To: All State Contractors and Vendors
By now you should be aware of the SolarWinds supply chain compromise that was reported on 8 December, 2020. The attack on a leading security firm, FireEye, has resulted in the identification of a confirmed supply chain compromise of a network monitoring tool, SolarWinds. This tool is widely used across the globe and, more importantly, by U.S. Federal, Department of Defense, State and local government, and private sector companies. The compromise is being categorized as a “grave threat” to U.S. interests and puts the safety and security of our critical infrastructure at risk.
As part of the State’s response to this incident, DIT, in partnership with other state and federal resources, has established the North Carolina Joint Cybersecurity Task Force. This Task Force is comprised of Federal, State, Local and Academic officials with the primary mission to develop strategies to address incidents of similar magnitude. In order for the State to assess the overall impact of this incident, it is important that we get adequate feedback from our vendor partner community. Transparency is the only way we will be able to identify, protect, detect, and respond to this and future incidents that may arise.
The Joint Cyber Task Force has established a website that is used to update statewide entities on the latest alerts and advisories associated with this incident. The website also contains a questionnaire that we encourage ALL state entities (i.e., agencies, local government and academia) and private sector companies (especially those supporting critical infrastructure responsibilities) to complete. Again, this questionnaire will allow the Task Force to understand the level of impact statewide and address the resources needed to mitigate the risks. As you complete the questionnaire, please do so with the understanding that we need to capture both direct and indirect impact. An example of indirect impact: while your core operations may NOT use the SolarWinds product, your 3rd and 4th party vendors may use it within their infrastructure, which makes it an indirect risk to you. We ask that all vendor partners of the state complete the questionnaire as soon as possible.
Note: Information shared as part of this process will be protected from public disclosure under G.S. 132-6.1(c). Private sector entities are encouraged to report cybersecurity incidents to the Department. (2015-241, s. 7A.2(b); 2019-200, s. 6(e).)