Tag Archives: supply chain

Navy COVID-19 Procurement Acceleration And Troubleshooting

DEFENSE SYSTEMS

The Navy has spent the past two years building systems that can provide real-time visibility into its supply chain, where there were gaps for major programs.

They’ve now overlapped that capability with hot-spot data, indicating where companies have shut down or there’s been an influx in cases.

______________________________________________________________________________

“The Navy has been awarding contracts faster since the start of the coronavirus pandemic, but one of the biggest gains has been systems that can assess supply chain weaknesses, according to James Geurts, the Navy’s acquisition chief.

Geurts said doing that allows the Navy to “see what suppliers are at risk. When we understand that, we can start managing those potential delays into our supply system.” That information is then used to inform continuing operations, move supplies if needed and understand when suppliers are back online.

Geurts also said the Navy has geographically networked all of its 3D printers, which provides insight into where the need is on the local levels, “ensuring that we’re not competing or conflicting with each other.” Many organizations are using 3D printers to fabricate parts for medical devices and other needed materials that are not readily available through existing supply chains.

With contracts going out faster than anticipated, Geurts also said the Navy has been examining its business practices, learning how to better collaborate, reduce backlogs and not duplicate functions. All of that will hopefully aid in a faster recovery from the coronavirus, he said.

“Ships still have to come out on time, we’ve got to do the maintenance and continue to supply lethal capabilities to our sailors and Marines, and we can’t afford to lag the recovery.”

OMB Wants Public Input To Improve Federal Acquisition And Supply Practices.

FCW

Ideas from supply and acquisition experts outside government can help the government modernize its $575 billion supply chain and acquisition functions.

____________________________________________________________________________

“Margaret Weichert, the deputy director of management at the Office of Management and Budget, teed up the effort in a document released Jan. 27 after the White House Summit on Federal Acquisition and Supply Chain Management.

“We want to hear from private sector organizations, researchers, academic institutions, good government groups, the public, and others on the vision and concept for a mechanism to facilitate curated conversations between the federal government and external supply chain and acquisition experts on a variety of issues and questions that support the government’s acquisition modernization effort,” said Weichert in a statement following the summit.”

https://fcw.com/articles/2020/01/28/omb-input-acquisition-rockwell.aspx?oly_enc_id=

Federal Government Supply Chain Needs Work Against Foreign Influence

“CYBERSCOOP”

Fortinet settled allegations under the False Claims Act that it sold the U.S. military technology it falsely labeled as American-made.

Tech titan Cisco agreed to pay $8.6 million to settle claims it knowingly sold surveillance equipment with cybersecurity vulnerabilities to the government. Aventura was charged weeks ago with selling vulnerable Chinese-made technology to the U.S. military.

____________________________________________________________________________

“Although the U.S. government is working to prevent foreign telecommunications firms like Huawei from building 5G networks in the U.S. and abroad, there are still few answers on how to secure the government’s technology supply chain, according to federal Chief Information Security Officer Grant Schneider.

“Could [a company] come under the influence of a foreign adversary in any way shape or form? Is there quality where we need it to be? … How do we ensure their supply chain and the parts that they’re taking in and putting inside their box are actually the parts they’re expecting?” Schneider said at the Fortinet Security Summit, produced by FedScoop and StateScoop. “I don’t think we have an answer on what are the solutions to all those [questions.]”

The administration also isn’t clear yet on whether the government itself should be assessing which contractors are meeting requirements, or whether that assessment should be completed elsewhere, according to Schneider.

“As we look at our supply chain and we look at what our supply chain programs need to have, there’s going to be a variety of due diligence,” Schneider said. “And I think one of the things we’re looking at in the government is how much of that do we put on our providers.”

As far as whether the pendulum is swinging in the direction of government involvement or contractor control over supply chain decisions, Schneider does not think the government is in a position to presume suppliers and subcontractors are meeting supply chain requirements upfront.

“I’m probably not going to directly trust you’ve done them all,” Schneider told CyberScoop on the sidelines of the event.

It’s not just the tech that the government needs to worry about. When it comes to a recent case of two former Twitter employees who were charged with spying on Saudi dissidents on behalf of the Saudi Kingdom, Schneider indicated the private sector has a large role to play. When asked what the Trump administration should be doing to thwart tech companies being allegedly used for foreign espionage, Schneider pointed to Twitter.

“I think everyone has … a responsibility for their workforce and to know the actions that their workforce is taking and need[s] to have ways to be sure that they … have the proper controls in place,” Schneider said.”

Supply Chain Risks And Your Government Contracting Business

“WASHINGTON TECHNOLOGY” By Jodi Schatz

An end-to-end approach to supply chain risk management, also called SCRM, examining technology trends, emerging threat vectors, and what vendors new to the federal government must keep in mind to mitigate supply chain risk.

______________________________________________________________________________

“As technology advances, supply chain risk management challenges are going well beyond the world of producing physical products such as IT hardware. While ISO-based standards provide clear guidance on supply chain management in the private sector, federal government suppliers must think more broadly.

To become a trusted supplier to the federal government, vendors must understand supply chain risk management trends affecting manufacturing.

Technology evolution and globalization

As technology has continually evolved from hardware to software, it has introduced new aspects of supply chain management. While software innovation offers new capabilities, it also brings vulnerabilities that are more easily exploited than with hardware. That exploitation introduces supply chain risks (more on this later).

Of course, hardware is still a significant part of infrastructure, including government services. Most hardware is built for a long lifecycle, and once deployed this legacy technology is not likely to be unseated, because of the capex costs tied to its original implementation.

With globalization, the main hardware risk comes through offshore contractors and suppliers. The widespread acceptance of globalization makes it harder to be certain of the integrity of your hardware supply chain.

What’s more, as software attack vectors become more sophisticated, they are also likely to be adapted to hardware. The installed hardware base is large, and therefore attractive to bad actors. The evolution of technology may provide a false sense of security that existing hardware is not susceptible to new forms of supply chain risk.

For federal government agencies, where data security is paramount, vendors will encounter more stringent compliance requirements than in the private sector. The supply chain must be protected to ensure product quality, and to protect against the ever-evolving onslaught of cybersecurity threats.

Shift towards software

With cloud replacing traditional hardware infrastructures, and software becoming more cloud-based, SCRM needs to shift focus from tracking physical components to the programming code used in cloud-based applications.

Cloud service providers all have some form of shared responsibility model for security, in which users are still responsible for securing their individual applications and services; the CSPs are responsible for the security of their infrastructure and the code used in their services.

Without tightly controlling the supply chain, malicious code could be introduced into cloud services. Most software applications, whether cloud-based or not, utilize significant open source code. A strong product development lifecycle ensures that open source code in a CSP’s infrastructure or cloud service offerings will be handled securely.

To that end, there are two best practices to apply to meet security responsibilities in the cloud:

  • Establish a technology import process that allows software to be imported in a trusted manner, and to be used securely in products and service applications. Discovery and inspection processes must deliver a baseline understanding of what the technology is doing, how it is structured, and its level of maturity. Architecture review, code analysis and a security design review are also recommended. These factors would feed into a risk assessment of potential threats, including known vulnerabilities. Only if these threats are deemed acceptable would a piece of technology be pulled into an application or service released to the market.
  • Securely manage risk in software and cloud-based applications with a software bill of materials (BOM). The BOM should outline all components feeding into a software application. Using this documentation, CSPs can list the tools used in their application development – as well as any third-party components. Both the IT and R&D departments therefore can apply software patches and updates more efficiently and effectively.
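The patching use of a software BOM described in the second practice can be shown as a short script. This is an added example, not code from the article or from any vendor: the BOM uses CycloneDX JSON field names, while the component names, versions and advisory records are constructed for illustration.

```python
import json

# Constructed sample BOM (CycloneDX-style fields; component names are invented).
SAMPLE_BOM = json.dumps({
    "bomFormat": "CycloneDX",
    "specVersion": "1.5",
    "components": [
        {"type": "library", "name": "examplelib-tls", "version": "1.2.9"},
        {"type": "library", "name": "examplelib-json", "version": "2.10.0"},
        {"type": "library", "name": "examplelib-zip", "version": ""},
        {"type": "application", "name": "build-tool-x", "version": "4.0.1"},
    ],
})

# Constructed advisories: a component is affected when
# introduced <= installed version < fixed.
SAMPLE_ADVISORIES = [
    {"id": "EXAMPLE-ADV-0001", "name": "examplelib-tls",
     "introduced": "1.0.0", "fixed": "1.2.10"},
    {"id": "EXAMPLE-ADV-0002", "name": "examplelib-json",
     "introduced": "2.0.0", "fixed": "2.9.0"},
]


def parse_version(text):
    """Turn '1.2.10' into (1, 2, 10) so versions compare numerically.

    Comparing the raw strings would rank '1.2.9' above '1.2.10' and
    silently miss the first advisory above.
    """
    return tuple(int(part) for part in text.split("."))


def triage(bom_json, advisories):
    """Return components that need a patch and components that cannot be assessed."""
    bom = json.loads(bom_json)
    findings = {"patch": [], "unpinned": []}
    for comp in bom.get("components", []):
        name = comp.get("name", "")
        version = comp.get("version", "")
        try:
            installed = parse_version(version)
        except ValueError:
            # No version, or a version this simple parser cannot read:
            # the BOM entry is not precise enough to check against advisories.
            findings["unpinned"].append(name)
            continue
        for adv in advisories:
            if adv["name"] != name:
                continue
            low = parse_version(adv["introduced"])
            high = parse_version(adv["fixed"])
            if low <= installed < high:
                findings["patch"].append((name, version, adv["fixed"], adv["id"]))
    return findings


if __name__ == "__main__":
    result = triage(SAMPLE_BOM, SAMPLE_ADVISORIES)
    for name, have, want, adv_id in result["patch"]:
        print(f"PATCH    {name} {have} -> {want} ({adv_id})")
    for name in result["unpinned"]:
        print(f"UNPINNED {name}: no usable version recorded in the BOM")
```

An entry without a usable version is reported separately because it can neither be cleared nor flagged, which is the gap a complete BOM is meant to close.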

The four main classes of supply chain threat

With government agency purchases becoming more software-based, associated threats can be harder to recognize. This is particularly true of cloud-based software solutions, where communication channels are truly borderless and information can flow seamlessly from anywhere in the world.

A comprehensive approach to SCRM addresses four classes of threats:

Intentional Threats. These are deliberate actions, intending to be malicious or to gain an unfair competitive advantage. Competitors may inject malware or viruses to undermine your product or to attack your end customer. Prohibited or pirated software may be used to keep production costs down. Black market or counterfeit components may also be used instead of OEM to cut costs and time to market.

Unintentional Threats. These are poor quality control practices or events beyond the vendor’s control. Enforcement of quality standards may be lax. Information with outside contractors may be unclear or incomplete. Human error around data security may make the supply chain vulnerable to future cyberattacks. Poor work conditions could disrupt network operations and throw the process into chaos.

Internal Threats. These may be either intentional or unintentional. Disgruntled or turncoat workers may undermine your production from the inside. The same is true of careless workers, through human error or lack of awareness of data security practices. Weak policies and procedures to control access and grant privileges for sensitive data also fall into this class.

External Threats. These deliberate, well-targeted threats come from outside your organization. Downstream supply chain partners may try to steal IP to disrupt production, often prompted by competitors. Individual hackers may find a vulnerability in your supply chain, which could lead to malware, phishing, fraud, extortion, ID theft, and more. You may even be exploited by state-sponsored actors on behalf of hostile governments.

SCRM means balancing cost and supply chain vulnerabilities

The wide range of supply chain vulnerabilities described here adds up to a risk profile that goes well beyond conventional hardware manufacturing. As production of software and software-based hardware becomes more decentralized, the supply chain becomes more complex and convoluted.

Globalization may create cost benefits for vendors, but creates an interconnected ecosystem where supply chain threats can be almost impossible to detect or control. Vendors, therefore, must apply SCRM best practices, balancing the benefits of globalized software production with the attendant risks caused in developing a federal business practice.

In becoming a trusted supplier to federal government agencies, vendors must align with the requirements in NIST’s Cybersecurity Framework. More specifically, for IT decision-makers, vendors need to follow NIST’s Cyber Supply Chain Risk Management processes (https://csrc.nist.gov/Projects/cyber-supply-chain-risk-management). This will help mitigate risk pertaining to data security applications.

Compliance with long-standing ISO certifications does not translate into airtight security with federal government agencies. An end-to-end approach to SCRM will be needed to succeed in this sector going forward.”

https://washingtontechnology.com/articles/2019/09/30/insights-schatz-supply-chain-security-management.aspx

About the Author:

Jodi Schatz is chief product officer of SafeNet Assured Technologies LLC. She can be reached at Jodi.Schatz@SafenetAT.com.



Government Seeks Technology To Improve DOD’s Complex Supply Chain And Logistics

Air Force Senior Airman Jeremy Kosick guides a K-loader loading cargo onto a C-17 Globemaster III before an airdrop mission at Bagram Air Field, Afghanistan, May 10, 2018. (U.S. Air Force / Staff Sgt. Keith James)

FEDSCOOP

DARPA [has] posted a solicitation for proposals for a program it’s calling LogX.

Specifically, the program wants software that can provide real-time logistics and supply chain situational awareness “at unprecedented scale and speed.”

______________________________________________________________________________

“Imagine trying to coordinate hundreds of airplanes charting the globe on a daily basis, as United Airlines or FedEx do. Multiply that several times, and you have the logistical workload for the U.S. military.

It takes special tools to track all those aircraft and the related supply chains, and the Defense Advanced Research Projects Agency is now reaching out to industry for ideas on upgrading the military’s existing technology, which is managed through the Joint Logistics Enterprise.

“The DoD Joint Logistics Enterprise is immense,” John Paschkewitz, DARPA program manager in the Strategic Technology Office, said in a news release announcing LogX in May. “The supply chain inventory to sustain the Air Force fleet has been estimated to be as large as multiple Fortune 500 companies combined. Add the Army, Navy, and Marine Corps’ needs, and you see how enormous the department’s global logistics and supply systems are, dwarfing any commercial logistics system.”

The logistics enterprise still uses legacy technology, according to the request. LogX is looking for research approaches “that enable revolutionary advances in science, devices, or systems,” the request states.

The request goes on to describe the logistics enterprise as a triple-decker layer of networks. There is the physical supply chain, information networks that inform the physical mobilization of supplies, and financial networks. LogX will focus on improving the information network, according to the request.

Part of the information network changes the DOD hopes to implement is a migration to cloud-based data storage. LogX is expected to be implemented during the next 10 years, over which new technologies will further change the logistical landscape.”

People Are Key To Securing The Defense-Industrial Supply Chain

FIFTH DOMAIN

Successfully targeting a single component of the defense industrial base can cause a ripple effect that can significantly impact everything from data centers to war fighters in theater.

DoD is telling its contractors to engage in “security-by-design,” not “security-as-an-afterthought.” Companies that do not adhere to this policy will no longer be considered trusted partners.

___________________________________________________________________________

“Infiltrating the defense supply chain is one of the most insidious means by which attackers can compromise our nation’s communications and weapons systems.

The Department of Defense’s new “Deliver Uncompromised” security initiative is designed to tackle this problem at its root cause: third-party suppliers. In essence, the DoD is requiring its suppliers to bake security into their applications from the beginning of the production process. A “good enough” approach that just clears the bar for minimal security criteria is no longer good enough. Security must be ingrained in the very fabric of the entire production process.

Security starts with people

The process starts with people. They are responsible for ensuring that the solutions that comprise the supply chain work as designed and are inherently secure. They work closely with highly sensitive and proprietary information that is attractive to enterprising hackers. They are the first line of defense.

Unfortunately, those same factors make people the most attractive attack vector. When a malicious actor wants to gain access to a component or system, it’s often easier to just steal someone’s credentials than it is to try and find their way around a firewall. Obtaining a simple password is often enough to gain access to a critical system that can then be compromised, or information that can be exploited.

Consider the well-publicized Sea Dragon hack. In that incident, Chinese hackers obtained sensor data, signals data, an electronic warfare library and more. The hackers targeted a contractor of the Naval Undersea Warfare Center, a research and development organization that is part of the Defense Industrial Supply Chain. They used that person’s credentials to access the treasure trove of data on the NUWC network, and the supply chain was compromised.

Behavioral analysis can mitigate risk

The incident may have been avoided had there been a mechanism in place to monitor users’ behavioral patterns. Being able to detect a change in human patterns — unusual access to sensitive information, for example, as was the case with Sea Dragon — can help suppliers prevent unauthorized access to information and systems. It’s an added layer that can help the supply chain remain clean and less susceptible to vulnerabilities.

The supplier can set up a system that monitors risk based on user behaviors, which can be measured against an established baseline. For example, a person might ordinarily access a particular subset of information, or have rights to make certain modifications to a solution within the supply chain. A deviation from this normal pattern of behavior could set up a trigger that signals that an anomaly has been detected. That anomaly could indicate a potential security threat — for instance, perhaps the user’s credentials have been compromised. In this scenario, the user could be automatically blocked from accessing information or performing further actions that could compromise the supply chain.
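The baseline-and-deviation mechanism described above can be sketched as follows. This is an added example, not part of the original article or of any product: the user names, resource names, point values and blocking threshold are assumptions chosen for illustration, and the log entries are constructed.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed baseline log: (day, user, resource) for five normal working days.
BASELINE_LOG = (
    [(day, "alice", res) for day in range(1, 6)
     for res in ("hull-drawings", "parts-catalog", "parts-catalog")]
    + [(2, "alice", "hull-drawings")]
    + [(day, "bob", "payroll-reports") for day in range(1, 6)]
)

# Constructed live log for day 6: alice's account starts reading data
# it has never touched before.
LIVE_LOG = [
    (6, "alice", "parts-catalog"),
    (6, "alice", "hull-drawings"),
    (6, "alice", "sensor-data"),
    (6, "alice", "signals-archive"),
    (6, "alice", "ew-library"),
    (6, "alice", "parts-catalog"),
    (6, "bob", "payroll-reports"),
]


class BehaviorMonitor:
    NEW_RESOURCE_POINTS = 40   # assumed weight: resource outside the user's baseline
    VOLUME_POINTS = 30         # assumed weight: more accesses per day than usual
    BLOCK_THRESHOLD = 100      # assumed cut-off for automatic blocking

    def __init__(self, baseline_events):
        self.known = defaultdict(set)
        per_day = defaultdict(lambda: defaultdict(int))
        for day, user, resource in baseline_events:
            self.known[user].add(resource)
            per_day[user][day] += 1
        # Daily volume limit per user: baseline mean plus three standard deviations.
        self.volume_limit = {}
        for user, days in per_day.items():
            counts = list(days.values())
            self.volume_limit[user] = mean(counts) + 3 * pstdev(counts)
        self.today = defaultdict(int)
        self.risk = defaultdict(int)
        self.blocked = set()

    def observe(self, day, user, resource):
        """Score one access and return allow, alert, block or deny."""
        if user in self.blocked:
            return "deny"
        deviated = False
        self.today[(user, day)] += 1
        if resource not in self.known.get(user, set()):
            self.risk[user] += self.NEW_RESOURCE_POINTS
            deviated = True
        # A user with no baseline has a limit of 0, so every access deviates.
        if self.today[(user, day)] > self.volume_limit.get(user, 0):
            self.risk[user] += self.VOLUME_POINTS
            deviated = True
        if self.risk[user] >= self.BLOCK_THRESHOLD:
            self.blocked.add(user)
            return "block"
        return "alert" if deviated else "allow"


def replay(baseline_events, live_events):
    """Build the baseline, then return (user, resource, decision) per live event."""
    monitor = BehaviorMonitor(baseline_events)
    return [(user, res, monitor.observe(day, user, res))
            for day, user, res in live_events]


if __name__ == "__main__":
    for user, res, decision in replay(BASELINE_LOG, LIVE_LOG):
        print(f"{decision:6} {user:6} {res}")
```

The two in-baseline reads pass, the first two out-of-baseline reads raise alerts, the third crosses the threshold and blocks the account, and every later request from that account is denied while the other user is unaffected.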

Being able to detect anomalous user behavioral patterns can be essential in protecting Controlled Unclassified Information, which many contractors are using to create new defense programs and solutions. CUI is information designated as unclassified information that must be protected from public disclosure.

For example, a supplier could be working on key components for a new aircraft. The information pertaining to those components may not be classified, but it may also not be something that the Air Force wishes to disclose for public consumption. An enterprising hacker could potentially access the credentials of a user working on this program and obtain its CUI data. They could then infiltrate the supply chain network that feeds into the program, potentially putting the entire effort at risk — even the pilots who will eventually be operating the plane.

Security: the top supply chain priority

A risk-adaptive behavioral analysis approach exemplifies the type of extensive effort that Deliver Uncompromised proposes. Deliver Uncompromised warns against doing the bare minimum when it comes to security. Indeed, it elevates security as a “4th pillar” of the acquisition process, making it equivalent to cost, schedule and performance.

In fact, the collective message the DoD is sending out with Deliver Uncompromised and its counterpart, the Defense Federal Acquisition Regulation Supplement, is that securing the supply chain must be a top priority.

Those companies’ most valuable assets are their people. But those same assets can also be a vulnerable point of entry. Supply chain security must start and end with them. The DoD should consider partnering with organizations that show a commitment to securing their people as much as their technologies.”

https://www.fifthdomain.com/opinion/2019/05/13/people-are-key-to-securing-the-defense-industrial-supply-chain/


Managing Supply Chain Risks

STRATFOR WORLD VIEW By Kenneth Senser 

A thorough supply chain risk assessment will help a business identify potential weaknesses, allowing it to develop and apply mitigating action.

Mapping the supply chain, conducting a risk assessment and applying mitigating strategies is not a one-time event.

___________________________________________________________________________

“Introduction

Starting and operating a business is difficult. This is particularly true for a small business. According to the U.S. Small Business Administration, roughly half of all establishments will fail within the first five years of operation and two-thirds will cease operations within 10 years. The reasons for business failures are varied.

Poor supply chain management is one factor that contributes to business failures. The supply chain is composed of many elements that function, in combination, to take raw material or information inputs and develop these into products that are delivered by a business to its customers. The specific makeup of the supply chain can be unique to different industries or businesses.

However, one commonality across all supply chains is that there are key elements within the chain that, if not appropriately protected, add risk to the business. Therefore, when considering all the different ways businesses might fail, experienced leaders manage risk within the supply chain, enhancing the probability that a business will not only survive, but thrive.

Assessment of Risks in the Supply Chain

Before you can manage supply chain risk, you need to identify where it exists. This is accomplished by conducting a risk assessment. The first step in the risk assessment is mapping the complete supply chain.

The supply chain will vary depending on the specific industry and business. Start with a comprehensive mapping from the acquisition of raw materials or the development of the initial intellectual property and trace the processes all the way through the delivery of the final products to the customers. This is often the most difficult part of the assessment and can appear overwhelming at first.

If the supply chain map is too large or complex to tackle in total, you can break the flow into logical parts for assessment. There are often points in the flow that serve as natural breaks, such as material or product hand-offs to different vendors, unique manufacturing processes, or movement of goods or information via traditional transportation modes or information technology networks.

There are a number of risk assessment methodologies in use by businesses and governments. Any methodology with which the organization is comfortable can typically be applied to the supply chain risk assessment.

Essentially, risk assessment methodologies all have a similar goal. That is, to identify the likelihood that an asset will be lost or compromised, and if that occurs, to identify the impact suffered by the organization.

To successfully conduct the risk assessment, it is necessary to understand the reasons that an asset could be vulnerable, the types of threats to the asset, who is threatening the asset, the probability that the threat will be successful and the value of the asset to the organization.

Application of these factors to the various supply chain elements and the flow of materials or information through the chain will allow you to identify and prioritize concerns. The assessment will also highlight where the continuity of the supply chain could be compromised from different hazards, such as a natural disaster, geopolitical upheaval or the scarcity of raw materials.

The ultimate goal of the assessment is to provide business leaders with a decision-making framework. Understanding what the business stands to lose when facing likely loss scenarios allows leaders to invest an appropriate level of resources to mitigate the potential loss.

Risk Mitigation

The organization can consider many ways to lower the supply chain risk and improve the chances that a business will successfully deliver to its customers what it promised. The universe of potential actions includes, but is not limited to, ensuring that there has been an effective due diligence process applied to crucial business partners or vendors; that contracts and purchase orders appropriately define expectations for quality, timeliness, cybersecurity protections and business continuity measures; that manufacturing facilities, warehouses, transportation modes and distribution channels have effective physical security countermeasures; and that threats from “trusted insiders” are understood and addressed.

Businesses can also engage in procurement practices such as “blind buys” to lower the risk of supply chain compromises. When conducting a blind buy, the supplier has no idea who is purchasing the materials and has no incentive to compromise them. These types of measures are only necessary in high-security contracting environments and typically are used to protect against nation-state adversaries or other sophisticated threat actors. Mitigating supply chain risk in high-security environments, such as with U.S. government contractors, can be particularly challenging.

The alleged compromise of Supermicro server components publicized in fall 2018 is an excellent example of a potential vulnerability that is beyond the capability of most businesses to mitigate. Efforts are underway to utilize various technologies such as blockchain to improve security within the supply chain.

There are also process-related and regulatory approaches to managing supply chain risk, such as the Customs-Trade Partnership Against Terrorism (CTPAT) and corollaries within other countries, including the authorized economic operator (AEO) schema. Both CTPAT and AEO serve as public-private partnerships between governments and the international trade community. Through collaboration, the international supply chain is strengthened, and security processing time is reduced at ports of entry.

Conclusion

A chain is only as strong as its weakest link. The same is true for the supply chain. Effective management of supply chain risk requires constant evaluation and vigilance.”

https://worldview.stratfor.com/horizons/managing-supply-chain-risks

Supply Chain Security: The Subcontractor Risk

“DEFENSE SYSTEMS”

“Vendors that don’t fully understand federal cybersecurity contracting standards along with the inability of large defense contractors to monitor into their own supply chains have led to widespread targeting and theft of U.S. economic and national security secrets by nation-state hackers, industry experts told Congress.”

_____________________________________________________________________________

“Less than 60 percent of small and medium-sized defense contractors responding to a survey conducted by the National Defense Industrial Association said they read the Defense Federal Acquisition Regulation Supplement (DFARS) that lays out minimum security standards for contractor information systems. Nearly half of those who did said they found it hard to understand. About 45 percent of respondents hadn’t read National Institute of Standards and Technology guidelines for protecting controlled unclassified information.

The research found that many small and mid-sized contractors tend to have “uneven awareness of cybersecurity risks and prevention” and are more likely to view requirements as just another regulatory box to check to win government business. There is also a perception of uneven enforcement of DFARS regulations, with complaints that poor metrics for measuring compliance do not do enough to reward companies that align their practices to DFARS over those that don’t.

Christopher Peters, CEO of the Lucrum Group and co-author on the NDIA report, told lawmakers at a March 26 Senate Armed Services Committee that while large defense contractors typically have “robust” security measures in place, the smaller and medium-sized companies with whom they subcontract do not, making them “prime targets” for nation states. This is particularly true when it comes to industrial control systems and software that run machinery on the plant or shop floor.

“Manufacturers have to have confidence that their investments in cybersecurity are going to meet DOD requirements,” Peters told the committee. “Large manufacturers also need a means to quickly and cost effectively assess the cybersecurity readiness of each manufacturer in their supply chains. That requires the establishment of meaningful metrics that can be readily certified, whether by a customer, the government or an independent third party.”

The big five defense contractors — Boeing, General Dynamics, Lockheed Martin, Northrop Grumman and Raytheon — frequently subcontract out portions of their work to smaller firms, who in turn subcontract further with other entities. At a certain point, prime contractors lose visibility into who their third-, fourth- or fifth-tier subcontractors are, a challenge that the Office of the Director of National Intelligence has encountered while examining supply chain security threats.

Michael MacKay, CTO for defense contractor Progeny Systems, told the committee there were a variety of reasons for that lack of visibility, ranging from a reluctance of prime contractors to lay out the details behind their proprietary supply-chain business strategies to a lack of transparency inherent in a contracting field that is often fluid and opaque.

“If I hand a document over to somebody to create a part, then I have to make — I have to ask them how they are going to manage that document and who they are going to give it to,” said MacKay. “They could lie to me … they could say, yes, we’re going to do this and at that last minute, hand it off to somebody that came in at a lower bid and not tell me.”

Policymakers have long fretted over the potential for adversarial nations to steal U.S. secrets by targeting contractors. However, two incidents over the past year have spurred greater urgency around the topic: reports that in 2018, Chinese hackers stole “massive” amounts of sensitive data from the unclassified networks of a contractor working for the Naval Undersea Warfare Center, and a 2019 internal review by the Navy that found Chinese hackers were pilfering so much intellectual property and classified secrets from the defense industrial base that it was “materially eroding” U.S. economic and military advantages.

Sen. Joe Manchin (D-W.Va.) called the lack of visibility down the supply chain “absolutely unbelievable” and said Congress needed to rewrite contracting standards to ensure subcontractors are held to the same security requirements as primes.

“Somebody has to be held accountable,” Manchin said. “A blind person can follow this. We wonder why we’ve been hacked so much, why they’ve copied everything? You all just explained it. There’s no checks and balances. … It looks like to me that we’re … protecting a business model more than we are the security of our country.”

https://defensesystems.com/articles/2019/04/03/supply-chain-threats.aspx?s=ds_040419

Supply Chain Must Deliver Uncompromised Systems

Image: Mitre Corp

“NATIONAL DEFENSE MAGAZINE”

“Deliver Uncompromised?” It is a strategy to improve cyber and supply chain security of the Defense Department and intelligence community. 

It involves suggested courses of action that quantify risk, dismantle intra- and inter-government information silos, and prioritize threat mitigation.”


“Warfare is no longer limited to either the physical or digital theater. Instead, adversaries ranging from script kiddies to nation-state sponsored advanced persistent threats have evolved to simultaneously launch asymmetric attack campaigns along digital, kinetic and hybrid vectors to undermine democracy, challenge moral values, alter public perceptions, compromise critical infrastructure, steal valuable intellectual property and exfiltrate sensitive information.

These malicious campaigns are achieved predominately through the exploitation of existing vulnerabilities in vendor supplied hardware systems and software applications that were not developed with security at each stage of the developmental lifecycle, or that were not adequately penetration tested before release.

This failure to secure the supply chain is perhaps one of the greatest national security threats facing the nation today. The public and private sectors can no longer afford to support negligent vendors that fail to develop their offerings with layered inherent security before release. The “deploy now, patch later” culture of the vendor market shifts risk and liability onto buyers and results in significant resource waste and harm to organizations and average consumers alike.

Past attempts to adopt security-by-design have been hobbled by the opportunity loss resulting from the rush-to-market created by this ubiquitous culture. Leadership is needed to impose an incentive or penalty enough to incite a shift in vendor behavior. The “deliver uncompromised” proposal under consideration by the Pentagon offers short-term, mid-range and long-term courses of action designed to improve national security by enhancing supply chain security in the defense industrial base.

“Deliver uncompromised” places emphasis on the security of systems, data, communications, supply chain and information in general, regardless of medium or vehicle. In effect, contract deliverables must be provided in a state that is uncompromised by hacking, the inappropriate sharing of data, or contamination of the data throughout the entirety of the product lifecycle.

“Deliver uncompromised” establishes security as a fourth pillar in defense acquisition and incentivizes the defense industrial base to embrace security as a major factor in their competitiveness for U.S. government business rather than as a cost burden. Market leaders, whose every decision is emulated by lower-tier firms, depend on public sector contracts. Consequently, if adopted, “deliver uncompromised” will empower the Pentagon to leverage powerful market forces to incentivize comprehensive and lasting security reform within leading vendor operations, which will have a cascading effect on lower-tier firms which exist within the defense acquisition ecosystem.

The proposal suggests that to protect national security and to improve the cybersecurity and resiliency of critical infrastructure systems, defense contracts should be awarded based on security assessments in addition to cost, performance and schedule. The initiative integrates foundational concepts of risk management and security-by-design into the acquisition process. The strategy ensures mission resilience by instituting a deliberate, inherent elevation of integrated risk management from concept through the retirement of a project within the department and its contracting base. And it directly addresses its need to secure that innovation from compromise.

Delivering uncompromised software systems is not hard, said Rob Roy, an Institute for Critical Infrastructure Technology fellow and chief technology officer at Micro Focus Government Solutions.

“There are many ways to accomplish this goal. It requires an established and well documented process, effective policy, tools and training. What makes it difficult is when providers are told how to do it, rather than specifying an objective outcome,” Roy said.

MITRE’s proposal suggests 15 courses of action that range from increased security and cyber-hygiene awareness to elevating security as a deterministic metric in the acquisition process to advocating for litigation reform and liability protections to increasing supply chain security at the national level.

By adopting “deliver uncompromised,” the Defense Department will send a clear message to its suppliers that including security-by-design and operational continuity measures in vendor solutions is expected in future products; else, contracts, deals and business will be ceded to firms that are willing to adapt to the realities of the evolving threat landscape and include inherent security at each layer of their product lifecycle. By adopting the strategy, the department will define, shape and standardize the responsible conduct of its suppliers.

Since many market leaders and innovators rely on public sector contracts, the potential impact of the campaign derives from the significant influence that the Defense Department and intelligence community have over market leaders in the defense industrial base.

Incentivizing proactive action through rewards has proven as ineffective as threatening punishments. “Deliver uncompromised” proffers a realistic compromise. MITRE’s proposal prevents prime and subcontractors who are not compliant with security standards from winning acquisition contracts in the first place. With “deliver uncompromised,” the department is in effect forcing contractors to elevate cybersecurity to a requirement of doing business versus a cost of doing business.

Further, because contractors are responsible for any subcontractors they utilize, the onus of assessing the security of each subcontractor falls onto contractors because their ability to conduct business with the department is at stake.

While “deliver uncompromised” is designed to impact the defense industrial base, it may also be the spark that will change supply chain practices across multiple critical infrastructure sectors.

Practically speaking, the defense industrial base is so massive that requirements for higher standards will certainly impact organizations who have a foot in multiple sectors.

It is almost inconceivable to imagine that once an organization is forced to improve its cyber hygiene and development practices for its defense clients, it would not extend those practices to clients in other sectors. Furthermore, the fact that the largest buyer on the planet is articulating, vocally and through its checkbook, that the pervasive culture of “deploy now, patch later” is unacceptable and will no longer be tolerated will no doubt have a ripple effect that will inspire other sector leaders to follow suit accordingly.

Change is inevitable, but stakeholders can accelerate improved security. The foundational change promised by “deliver uncompromised” is on the horizon, whether or not the specific tenets of the proposal are adopted. The concept has been considered for over a decade and has recently been a recurring mantra in the national security community. Executives are beginning to expect supply chain security from their suppliers.

Responsible buyers can help accelerate adoption of the proposal in part or whole by demanding layered security according to NIST SP 800-160 throughout the development lifecycle from their suppliers. Firms can also internally improve their security by quantifying risk through comprehensive and iterative assessments and by clearly defining security-relevant roles, responsibilities and expectations of their stakeholders.

Meanwhile, vendors can ensure that their internal operations and offerings are at least compliant with industry standard frameworks such as NIST SP 800-53, NIST SP 800-160 and NIST SP 800-171, upon which “deliver uncompromised” frameworks and legislation are likely to be based. By helping to promote the adoption of “deliver uncompromised” initiatives, compliant vendors will actually increase their market shares by imposing a significant penalty on any noncompliant competitors.

Finally, its adoption ultimately depends on the funding and support of the legislative community.

“For years, legislators have analyzed the problem and asked for numerous reports on the problem. We have analyzed the problem for over 10 years. It’s time to turn the findings into a funded program that can build, maintain and retire uncompromised systems,” said Roy. Voters, advocacy groups, publications, legislators and other stakeholders can greatly increase the chance the United States can leverage “deliver uncompromised” to improve national security and protect critical infrastructure by helping to raise awareness and support for the proposal.

Adoption of the concept is needed because the current market favors lackadaisical security. A pervasive culture of software insecurity has normalized due to developers’ focus on speed-to-market versus product security.

Incentives to develop products that are inherently secure are not powerful enough to curb negative behaviors. In fact, firms are often rewarded with lucrative contracts and exclusive deals for rapidly developing and deploying flawed solutions driven by the demands of the buyer.

The “deliver uncompromised” initiative imposes security requirements and financial disincentives sufficient to deter the release of known flawed hardware and software. By linking Defense Department acquisition decisions to inherent security, the Pentagon can inspire a pervasive culture of security consciousness among vendors in the defense industrial base who will no longer view security as simply a cost of doing business.

A product’s inability to be compromised by persistent digital threats will become a market differentiator that distinguishes dependable and innovative vendors from faux experts and unreliable third parties. In the long term, “deliver uncompromised” has the potential to improve supply chain security practices in other sectors who can learn from the recommendations gleaned from the original MITRE report and how it is being implemented throughout the defense industrial base.”

http://www.nationaldefensemagazine.org/articles/2018/12/5/viewpoint-supply-chain-must-deliver-uncompromised-systems