Purdue University Graduate School

Countermeasures for Preventing Malicious Infiltration on the Information Technology Supply Chain

thesis
posted on 2023-05-31, 17:16 authored by Leah Michelle Roberts

  

Supply chain security continues to be an overlooked field with consequences that can disrupt industrial complexes, cause irreparable harm to critical infrastructure services, and bring unparalleled devastation to human lives. These risks, once constrained to physical tactics, have advanced to undetectable cyber strategies, as in the case of the infamous third-party attacks on Target and SolarWinds (Wright, 2021). Moreover, no one sector appears to be immune, as a study by the Government Accountability Office (GAO) found that federal agencies also lag in complying with their own standards as published by the National Institute of Standards and Technology (NIST) (Eyadema, 2021). Throughout this research study, malicious infiltrations propagated by nefarious actors were explored to identify countermeasures and best practices that can be deployed to protect organizations. Often, the lack of defense strategies is not from an absence of information, but from overly complex procedures and a lack of concise requirements. In a recent survey of Department of Defense (DoD) suppliers, 46% of respondents claimed that the supply chain requirements were too difficult to understand, thus reaffirming the importance of creating tools and techniques that are pragmatic and easily implementable (Boyd, 2020).


The research study presented offered notable safeguards through a literature review of prior studies, standards, and a document analysis of three prominent Information Technology (IT) companies that have made considerable advances in the field of IT supply chain. The results of the research led to the creation of the Roberts Categorization Pyramid, which follows a zero-trust framework of “never trust, always verify” (Pavana & Prasad, 2022, p. 2). The pyramid is then further broken down into a formidable six-layer support structure consisting of governance, physical security, sourcing security, manufacturing, hardware security, and software security best practices. Finally, the importance of persistent vigilance throughout the life cycle of IT is highlighted through a continuous monitoring defense strategy layer that engulfs the entirety of the pyramid. Through this compilation of pragmatic countermeasures, supply chain practitioners can become more informed, leading to more mindful decisions and protective requirements in future solicitations and supplier flow-downs.

History

Degree Type

  • Doctor of Technology

Department

  • Technology Leadership and Innovation

Campus location

  • West Lafayette

Advisor/Supervisor/Committee Chair

Linda Naimi

Additional Committee Member 2

Kathryne Newton

Additional Committee Member 3

James Mohler

Additional Committee Member 4

Darlene Fern Russ-Eft
