Let's talk for a few moments about RMF and supply chain risk management. This version of RMF incorporates an approach to manage cyber risk in your supply chain. There's good reason for this. Most organizations rely on a lot of external providers and commercial off-the-shelf products, systems and services. These are all referred to as third parties, which is a term that comes from the contracting world. And because of this dependency on third parties, cyber attackers are using the supply chain as an attack vector and as an effective means of breaking into our systems, compromising their trustworthiness and gaining access to our critical digital assets. Because attacking third parties works so well, cyber attacks or cyber disruptions to an organization's supply chain are increasing, and so are the negative impacts.

Let me give you a recent example. SolarWinds is the maker of remote network management software. Users of this software included 425 of the Fortune 500, the top 10 U.S. telecommunications companies, the top five U.S. accounting firms, all branches of the U.S. military, the Pentagon, the State Department, as well as hundreds of universities and colleges worldwide. The cyber attackers exploited the SolarWinds software-making environment and committed a software supply chain attack. A Russian cyber exploitation group called Cozy Bear, and also known as Advanced Persistent Threat 29, gained access to many government and other systems through this compromised update to the SolarWinds software, which resulted in massive damage. Cleaning up the SolarWinds hack may cost the American economy as much as $100 billion, as U.S. government agencies and private corporations spend months finding and removing the malicious code.

And before SolarWinds, a data-deleting worm called NotPetya was delivered through a compromised software update to a popular Ukrainian tax software package. NotPetya ultimately caused over $10 billion in damage as it stormed across Europe and through many countries on other continents.

Supply chain risks include things like untrustworthy suppliers, counterfeit parts, tampering, theft of trade secrets, the insertion of malicious code, and poor manufacturing and development practices throughout the systems development life cycle. As a result of all these real-world concerns, RMF wants us to include supply chain risk management so that it's integrated with our security and privacy risk management practices.