Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of WarAugust 2018
Topics: Government Acquisition, Acquisition Management, Cybersecurity, Information Security, Contracts and Contracting, Electronics Manufacturing, National Security
Today, various parts of the Department of Defense (DoD) and the Intelligence Community (IC) are generally aware of cyber and supply chain threats, but intra- and inter-government actions and knowledge are not fully coordinated or shared. Few if any holistically consider the entire blended operations space from a counter-intelligence perspective and act on it. Risk quantification and mitigation, as a mission, receive insufficient resources and prioritization. Too little attention is directed toward protection of operational security or software assurance. There is no consensus on roles, responsibilities, authorities, and accountability. Responsibilities concerning threat information are "siloed" in ways that frustrate and delay fully informed and decisive action, isolating decision makers and mission owners from timely warning and opportunity to act.
Improved cyber and supply chain security requires a combination of actions on the part of the Department and the companies with which it does business. Through the acquisition process, DoD can influence and shape the conduct of its suppliers. It can define requirements to incorporate new security measures, reward superior security measures in the source selection process, include contract terms that impose security obligations, and use contractual oversight to monitor contractor accomplishments.
This report examines options that span legislation and regulation, policy and administration, acquisition and oversight, programs and technology. Actions are presented for the near, medium, and long terms—recognizing the need for immediate action coupled with a long-term commitment and strategy. Cyber and supply chain vulnerability extends well beyond DoD, across government and into the private sector. Nonetheless, DoD has potentially decisive influence in this space. Beyond DoD, actions in the legislative domain are critical, as our adversaries are actively exploiting seams and shortcomings in areas such as information sharing, threat detection, and acquisition transparency. Building effective deterrence to asymmetric threats will require time and deliberate planning.