Supply Chain Risk Management (SCRM) is the process of assessing and mitigating the risk of vulnerabilities within the acquisition supply chain from being exploited. Within the Federal Government, specifically, supply chains may be targeted by foreign military/intelligence, corporations, terrorists or criminal organizations seeking any information that could weaken the United States' economic and national security. Information targeted could include, but not limited to:
- Classified Information
- Controlled Unclassified Information
- Trade Secrets
- Research & Development, etc.
How Is The Government Applying SCRM?
FAI offers a helpful video describing SCRM in relation to the Federal Government. This video urges Government Employees to focus on two major components to strengthen their agencies against potential supply chain exploitation:
- Involve procurement & acquisition teams into their integrated defense system
- Ensure due diligence in assessing supply chain risk when procuring products or services
The first recommendation refers to the team of government officials that investigate and respond to potential or active threats against their agency. In most cases, this team involves representatives from their security, information assurance and insider threat teams but they do not include members of their acquisition teams. This model leaves a gapping hole in the defense assessment because it fails to investigate potential threats coming through the products or services in use. Agencies, therefore, should include acquisition into their integrated defense system.
While, the scenario above addresses how to investigate a potential supply chain exploit once it has occurred, the second component focuses on preventing such products or services from coming into the agency to begin with. An agency's acquisition and procurement team needs to be mindful in the types of products and services they are procuring and the various threats they could potentially bring into the agency.
Government-Wide Supply Chain Risk Management Guidance
"Many federal departments and agencies have limited [Cyber Supply Chain Risk Management] C-SCRM capabilities, resources, governance, guidance, and training; especially in acquisition of information and communications technology (ICT). Executive Order #14028, “Improving the Nation’s Cybersecurity,” mandates enhanced C-SCRM contracting requirements and guidance that holds vendors accountable for assessing the risk of their supply channels, particularly in the area of embedded software.
GSA Kicks Off Government-Wide Cyber Supply Chain Risk Management Acquisition Community of Practice
While supply chain risks are by no means limited to only cyber attacks, this statement reflects the importance the U.S. Government places on enhanced SCRM. While, the requirements for enhanced SCRM contracting efforts are not set in stone, agencies need to be planning for such mandates. The government offers a few pieces of guidance to help agencies build their Supply Chain Risk Management Plans, including:
- NIST's Cybersecurity Supply Chain Risk Management
- DoD's Supply Chain Material Management Policy
- NCSC's Supply Chain and Cyber Directorate (SCD) Resources
- Federal Acquisition Supply Chain Security Act of 2018,
- Executive Order on America’s Supply Chains
- National Counterintelligence Strategy of the United States 2020-2022's focus to Reduce Threats to Key U.S. Supply Chains.
Government Contractors & Supply Chain Risk Management
If the above policies, resources, EOs, and directorates are any indication, all organizations that do business with the Federal Government need to be assessing and mitigating their own supply chain risks sooner rather than later. As you investigate your own supply chain, you need to continually be examining:
- The potential threats to your supply chain
- Your unique vulnerability to those threats
- The likelihood of an attack on your vulnerabilities
- The potential impact such an attack would have on your and your customers' businesses
What Changes May Occur In The Procurement Process?
As agencies continue to emphasize SCRM efforts, you can expect the procurement process to start incorporating more specific risk mitigation questions. As a contractor, you need to be prepared to answer questions such as:
- Who are your strategic partners and subcontractors?
- Who are you purchasing parts and services from?
- Are any of the organizations you do business with associated with organizations deemed as adversarial or competitive with the United States?
Additionally, you will likely need to provide insight into your own supply chain risk management efforts.
One thing to keep in mind, these questions do not mean that the Federal Customer expects solutions that hardened against every potential threat (not possible) but they do expect to do business with organizations that understand the potential risk they are exposed to and are passing along to the Government through their products or services. They also expect these customers are consistently reviewing their threat landscape and looking for ways to reduce their risk.
How To Start Examining Your Supply Chain Risk
As an IT product company it is important that you are examining every aspect of your supply chain and understanding your vulnerability exposure. Some questions to start with include:
- Where are the chips sets manufactured?
- Where are those product assembled?
- Who developed the Basic Input/Output System?
- Who is developing the operating systems?
- Who are their strategic partners and subcontractors?
- Are they associated with organizations that are competitive or adversarial with the U.S.A.?
- How do they manage their own supply chain risks?
This is by no means a comprehensive list, but it can get you started. Ultimately, the government needs to know if there could be an adversary to compromise the integrity of the products or components of those IT products being delivered and added to the information network at all levels of government. Any weak link is a possible risk or vulnerability to compromise the data secured within the confines of those networks.
Remember, while you will certainly benefit by understanding and reducing your supply chain risk, the goal of SCRM in the federal space is understanding the risks your company's technology presents and how you can help safe guard the national security of the United States by working to mitigate it.
Do You Need Help Showcasing Your SCRM Efforts?
Use the form below to request your FREE Federal Sales Consultation and learn how we can help tailor your Federal Sales process to highlight your supply chain risk assessment and mitigation.