Reports last year that Chinese spies had placed illicit microchips on the motherboards of servers sold by a company that worked with U.S. intelligence agencies and the military and spread concern through the federal IT community.
Though the computer company and its customers all denied the report, it sparked a new interest in supply chain security, especially at the Defense Department.
The DOD is considering new steps to help lower-tier suppliers tighten their cybersecurity and may even begin spot checks to make sure that suppliers are meeting security regulations that apply to defense vendors and their subcontractors.
“If you look at what it takes today to do good cyber-hygiene to stay ahead of the adversary, we know many of the second- and third- or fourth-tier supply base simply doesn’t have the wherewithal to do that,” DOD CIO Dana Deasy told the Senate Armed Services Committee in January, according to FedScoop.
Controlling the DOD supply chain will be a major undertaking. The Pentagon contracts with thousands of companies, which subcontract out some of their work as well. Lockheed Martin — the DOD’s largest contractor, according to 24/7 Wall St. — has 16,000 different suppliers of its own.
The defense industry “is very tiered,” said Mike Gordon, Lockheed’s deputy CISO and chairman of the Defense Industrial Base Sector Coordinating Council, Fifth Domain reports. The DOD does not always have direct contracts with its Tier-1 suppliers’ suppliers, which often don’t want to share information with each other, he added, so “Tier 1 doesn’t necessarily know who in Tier 4 is working on a particular program, and the government does not necessarily know that either.”
Security for Small Contractors Remains a Challenge
The major supply chain risks facing all federal agencies, according to a 2018 report by the Government Accountability Office, include:
- Harmful hardware or software, whether intentionally installed or counterfeit
- Failure to manufacture or distribute critical products, or disrupting manufacturing and distribution
- Reliance on malicious or unqualified service providers for technical services
- Hardware or software containing unintentional vulnerabilities, such as defective code
The DOD’s supply chain management abilities have actually been on the GAO’s High Risk List since 1990. After the 2017 report, however, the DOD improved enough that supply chain management was taken off the list this year.
“DOD made key improvements, such as reducing on-order excess inventory by about $600 million and addressing each of our high-risk criteria, resulting in demonstrable and sustained improvements,” the 2019 report says.
Yet supply chain security for the smaller contractors remains a challenge. According to FCW, fewer than 60 percent of small and medium-sized defense contractors responding to a survey conducted by the National Defense Industrial Association had read the Defense Federal Acquisition Regulation Supplement, which provides minimum security standards.
“Nearly half of those who did said they found it hard to understand,” FCW reports.
Pentagon Task Force Plans New Certifications for Contractors
This is a critical issue because the largest defense contractors — which include Boeing, General Dynamics, Lockheed Martin, Northrop Grumman and Raytheon in addition to Lockheed — subcontract some of their work to smaller companies that then send some of that work to another set of companies, FCW reports. The DOD admits that it’s difficult to keep track of the supply chain under those circumstances.
A new Pentagon task force is reexamining the DOD’s relationships with suppliers, encouraging subcontractors to conduct a cybersecurity self-certification that the agency can rely on, creating a “closed-loop system where we can go out and validate what it is they sell us assessed against,” Deasy said, according to FedScoop. “This problem is not necessarily a Tier-1 supply level.”
The DOD and its major contractors also recognize the need to deliver a clearer message about cybersecurity practices to smaller and nontraditional DOD suppliers (those who do not specialize in selling to the military and may lack the experience to meet tough DOD cybersecurity standards), increasing the amount of education around cyber policies.
“A first step is communicating and spreading awareness to the supplier base that cybersecurity is both a national and economic security issue within the supply chain,” says John DeSimone, vice president of cybersecurity and special missions at Raytheon Intelligence, Information and Services.
Big Contractors Boost Supply Chain Security Awareness
Raytheon, which regularly assesses its suppliers for security issues, focuses on those at the greatest risk, “assessing their environment and providing recommendations for how to build an efficient, affordable and DOD-compliant security posture,” DeSimone says. In some cases, the company uses its own personnel to help suppliers develop better security, he adds.
The DIB SCC is developing methods to assess a supplier’s ability to protect controlled unclassified information, as well as a model for assisting small and midsized suppliers develop and deploy cyber programs that protect CUI within the supply chain, Gordon says.
“The most significant challenge to small suppliers is that they have limited resources, thus the cost and complexity of deploying and maintaining cyber capabilities must be lowered,” he says.
To address this challenge, the task force is exploring new detection capabilities for smaller companies, the selective use of cloud technologies to provide affordable cyber protection and selective implementation of digital rights management, Gordon says.
DRM embeds code in digital assets that prevents copying, specifies the time period within which the content can be accessed and limits the number of devices that can use the media.
Technologies such as artificial intelligence and predictive analytics could also be employed in a spot-check strategy, since these technologies can perform risk assessments across the supply chain and flag the most critical suppliers and hot spots for review.
“We need to ensure that our partners are establishing resiliency across their hardware and software systems,” says DeSimone. “Securing the DOD supply chain is a national security imperative that requires collaboration and partnership with the DOD, our suppliers and our competitors.”