
NASA

Mitigating Supply Chain Vulnerabilities with BitSight’s Third-Party Risk Management Solution

Like all government agencies, NASA takes cybersecurity very seriously, understanding that any security compromise can result in the postponement of multi-million-dollar missions and even loss of life. However, since the agency relies on more than 3,000 vendors to achieve its mission, threat actors have multiple pathways for infiltration.



To identify potential vulnerabilities, the agency has traditionally relied on manual risk monitoring procedures, public disclosure statements, and breach notifications—which were usually only reported by larger vendors.

According to Kanitra Tyler, Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Service Element Lead at NASA and a 30-year veteran of the space administration, the team needed more in-depth, detailed, and real-time security information. “We use Interos, one of BitSight’s valued partners for third-party risk management, which provides great insights into things like geopolitical and financial risk. But we needed to take a much deeper dive into our suppliers’ cybersecurity postures.”

To meet that need, NASA adopted BitSight for Third-Party Risk Management (TPRM). Through a deep integration with Interos—a leading governance, risk, and compliance (GRC) tool—BitSight provides deeper insights into third- and fourth-party vendor risk profiles. Now, NASA can:

  • Uncover high-risk vendors that may be using banned services under Section 889 of the National Defense Act.
  • Ensure vendors’ cybersecurity postures meet the administration’s specific requirements and guidance included in the NIST Cybersecurity Framework.
  • Accelerate cyber risk assessments with better focus and prioritization of supply chain risk management.
  • Work with suppliers to reduce their own risk and, as a result, pose fewer threats to NASA.
  • Measure exposure to cyber risk using data-driven security ratings.

“At NASA, we focus on what we call the three P’s—pedigree, providence, and position,” explained Tyler. “BitSight helps enormously with the first two. We can now easily identify the vulnerabilities associated with a particular vendor and how those vulnerabilities could impact our own security posture—before we begin working with them.”

NASA also struggled with taking proactive and corrective action when necessary due to the time it took to monitor its vendor portfolio. With countless vendors and the need to reassess and remediate vendor security issues, NASA needed a more efficient process.

Through BitSight, NASA was able to improve its processes dramatically with daily alerts and easy-to-understand metrics on changes to vendors’ security postures—helping the team prioritize risk. Per Tyler, “BitSight has allowed us to automate our security monitoring process, resulting in about 50 percent time and efficiency savings. We can sign into BitSight and get real-time information right from the easy-to-use dashboard.”

But for Tyler, BitSight’s technology and data are only the beginning of what makes NASA’s relationship with BitSight so valuable. The service and support BitSight provides are equally important and have helped the agency remain protected from potential threats.

“I can think of at least three instances where BitSight alerted us to major security issues that could affect NASA so that we would be better prepared,” she said. “In each instance, BitSight provided us with detailed reports and advice that allowed us to make better decisions while protecting our supply chain.”

As Tyler put it: “Flying to space is our primary mission and core area of expertise, not cybersecurity. For that, we want to partner with someone who understands that discipline and how to manage it well. BitSight is that partner.”
