Forum Presentation - Piloting Supply Chain Risk Management

Piloting Supply Chain Risk Management Practices for

Federal Information Systems

Marianne SwansonComputer Security Division

Information Technology Laboratory

2

Agenda

Terms and BackgroundImplementing Supply Chain Risk ManagementSupply Chain Risk Management PracticesContact Information

3

Terms

Supply Chain – Set of organizations, people, activities, information, and resources for creating and moving a product/elements or service (including sub-elements) from suppliers through to an organization's customers.

Element – COTS or GOTS software, hardware and firmware and is synonymous with components, devices, products, systems, and materials.

4

Terms (continued)

Supplier – An organization that produces elements and provides them to a customer or an integrator to be integrated into the overall system; it is synonymous with vendor and manufacturer. It also applies to maintenance/disposal service providers.

Integrator – A third party organization that specializes in combining products/elements of several suppliers to produce elements (information systems.)

5

BackgroundComprehensive National Cybersecurity Initiative11: Develop Multi-Pronged Approach for Global Supply Chain Risk Management (SCRM) Provide US Government with robust toolset of supply chain methods and techniquesMulti-tiered Approach:

Cost effective procurement related strategiesIndustry input into supply chain practices and development of international standardsAbility to share supply chain threat information

6

Lifecycle Processes and Standards Working GroupDevelop guidance for civilian agencies on implementing

supply chain risk mitigation strategies.Test existing and proposed guidance during pilots in FY09 and FY10Collaborate with organizations and industry on developing supply chain standards and practices

7

Guidance

Draft NIST Inter-Agency Report (NIST IR) 7622 Piloting Supply Chain Risk Management Practices for Federal Information Systems

First Public Draft – June, 2010Final – January, 2011

Future NIST Special PublicationFirst Public Draft – June, 2011

8

Supply Chain Pilots

Department of DefenseDepartment of Homeland SecurityPiloting of guidance in NISTIR

9

Collaboration

ISO CS-1 Global Supply Chain Risk Management Ad Hoc MeetingsIT and Telecom Sector Coordinating Councils (SCCs) and Government Coordinating Councils GCCs)

10

Implementing Supply Chain Risk Management

Prerequisites for Successful SCRM ImplementationEstablish a Supply Chain Risk Management Capability (SCRMC)Roles and ResponsibilitiesSCRMC Procurement Process

11

Prerequisites for Successful SCRM Implementation

Integrate information system security requirements from inceptionEnsure funding for information security and SCRMFollow consistent, well-documented repeatable system engineering and acquisition processesProper oversight of suppliers Actively manage suppliers through Service Level Agreements/contractsFully implement the NIST 800-53 security controls

12

Establish a SCRMC

Ad-hoc or formal teamDevelop policy and procedures

When team comes togetherWho performs requirement analysis, makes risk decisions, prepares procurement related documents, and specifies any specific training requirements.

13

14

SCRMC Implementation

15

Step 1: Determine Supply Chain Risk Threshold

FIPS 199 High Impact SystemNIST Special Publication 800-53 Rev. 3 Security Control: SA-12 Supply Chain Protection

16

Step 2: Develop Requirements

Identify critical elements, processes, systems, and information across the programDetermine appropriate level of riskReview all data gathered during the pre-solicitationObtain any additional informationConsider a procurement strategyDevelop a Statement of Work (SOW)

17

Statement of Work

Detailed description of the technical, security, and SCRM requirementsPerformance measuresEvaluation criteriaMeasurement thresholds

18

Step 3: Identify Potential Suppliers

Conduct a market analysisPost a “sources sought” notificationGather information from open-sources

19

Open Sources

Central Contractor Registry (CCR)Commercial & Government Entity (CAGE)Dunn & BradstreetBusiness Identification Number Cross-reference (BINCS)

20

Step 4: Coordinate Acquisition Plan and Contract Execution

Develop an Acquisition PlanList of potential sources of suppliersDescription of how competition will be soughtDescription of various contacting considerationsStrategies for mitigating supply chain risk

Disclose any legal issuesPerform technical reviewSelect supplier

21

Step 5: Perform Continuous Monitoring

Record lessons learnedMonitor and periodically reevaluate changes in risk, suppliers, operational environment, and usage. Replacement components and maintenance should be reviewed for supply chain risk

22

Supply Chain Practices

21 varying practicesAcquirer: Programmatic and validation activities Supplier or integrator: General, technical and validation requirements

Topic areas include: ProcurementDesign/DevelopmentTestingOperationalPersonnel

23

Procurement

Maximize acquirer’s visibility into Integrators and SuppliersProtect confidentiality of element uses

24

Incorporate supply chain assurance in requirementsSelect trustworthy elementsEnable diversityIdentify and protect critical processes and elementsUse defensive design

Design/Development

25

Design/Development (continued)

Protect the supply chain environmentConfigure elements to limit access and exposureHarden supply chain delivery mechanisms

26

Manual reviewStatic analysisDynamic analysisPenetration testing

Testing

27

Protect/monitor/audit operational systemsFormalize service/maintenanceConfiguration ManagementNegotiate requirement changesManage supply chain vulnerabilitiesReduce supply chain risks during software updates and patchesSupply chain incident responseReduce supply chain risks during disposal

Operational

28

Personnel considerations in the supply chainPromote awareness, educate and train personnel on supply chain risk

Personnel

29

Contact InformationMarianne Swanson, Senior Advisor for Information System Securitymarianne.swanson@nist.gov

Civilian Pilots: Kurt Seidling, Program Manager, DHSkurt.seidling@dhs.gov

DoD Pilots: Annette Mirsky, Pilot Program Manager, OASD NII CI&IAannette.mirsky@osd.mil

Standards: Don Davidson, Senior Advisor StandardsOASD NII CI&IAdon.davidson@osd.mil