forum presentation - piloting supply chain risk management
TRANSCRIPT
Piloting Supply Chain Risk Management Practices for Federal Information Systems
Marianne Swanson, Computer Security Division
Information Technology Laboratory
Agenda
Terms and Background
Implementing Supply Chain Risk Management
Supply Chain Risk Management Practices
Contact Information
Terms
Supply Chain – Set of organizations, people, activities, information, and resources for creating and moving a product/elements or service (including sub-elements) from suppliers through to an organization's customers.
Element – COTS or GOTS software, hardware, and firmware; synonymous with components, devices, products, systems, and materials.
Terms (continued)
Supplier – An organization that produces elements and provides them to a customer or an integrator to be integrated into the overall system; it is synonymous with vendor and manufacturer. It also applies to maintenance/disposal service providers.
Integrator – A third-party organization that specializes in combining products/elements from several suppliers to produce elements (information systems).
Background
Comprehensive National Cybersecurity Initiative 11: Develop Multi-Pronged Approach for Global Supply Chain Risk Management (SCRM)
Provide US Government with robust toolset of supply chain methods and techniques
Multi-tiered Approach:
Cost-effective procurement-related strategies
Industry input into supply chain practices and development of international standards
Ability to share supply chain threat information
Lifecycle Processes and Standards Working Group
Develop guidance for civilian agencies on implementing supply chain risk mitigation strategies.
Test existing and proposed guidance during pilots in FY09 and FY10
Collaborate with organizations and industry on developing supply chain standards and practices
Guidance
Draft NIST Inter-Agency Report (NIST IR) 7622 Piloting Supply Chain Risk Management Practices for Federal Information Systems
First Public Draft – June, 2010
Final – January, 2011
Future NIST Special Publication
First Public Draft – June, 2011
Supply Chain Pilots
Department of Defense
Department of Homeland Security
Piloting of guidance in NISTIR
Collaboration
ISO CS-1 Global Supply Chain Risk Management Ad Hoc Meetings
IT and Telecom Sector Coordinating Councils (SCCs) and Government Coordinating Councils (GCCs)
Implementing Supply Chain Risk Management
Prerequisites for Successful SCRM Implementation
Establish a Supply Chain Risk Management Capability (SCRMC)
Roles and Responsibilities
SCRMC Procurement Process
Prerequisites for Successful SCRM Implementation
Integrate information system security requirements from inception
Ensure funding for information security and SCRM
Follow consistent, well-documented, repeatable system engineering and acquisition processes
Proper oversight of suppliers
Actively manage suppliers through Service Level Agreements/contracts
Fully implement the NIST 800-53 security controls
Establish a SCRMC
Ad hoc or formal team
Develop policy and procedures
When the team comes together
Who performs requirements analysis, makes risk decisions, prepares procurement-related documents, and specifies any specific training requirements
SCRMC Implementation
Step 1: Determine Supply Chain Risk Threshold
FIPS 199 High Impact System
NIST Special Publication 800-53 Rev. 3 Security Control: SA-12 Supply Chain Protection
Step 2: Develop Requirements
Identify critical elements, processes, systems, and information across the program
Determine appropriate level of risk
Review all data gathered during the pre-solicitation
Obtain any additional information
Consider a procurement strategy
Develop a Statement of Work (SOW)
Statement of Work
Detailed description of the technical, security, and SCRM requirements
Performance measures
Evaluation criteria
Measurement thresholds
Step 3: Identify Potential Suppliers
Conduct a market analysis
Post a “sources sought” notification
Gather information from open sources
Open Sources
Central Contractor Registry (CCR)
Commercial & Government Entity (CAGE)
Dun & Bradstreet
Business Identification Number Cross-reference System (BINCS)
Step 4: Coordinate Acquisition Plan and Contract Execution
Develop an Acquisition Plan
List of potential sources of suppliers
Description of how competition will be sought
Description of various contracting considerations
Strategies for mitigating supply chain risk
Disclose any legal issues
Perform technical review
Select supplier
Step 5: Perform Continuous Monitoring
Record lessons learned
Monitor and periodically reevaluate changes in risk, suppliers, operational environment, and usage.
Replacement components and maintenance should be reviewed for supply chain risk
Supply Chain Practices
21 varying practices
Acquirer: Programmatic and validation activities
Supplier or integrator: General, technical, and validation requirements
Topic areas include:
Procurement
Design/Development
Testing
Operational
Personnel
Procurement
Maximize acquirer’s visibility into integrators and suppliers
Protect confidentiality of element uses
Design/Development
Incorporate supply chain assurance in requirements
Select trustworthy elements
Enable diversity
Identify and protect critical processes and elements
Use defensive design
Design/Development (continued)
Protect the supply chain environment
Configure elements to limit access and exposure
Harden supply chain delivery mechanisms
Testing
Manual review
Static analysis
Dynamic analysis
Penetration testing
Operational
Protect/monitor/audit operational systems
Formalize service/maintenance
Configuration management
Negotiate requirement changes
Manage supply chain vulnerabilities
Reduce supply chain risks during software updates and patches
Supply chain incident response
Reduce supply chain risks during disposal
Personnel
Personnel considerations in the supply chain
Promote awareness, educate, and train personnel on supply chain risk
Contact Information
Marianne Swanson, Senior Advisor for Information System [email protected]
Civilian Pilots: Kurt Seidling, Program Manager, [email protected]
DoD Pilots: Annette Mirsky, Pilot Program Manager, OASD NII CI&[email protected]
Standards: Don Davidson, Senior Advisor StandardsOASD NII CI&[email protected]