Supply Chain Risk Management
Definition: Supply Chain Risk Management (SCRM) is a discipline that addresses the threats and vulnerabilities of commercially acquired information and communications technologies within and used by government information and weapon systems. Through SCRM, systems engineers can minimize the risk to systems and their components obtained from sources that are not trusted or identifiable as well as those that provide inferior material or parts.
Keywords: advanced cyber threat, configuration management, emerging threat, materiel, program protection plan, risk management, supply chain, systems engineering process
MITRE SE Roles & Expectations: The expansion of the global economy, increased use of outsourcing, and development of open standards are some of the modern day factors that present new challenges to the security of government systems. These factors have resulted in emerging threats and have made protection of the supply chain increasingly difficult. All MITRE systems engineers must understand these emerging threats and why SCRM is necessary to ensure the protection and viability of all government systems.
Why SCRM Is Important
National Security Presidential Directive 54/Homeland Security Presidential Directive 23 and Section 254 of the Duncan Hunter National Defense Authorization Act for Fiscal Year 2009 have made SCRM a national priority [2, 3]. In accordance, the Department of Defense (DoD), Department of Homeland Security, and other departments have begun to review and refine their SCRM practices and procedures. The goal of one of the Comprehensive National Cybersecurity Initiative (CNCI) efforts is to provide the U.S. government with a robust toolset of supply chain assurance defense-in-breadth and defense-in-depth methods and techniques. The CNCI effort conducted a pilot program and produced a Key Practices Guide to provide systems engineers with key practices that can help manage supply chain risk. All MITRE systems engineers should become familiar with ongoing efforts within their sponsor's organization and with materials like the Key Practices Guide. A summary of best practices is contained below.
Supply Chain Analysis
To determine the applicability of SCRM to a MITRE systems engineering project or initiative, the MITRE engineer must understand supply chain materiel management processes, the emerging threat, and the current supply chain challenges. This background will assist the engineer in assessing which systems, components, software, organizational processes, and workforce issues have vulnerabilities or weaknesses that can be exploited.
The term "supply chain" has different meanings to commercial, government, and military entities. The military has extensive processes for structuring supplies (materiel management) to their units and organizations (refer to DoD 4140.1-R). Historically, the DoD has assessed the logistical tail of the supply chain by focusing on the distribution and shipment of equipment, but this does not address the complete "chain." To address the emerging threat, the "supply chain" analysis must address all parts and components of a system early in the program, including firmware and software. It must also analyze the impact of people, purchase of substitute parts, and automated processes (e.g., software patching) on the supply chain processes.
Therefore, an accurate SCRM assessment includes an evaluation of the origin of the materiel, how it is distributed, and the government decision-making process in the selection of the product. The MITRE systems engineer role is to ensure that the systems engineering process is applied to all components and parts of a system throughout their life cycle.
A systems engineer should be prepared to apply SCRM at any point of a system's life; it is never too late nor too early in a system life for a systems engineer to incorporate the SCRM process. SCRM is currently being applied to materiel supply during the logistic phases, but a more effective systems engineering process should include addressing SCRM as early in the program as possible.
The DoD CNCI SCRM pilot program produced an implementation guide that offers detailed suggestions on how and when SCRM should be integrated into the life cycle of a system. This guide was developed to assist systems engineers and explains how they can incorporate SCRM prior to design and throughout the system's life. A summary of some key steps identified in the guide that a MITRE systems engineer should understand includes:
- Determine system criticality.
- Determine the supply chain threat.
- Select build versus buy.
- Select SCRM key practices and determine sufficiency.
- Understand the Risk Management Plan adopted by the government efforts they support.
- Understand the likelihood and the consequence of insufficient SCRM practices.
Systems Engineering and SCRM
The core systems engineering process used to protect the supply chain is risk management (refer to the topic on Risk Management within the Acquisition Systems Engineering section of the guide). Pilot programs that have been selected by the DoD to help refine SCRM policy are using the Information and Communication Technology Supplier Risk Management Process. The concept of operations for the DoD Comprehensive National Cybersecurity Initiative Supply Chain Risk Management Pilot Program describes this process.
While risk management establishes the core for an effective SCRM process, a systems engineer should also understand the relationship of other systems engineering disciplines and processes to SCRM. Standard program documentation addressing software engineering practices and procedures should state how those practices support the SCRM process. Another process that supports the protection of the supply chain is configuration management. Through configuration control and management, the systems engineer can ensure that the system's baseline is tightly controlled and that any changes to it are made with appropriate systems engineering rigor and review (refer to the topic on Configuration Management within the Acquisition Systems Engineering section of the guide).
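One concrete form of the configuration control described above is to keep a manifest of the approved baseline (a hash of every firmware and software component) and compare each delivery against it before acceptance, so that a substituted part or an out-of-process patch surfaces as a baseline change that must go through review. The following is an added example written for this page, not code from the MITRE guide or the CNCI pilot program; the manifest format, component names and component contents are constructed for illustration.

```python
"""Baseline verification for a configuration-controlled component set.

Added illustration (not from the MITRE guide): a delivered build is compared
against an approved baseline manifest of component hashes. Anything added,
removed, or modified relative to the baseline is reported so it can go through
change review before acceptance into inventory. Component names and contents
below are constructed sample data.
"""
from __future__ import annotations

import hashlib
import json


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of a component's bytes, as lowercase hex."""
    return hashlib.sha256(data).hexdigest()


def build_manifest(components: dict[str, bytes]) -> dict[str, str]:
    """Map each component name to the SHA-256 of its bytes.

    Run once over the reviewed build to produce the approved baseline; the
    resulting dict is what would be placed under configuration control.
    """
    return {name: sha256_hex(blob) for name, blob in components.items()}


def verify_delivery(baseline: dict[str, str],
                    delivered: dict[str, bytes]) -> dict[str, list[str]]:
    """Compare a delivered component set against the approved baseline.

    Returns the components that are missing from the delivery, unexpected
    (present but not in the baseline, e.g. a substituted part), or modified
    (present under the same name but with a different hash, e.g. an
    out-of-process patch). All three lists empty means the delivery matches
    the controlled baseline exactly.
    """
    delivered_hashes = build_manifest(delivered)
    missing = sorted(n for n in baseline if n not in delivered_hashes)
    unexpected = sorted(n for n in delivered_hashes if n not in baseline)
    modified = sorted(n for n in baseline
                      if n in delivered_hashes and delivered_hashes[n] != baseline[n])
    return {"missing": missing, "unexpected": unexpected, "modified": modified}


def acceptable(report: dict[str, list[str]]) -> bool:
    """True only when no deviation from the baseline was found."""
    return not any(report.values())


# Constructed sample: the reviewed build that became the approved baseline.
APPROVED_COMPONENTS = {
    "fw/bootloader.bin": b"bootloader v1.2 (constructed sample bytes)",
    "fw/app.bin": b"application image v3.0 (constructed sample bytes)",
    "sw/libcrypto.so": b"crypto library 1.1.1 (constructed sample bytes)",
}
BASELINE = build_manifest(APPROVED_COMPONENTS)

# Constructed sample: a later delivery in which the application image was
# patched outside the change process and a library was substituted.
DELIVERED_COMPONENTS = {
    "fw/bootloader.bin": b"bootloader v1.2 (constructed sample bytes)",
    "fw/app.bin": b"application image v3.0-hotfix (constructed sample bytes)",
    "sw/libssl.so": b"replacement tls library (constructed sample bytes)",
}

if __name__ == "__main__":
    report = verify_delivery(BASELINE, DELIVERED_COMPONENTS)
    print(json.dumps(report, indent=2))
    print("ACCEPT" if acceptable(report) else "HOLD FOR CHANGE REVIEW")
```

The baseline manifest itself must be protected (signed or stored under configuration control), otherwise an attacker who can alter a component can alter the manifest to match; the comparison above only tells you that the delivery differs from whatever baseline you trust.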
Systems engineers should ensure that acquisition, sustainment, disposal, and other program documentation are properly updated to include SCRM. At a minimum, the following kinds of documents should incorporate the SCRM process and findings: Program Protection Plan, Systems Engineering Plans/Procedures, and Life Cycle Management Plans. In addition, systems engineers should work closely with contracts and legal staff to verify that SCRM is included as part of the acquisition documentation, source selection criteria, and contractual clauses. The systems engineer should also ensure that the SCRM practices are included as part of the sustainment documentation, supplier selection criteria, purchasing clauses, incoming inspection, quality verification testing, acceptance for inventory, and disposal processes.
References & Resources
- Mirsky, A., May 4, 2009, Supply Chain Risk Management (SCRM).
- National Security Presidential Directive 54/Homeland Security Presidential Directive 23, January 8, 2008, National Cyber Security Initiative, paragraph 45.
- Extract from Public Law 110-417, October 14, 2008, "Duncan Hunter NDAA for Fiscal Year 2009."
- Office of the Deputy Under Secretary of Defense for Logistics and Materiel Readiness, May 23, 2003, DoD 4140.1-R DoD Supply Chain Materiel Management Regulation.
- SCRM PMO Globalization Task Force OASD(NII)-CIO/ODASD(IIA), April 24, 2009, Concept of Operations for the DoD Comprehensive National Cybersecurity Initiative Supply Chain Risk Management Pilot Program, Version 2.0.
- National Defense Industrial Association System Assurance Committee, October 2008, Engineering for System Assurance, Version 1.0.