A Complexity Layer Added by DoDI 5000.90

American manufacturers have adopted Just-in-Time (JIT) inventory management to minimize inventory carrying and handling costs. While this had been a successful strategy, it has now become an “Achilles’ heel” for products requiring microchips and for other products. Due to COVID-19, many manufacturers reduced their demand signal to chip makers to avoid carrying inventory. As manufacturing is starting to resume, demand is far outpacing the supply – but this problem was developing prior to COVID-19.

The need for microchips has been growing exponentially due to their inclusion in products that 20 years ago did not require them. The cost to build new factories, the cost of production, and the cost of labor have shifted most manufacturing offshore. This has led to an increased threat of counterfeit or recycled microchips being introduced into the supply chain. Given the need to meet increasing demand and the cost premium companies are willing to pay to meet production schedules, counterfeit chips could be used to meet demand.

Mitigating supply chain risks

On December 28, 2020, the Department of Defense (DoD) released DoD Instruction 5000.90, Cybersecurity Acquisition Decision Authorities and Program Managers. This new instruction provides procedures for the mitigation of cybersecurity risks in its supply chain. It requires program managers to take additional steps to identify the source of supply, to verify foreign ownership, and to identify whether a contractor or a supplier is owned or controlled by a foreign adversary government. In turn, program managers need to verify that the microchips embedded in their components meet the requirements of 5000.90.

This alone is going to add a layer of complexity for program managers and system integrators in the management of their supply chain. Performing this level of validation down to the microchip level is a labor-intensive and time-consuming activity, and it will be ongoing. As upgrades and reset actions introduce new versions of COTS equipment, the validation activities will need to be completed for each new component. Improved supply chain illumination, which shines a spotlight on the products and components that do not meet the threshold of supply chain security and resiliency, needs to be automated. This will not only reduce the risk to a program’s supply chain, but will also reduce the labor requirements and overall program development and sustainment costs.

A smarter supply chain

Recent advances in technology have enabled a more holistic approach to supply chain illumination. In just the last couple of years, these advances have enabled queries to be run on comprehensive, connected structured and unstructured data, with graphs of links and nodes available to help answer questions and reveal new insights.

Utilizing this kind of technology and data can help an organization focus on the key drivers, including:

  • Real-time threat and vulnerability exploitation analyses
  • Selection and implementation of trusted security controls
  • Implementation of procurement and acquisition processes
  • Ongoing assessments of supplier transparency and their own management efforts

An example of this advanced technology is ChainShield. It enables both government and commercial clients to analyze and mitigate the risks to their supply chains by illuminating individual pieces of the chain down to the microchip.

There are real and evolving challenges that government agencies face when considering the security of their supply chains. It’s of utmost importance that agencies have complete real-time visibility into the most collaborative parts of their supply chains so they can identify changes and new risks as they arise. If you’d like more information on how NS2 or ChainShield can prevent attacks in your agency’s supply chain, contact us today!

Gary Celli

Senior Delivery Executive, SAP NS2