional modeling and mapping of risk concentration across different industrial sectors.

prestitial ad