DoD CIO ICT-SCRM

Information & Communications Technology Supply Chain Risk Management

Introduction

The Department of Defense uses computer hardware, firmware and software in almost every aspect of its mission. This usage continues to expand as technology improves and the research and development community identifies new ways in which technology can improve the lethality of the military while also helping to support the Soldiers, Sailors, Airmen, and Marines. Very few of these systems are built from the ground up for a specific military purpose. Even where the overall system is built by or for the government, it is often constructed from commercially procured parts. The further a system is from the battlefield, the more its computer technology resembles that used by industry and governments across the globe. Laptops, desktops and government-operated servers all use “Commercial, Off-the-Shelf Technologies” (COTS). DoD and Federal agency partners are also supported by commercial cloud providers, including commercial cloud solutions implemented on classified networks.

Cyber security professionals will tell you that “If the adversary becomes your supply chain, you can’t defend it.” This is the reason DoD spends time and money on cyber security training, scanning of machines, and numerous other efforts to keep malicious actors from gaining access and “owning” your computer. There are locks on the doors, security checkpoints at the entrance to the post/camp/station where your office is, standard configuration guides, and numerous other practices – all with the intention of keeping DoD’s data safe. As DoD and its partners become smarter about how to operate in a safe and secure manner, people who wish to do bad things search for innovative ways to bypass all those safeguards to achieve their purpose. One demonstrated, effective action of our adversaries is to infect the hardware, firmware or software before it comes into the possession of the DoD. The “Supply Chain” for parts, software, and whole systems can be a source of a security breach.