{"id":112977,"date":"2020-06-26T13:45:52","date_gmt":"2020-06-26T20:45:52","guid":{"rendered":"https:\/\/www.paloaltonetworks.com\/blog\/?p=112977"},"modified":"2020-07-09T13:49:55","modified_gmt":"2020-07-09T20:49:55","slug":"policy-supply-chain-best-practices","status":"publish","type":"post","link":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/2020\/06\/policy-supply-chain-best-practices\/","title":{"rendered":"NIST Highlights Palo Alto Networks Supply Chain Best Practices"},"content":{"rendered":"<p><span style=\"font-weight: 400\">Around the world, governments as well as private sector organizations are focused on identifying and mitigating risks to the information and communications technology (ICT) supply chain. In fact, efforts to disrupt or exploit supply chains have become, in the words of a senior US Homeland Security Department official, a \u201c<\/span><a href=\"https:\/\/homeland.house.gov\/imo\/media\/doc\/Testimony-Kolasky1.pdf\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400\">principal attack vector<\/span><\/a><span style=\"font-weight: 400\">\u201d for adversarial nations seeking to take advantage of vulnerabilities for espionage, sabotage or other malicious activities. <\/span><span style=\"font-weight: 400\">In this environment, strong supply chain security practices are a differentiator for critical infrastructure organizations. But what, exactly, does a strong supply chain security program look like? Recently, the <\/span><span style=\"font-weight: 400\">U.S. 
Department of Commerce\u2019s National Institute of Standards and Technology (NIST) published a<\/span><a href=\"https:\/\/csrc.nist.gov\/publications\/detail\/white-paper\/2020\/02\/04\/case-studies-in-cyber-scrm-palo-alto-networks-inc\/final\" rel=\"nofollow,noopener\" > <span style=\"font-weight: 400\">case study<\/span><\/a><span style=\"font-weight: 400\"> highlighting how Palo Alto Networks uses supply chain best practices.\u00a0<\/span><\/p>\n<p><span style=\"font-weight: 400\">\u00a0<\/span><span style=\"font-weight: 400\">The case study identified several best practices that collectively contribute to the overall supply chain security efforts of Palo Alto Networks. Among them:<\/span><\/p>\n<ul>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">An organizational focus on <\/span><span style=\"font-weight: 400\">end-to-end risk management<\/span><span style=\"font-weight: 400\">. We identify supply chain risks across our entire product lifecycle \u2013 design, sourcing, manufacturing, fulfilment and service \u2013 and take proactive action to ensure the integrity of our products. Risk assessments are performed early in the product development lifecycle to help determine the feasibility of product design decisions.<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Strong supplier management<\/span><span style=\"font-weight: 400\">, focused on security requirements as well as establishing collaborative relationships to ensure a complete view of suppliers\u2019 security posture.<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Hardware manufacturing and order fulfillment processes<\/span><span style=\"font-weight: 400\"> that enable us to more easily manage personnel, facility and product security. 
In fact, we regularly consider geopolitical implications when making decisions to forgo suppliers and manufacturing locations, because it\u2019s simply the right decision for product security.<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Active engagement in <\/span><span style=\"font-weight: 400\">public-private partnerships<\/span><span style=\"font-weight: 400\"> designed to increase collaboration between public and private sector organizations and make recommendations for enhancing supply chain security, such as our executive committee role on the <\/span><a href=\"https:\/\/www.cisa.gov\/ict-scrm-task-force\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400\">DHS ICT Supply Chain Risk Management Task Force<\/span><\/a><span style=\"font-weight: 400\">.<\/span><\/li>\n<li style=\"font-weight: 400\"><span style=\"font-weight: 400\">Finally, overlaying these practices is <\/span><span style=\"font-weight: 400\">executive management buy-in<\/span><span style=\"font-weight: 400\">. Supply chain risk management is a team sport spanning operations, product management and other corporate functions. Strong coordination is critical to our success.<\/span><\/li>\n<\/ul>\n<p><span style=\"font-weight: 400\">As with many global manufacturers, our supply chain practices were put to the test in the face of the COVID-19 pandemic. <\/span><span style=\"font-weight: 400\">Indeed, Palo Alto Networks is both a critical infrastructure company ourselves \u2013 playing a key role in ensuring complex, interconnected digital information systems are secure against malicious actors \u2013 and a supplier to other critical infrastructure entities worldwide. The customers that rely on us to secure their networks span critical healthcare, defense, financial services, government, logistics, food and agriculture, and other entities that are playing a vital role in the response to the pandemic. 
In a testament to our risk management practices, our team and our manufacturing partner have done a terrific job working with our suppliers around the globe to ensure that we can meet the security needs of our customers during this time.<\/span><\/p>\n<p><span style=\"font-weight: 400\">What\u2019s next? <\/span><span style=\"font-weight: 400\">Palo Alto Networks believes governments should promote adoption of supply chain best practices by incentivizing companies that make risk-based decisions to maintain product integrity \u2013 such as through qualified procurement preferences. <\/span><span style=\"font-weight: 400\">In fact, in the United States, Congress has<\/span><a href=\"https:\/\/www.congress.gov\/bill\/115th-congress\/house-bill\/7327\" rel=\"nofollow,noopener\" > <span style=\"font-weight: 400\">mandated<\/span><\/a><span style=\"font-weight: 400\"> that the U.S. government should identify supply chain best practices and recommend legislative or other policy changes to incentivize their adoption by the private sector. The government would do well to look at NIST\u2019s work in identifying those best practices.<\/span><\/p>\n<p><span style=\"font-weight: 400\">\u00a0<\/span><span style=\"font-weight: 400\">At Palo Alto Networks, we understand what it takes to maintain a strong supply chain and ensure the integrity of our products. We believe responsible companies have a duty to keep a secure supply chain and that governments should promote the adoption of best practices like these to foster a resilient ICT ecosystem. 
Read the full NIST case study on our approach to supply chain risk management here: <\/span><a href=\"https:\/\/doi.org\/10.6028\/NIST.CSWP.02042020-6\" rel=\"nofollow,noopener\" ><span style=\"font-weight: 400\">Case Studies in Cyber Supply Chain Risk Management: Palo Alto Networks, Inc.<\/span><\/a><span style=\"font-weight: 400\">.<\/span><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Governments should promote the adoption of supply chain best practices to foster a resilient ICT ecosystem.<\/p>\n","protected":false},"author":663,"featured_media":108956,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[484,6769],"tags":[123,183,1794],"coauthors":[7155],"class_list":["post-112977","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-government","category-public-sector","tag-government2","tag-nist","tag-supply-chain"],"jetpack_featured_media_url":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-content\/uploads\/2020\/04\/panw-federal-TEST1-1200x627-2.png","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/112977","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/users\/663"}],"replies":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/comments?post=112977"}],"version-history":[{"count":2,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/112977\/revisions"}],"predecessor-versio
n":[{"id":113605,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/posts\/112977\/revisions\/113605"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media\/108956"}],"wp:attachment":[{"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/media?parent=112977"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/categories?post=112977"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/tags?post=112977"},{"taxonomy":"author","embeddable":true,"href":"https:\/\/origin-researchcenter.paloaltonetworks.com\/blog\/wp-json\/wp\/v2\/coauthors?post=112977"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}