Over the last five years, agencies have realized the importance of protecting their supply chains. What was a niche area for federal acquisition and cyber experts has grown into a full fledge governmentwide effort.

There is the Federal Acquisition Security Council, which is still trying to unify more than 30 different initiatives across the government.

The National Institute of Standard and Technology kicked off the National Initiative for Improving Cybersecurity in Supply Chains about a year ago.

And of course, the Defense Department and Intelligence Community have their share of initiatives. These range from the Cybersecurity Maturity Model Certification (CMMC) to the Office of Director of National Intelligence’s task force to standardize information sharing of counterintelligence risk information in the supply chain environment.

At the heart of all of these efforts, of course, is the data.

Agencies need better, more capable tools to sift through and analyze the information. They need a better approach to understand that information to drive decisions in real time.

NIST identified six critical success factors for any supply chain risk management (SCRM) program. These include integrating SCRM into acquisition, sharing supply chain information and ensuring ongoing capability implementation measures.

Matthew Halvorsen, the strategic program director for the National Counterintelligence and Security Center’s Supply Chain and Cyber Directorate for the Office of the Director of National Intelligence, said their goal is to find ways to develop actionable information on the threats to the government’s critical supply chain areas.

“We’re working in a couple of ways to help develop that piece of the puzzle. We’re looking for ways to develop new sources of information, increasing analytical capabilities to help understand those foreign threats and the capabilities to exploit those supply chains. We’re also looking at ways to help develop new processes to identify suspect or high risk vendors, products, software services that really are pose a risk to our supply chain and our national economic future,” Halvorsen said during the discussion Building the Supply Chain of the Future. “We at the NCSC are really working now to help develop an integrated strategy for supply chain risk management and capabilities across the IC that really helps synergize those strategies from the government with the private industry because the U.S. government doesn’t, generally speaking, own factories with a purchase it from private industry.”

ODNI’s supply chain risk management task force is developing an “integrated strategy” that will set baseline capabilities across the intelligence community and detail initiatives to continue to advance SCRM.

The Army Material Command is taking a more operational approach to supply chain risk management through its acquisition strategies.

Deacon Maddox, the director of supply chain management for the Army Materiel Command, said their organization is integrating data and tools into contracting activities to give the Army the best understanding possible.

These tools include digital twins and a data analytics platform.

“Our commanding Gen. Edward Daly has undertaken an initiative to standardize some of our major procurement processes at our lifecycle management commands. This optimization effort that we’ve have begun really lays the groundwork to do some of the supply chain risk management from a standardized way across the command that allows us to conserve resources where we can and allows us to be more efficient in how we manage the supply chain,” Maddox said. “But it also opens up opportunities for us to look at our own internal organic industrial base to supplement some of the supplies that may be at risk.”

The Army is using digital twins for individual weapon systems, where it is breaking down each piece of that weapons system and modelling it.

“We have efforts ongoing right now to pilot this technology. Then there’s also a digital twin of our facilities where you can take a facility and create a digital model of it and then run efficiency scenarios through it,” Maddox said. “From a SCRM perspective, the digital twin allows you to anticipate where you may have problems in the future. If you’ve got sensor data coming off of your weapon systems and that is feeding into this model and you’re able to understand what your future requirements are going to be with the lead times. It allows you to get ahead of those lead times so that you’re not waiting 18-to-24 months with deadline systems and not having mission capable systems ready to go.”

Retired Navy Rear Adm. John Polowczyk, the government supply chain leader at Ernst & Young, said public and private sector organizations need to have a deep understanding of their industrial base’s capabilities and capacities, the inherent risks, whether it be cyber hardening or foreign influence as well as diminishing manufacturers and sources of supply.

“Some of this is enabled by industry 4.0 like technologies and processes. People are relooking their operating model where they have things and where they manufacture items. They certainly are working on alternate sources of supply and geographic diversity,” Polowczyk said. “That’s what bit us during COVID where we were wholly reliant on Asia for manufacturing of personal protective equipment and a lot of other durable medical goods. You also need a resilient workforce, a trained workforce because one day you’re operating this machine and the second the next day because of an illness or an outage, you’re able to operate this machine. You really have to have a resilient and agile workforce. Finally, there is all of the cyber hardening, the data sharing and securing those things in your ecosystem.”

The goal for most organizations is to manage and understand their supply chain all the way down through the lowest levels.

Polowczyk said there are commercial firms and some elements of the federal government who are using end-to-end visibility tools through commercial products or some homegrown things to really understand what their supply chains look like.

“I do think the data architectures and working across clearance systems, being able to have the visibility needed at all levels is a key in this area, which I don’t think we’ve solved yet,” he said. “I’ve always viewed the vendor vetting intelligence piece is critical, but maybe not on every box of pencils. But when you’re talking about weapons systems and some very critical sensitive technologies, I think that the blend of intelligence-based data, analytics and the tools that they’re using, and there are a suite of things that everybody, including EY, has data analytics and off the shelf tools in this area. How we blend that with the acquisition workforce who are just trying to get the deal done in the most cost effective manner for the federal government. That is where the hard part is.”

Halvorsen said the IC is looking for better tools to increase their visibility using publicly available data as well as sensitive information.

“One of the things we deal with at the NCSC when we talk to our civil agency sector quite a bit is the understanding that acquisition professionals, generally thinking outside of the IC, don’t work in a secure world, meaning they don’t have security clearances and aren’t working on classified systems. So analytical tools that really bring in that publicly available data are really something we are always looking at,” he said. “As part of the efforts with the FASC are tools that have that information sharing component so that we can share information across the federal enterprise to help each agency with their risk management decisions.”

Learning Objectives:

• Supply Chain Risk Management Overview
• Processes and Tools to Evaluate Supply Chain Risk Management
• Data Strategy Towards Supply Chain Risk Management

Complimentary Registration:

Please register using the form on this page or call (202) 895-5023.
This program is sponsored by