NIST Highlights Palo Alto Networks Supply Chain Best Practices

This post is also available in: 日本語 (Japanese)

Around the world, governments as well as private sector organizations are focused on identifying and mitigating risks to the information and communications technology (ICT) supply chain. In fact, efforts to disrupt or exploit supply chains have become, in the words of a senior US Homeland Security Department official, a “principal attack vector” for adversarial nations seeking to take advantage of vulnerabilities for espionage, sabotage or other malicious activities. In this environment, strong supply chain security practices are a differentiator for critical infrastructure organizations. But what, exactly, does a strong supply chain security program look like? Recently, the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST) published a case study highlighting how Palo Alto Networks uses supply chain best practices. 

 The case study identified several best practices that collectively contribute to the overall supply chain security efforts of Palo Alto Networks. Among them:

• An organizational focus on end-to-end risk management. We identify supply chain risks across our entire product lifecycle – design, sourcing, manufacturing, fulfilment and service – and take proactive action to ensure the integrity of our products. Risk assessments are performed early in the product development lifecycle to help determine the feasibility of product design decisions.
• Strong supplier management, focused on security requirements as well as establishing collaborative relationships to ensure a complete view of suppliers’ security posture.
• Hardware manufacturing and order fulfillment processes that enable us to more easily manage personnel, facility and product security. In fact, we regularly consider geopolitical implications when making decisions to forgo suppliers and manufacturing locations, because it’s simply the right decision for product security.
• Active engagement in public-private partnerships designed to increase collaboration between public and private sector organizations and make recommendations for enhancing supply chain security, such as our executive committee role on the DHS ICT Supply Chain Risk Management Task Force.
• Finally, overlaying these practices is executive management buy-in. Supply chain risk management is a team sport spanning operations, product management and other corporate functions. Strong coordination is critical to our success.

As with many global manufacturers, our supply chain practices were put to the test in the face of the COVD-19 pandemic. Indeed, Palo Alto Networks is both a critical infrastructure company ourselves – playing a key role in ensuring complex, interconnected digital information systems are secure against malicious actors – and a supplier to other critical infrastructure entities worldwide. The customers that rely on us to secure their networks span critical healthcare, defense, financial services, government, logistics, food and agriculture, and other entities that are playing a vital role in the response to the pandemic. In a testament to our risk management practices, our team and our manufacturing partner have done a terrific job working with our suppliers around the globe to ensure that we can meet the security needs of our customers during this time.

What’s next? Palo Alto Networks believes governments should promote adoption of supply chain best practices by incentivizing companies that make risk-based decisions to maintain product integrity – such as through qualified procurement preferences. In fact, in the United States, Congress has mandated that the U.S. government should identify supply chain best practices and recommend legislative or other policy changes to incentivize their adoption by the private sector. The government would do well to look at NIST’s work in identifying those best practices.

 At Palo Alto Networks, we understand what it takes to maintain a strong supply chain and ensure the integrity of our products. We believe responsible companies have a duty to keep a secure supply chain and that governments should promote the adoption of best practices like these to foster a resilient ICT ecosystem. Read the full NIST case study on our approach to supply chain risk management here: Case Studies in Cyber Supply Chain Risk Management: Palo Alto Networks, Inc..