No surprise: in many cases there are only dotted lines (at best) connecting recommendations to actual practices at this point. That is one reason the DOD used its research and development arm, DARPA, to launch a research program dubbed VET, to help determine what constitutes clean and verified versus "malicious" software, and how organizations can quickly assess the state of thousands or tens of thousands of IP-enabled devices in their IT environments.
Despite the mind-boggling complexity of verifying supply chain security, Howard of Georgia Tech said that, on the practical level, much of it still comes down to relationships. "Know who you're buying from," he said. "You're not going to solve the problem, but you can mitigate your risk by buying from trusted suppliers."
After that, there is plenty of low-hanging fruit to be picked: assessments of device security and software security that involve basic device scanning and manipulation.
And, as with so many other topics: the Internet is a great source of information on products. "Information is power," Howard said. Customer forums and other online hangouts can provide information on the products you use. Customers can easily do firmware checks to make sure that the firmware running on their device is up to date and matches what the manufacturer is distributing. Beyond that, the sky is the limit. "Open your router and get the manufacturer and model number for the chips, then Google it to see where they came from," Howard suggested. "It's all about risk mitigation and, with the right technical staff, it's easy to do."
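The firmware check Howard describes, in code, as an added example that is not part of the article or of any Georgia Tech or vendor tooling. It assumes a vendor publishes a plain-text manifest of released firmware versions with their SHA-256 digests; the manifest format, the model name "rtr-100", the version strings and the firmware images below are all constructed for illustration. The customer-side function compares the image pulled from the device against the vendor's digest for the version the device reports, and separately reports whether a newer release exists.

```python
"""Check a device's firmware image against a vendor's published release list.

Added example. The manifest format, versions and image bytes are constructed;
they do not come from any real vendor.
"""
import hashlib
import hmac
from dataclasses import dataclass

# --- vendor side (simulated) -------------------------------------------
# Constructed "official" builds for a hypothetical "rtr-100" router.
OFFICIAL_BUILDS = {
    "2.1.0": b"rtr-100 firmware 2.1.0 -- constructed payload",
    "2.2.0": b"rtr-100 firmware 2.2.0 -- constructed payload",
}


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(builds: dict) -> str:
    """Render the vendor's manifest: one 'version sha256' line per build.
    Lines beginning with '#' are comments (assumed format)."""
    lines = ["# version  sha256"]
    for version, image in builds.items():
        lines.append(f"{version}  {sha256_hex(image)}")
    return "\n".join(lines) + "\n"


# --- customer side --------------------------------------------------------
def parse_manifest(text: str) -> dict:
    """Return {version: sha256_hex}, rejecting malformed lines outright."""
    table = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        if len(parts) != 2 or len(parts[1]) != 64:
            raise ValueError(f"malformed manifest line: {raw!r}")
        table[parts[0]] = parts[1].lower()
    return table


def version_key(version: str):
    """Sort key for dotted numeric versions such as '2.10.1'."""
    return tuple(int(part) for part in version.split("."))


@dataclass
class FirmwareCheck:
    installed: str
    latest: str
    known_version: bool   # the reported version appears in the manifest
    integrity_ok: bool    # image digest matches the vendor digest for that version
    up_to_date: bool      # no newer version is listed


def verify_firmware(installed_version: str, image: bytes,
                    manifest_text: str) -> FirmwareCheck:
    """Compare the image read from a device with the vendor's manifest."""
    table = parse_manifest(manifest_text)
    latest = max(table, key=version_key)
    known = installed_version in table
    digest = sha256_hex(image)
    # A version the vendor never shipped can never pass the integrity check.
    integrity_ok = known and hmac.compare_digest(digest, table[installed_version])
    up_to_date = known and version_key(installed_version) >= version_key(latest)
    return FirmwareCheck(installed_version, latest, known, integrity_ok, up_to_date)


if __name__ == "__main__":
    manifest = build_manifest(OFFICIAL_BUILDS)
    # Constructed "device" readings: a clean older build, a tampered
    # current build (one appended byte), and a version the vendor never shipped.
    for version, image in [
        ("2.1.0", OFFICIAL_BUILDS["2.1.0"]),
        ("2.2.0", OFFICIAL_BUILDS["2.2.0"] + b"\x00"),
        ("9.9.9", b"not a real build"),
    ]:
        print(verify_firmware(version, image, manifest))
```

A digest mismatch on a version the vendor does ship is the finding worth escalating: it means the running image is not what the manufacturer distributes, whether through tampering, a corrupt download or a third-party rebuild. An unknown version is a separate finding (the device reports a build the vendor has no record of), and the ordering check only says whether a newer release exists, not whether the device is exploitable.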