
Cyber Supply Chain Risk Management


TECHNOLOGY AREAS: Information Systems, Sensors, Electronics, Weapons


The technology within this topic is restricted under the International Traffic in Arms Regulation (ITAR), which controls the export and import of defense-related material and services. Offerors must disclose any proposed use of foreign nationals, their country of origin, and what tasks each would accomplish in the statement of work in accordance with section 3.5.b.(7) of the solicitation.

OBJECTIVE:  Develop and demonstrate innovative tools, techniques or decision support frameworks for the identification, tracking, and mitigation of risks associated with malicious attacks on critical embedded information and communications technology (ICT) within a weapon system supply chain lifecycle.

DESCRIPTION: As DOD has become increasingly dependent on embedded information and communications technology (ICT) to conduct mission operations, the need for assurance of ICT processing assets has grown. The industrial base for these capabilities is composed of global—and, largely, non-U.S.—suppliers that build, maintain, and upgrade these assets. This reliance upon globally sourced ICT poses unique challenges for acquisition program managers and contracting officers because it exposes DOD systems and networks to an increasing risk of exploitation. These concerns have led Congress to support DOD efforts to develop systemic approaches to managing the risk by focusing on key acquisition programs.

In January 2008, National Security Presidential Directive 54/Homeland Security Presidential Directive 23 and the National Cybersecurity Initiative (CNCI) were launched. They were mutually reinforcing initiatives with major goals designed to secure the United States in cyberspace. The CNCI includes the supply chain risk management (SCRM) initiative, which is the basis for DOD policy directing that supply chain risk will be addressed early and across the entire life cycle to manage ICT integrity within covered systems. The policy will require the services and government agencies to put measures in place to respond to this concern. Addressing this threat to DoD systems and networks will require access to information and effective use of that information. The supplier network for a weapon system, for example, can be quite large. The larger the supplier network, the larger the risk. Multiple threat vectors are possible. Being able to visualize and manage the threat based on system priority, component criticality levels, available counter-intelligence data, etc., is essential for mission assurance.

The focus of this topic is to develop tools, techniques and decision support frameworks that will assist key stakeholders in identifying, tracking, and mitigating risk throughout the supply chain lifecycle. Weapon system critical data, hardware, software, firmware, services and system infrastructure are subject to malicious attacks, and new techniques are needed to quickly, accurately and reliably identify threats throughout the lifecycle and integrate this information in an easily understood manner so key stakeholders can make informed decisions. Existing supply chain risk management techniques do not specifically address the unique threats associated with embedded information and communications technology.

The goal is a global picture of the supply chain network that will provide a common interface to assimilate the relevant data and effectively manage and report on the threat within a specific system.  New tools, techniques and decision support frameworks that address the uniqueness of the information and communication technology aspects of the supply chain support this goal and will increase the likelihood of mission success.

Innovative solutions are being sought in, but not limited to, the following specific areas that support the identification, tracking, and mitigation of risk associated with attacks on the information and communications technology aspect of the supply chain:

1) geospatial visualization of the supply chain network specific to a system and the ability to integrate that information from current available sources where they exist

2) component criticality identification and analysis

3) counter-intelligence information integration

4) component (i.e., BIOS, firmware) integrity analysis

5) secure portals and frameworks for data assimilation and integration

The technology developed or utilized for this topic should be innovative, collaborative and secure.  Collaboration is fast becoming a fundamental component in today’s solutions. The ability to share information securely and efficiently is expected.

PHASE I: 1) Research and develop tools, techniques, or decision support frameworks that assist in supply chain risk management for information and communication technology of weapon systems.  2) Provide a proof-of-concept prototype demonstrating the feasibility of the concept.

PHASE II: Based on the results from Phase I, refine and extend the design into a fully functioning pre-production prototype.

PHASE III: Develop the prototype into a comprehensive solution for the application of supply chain risk management. This capability would not only benefit DoD weapon and support systems, but also commercial organizations.
