Biblio

Filters: Keyword is C3E
2021-10-22
[Anonymous].  2021.  National Supply Chain Integrity Month - Call to Action Best Practices.

Summary

  • Obtain Executive Level Commitment for a Supply Chain Risk Management (SCRM) Program
  • Identify Critical Systems, Networks, and Information
  • Manage Third Party Risk

[Anonymous].  2017.  Digital supply chain security. 2021

[Anonymous].  2021.  Potential Threat Vectors to 5G Infrastructure. 2021. Jointly published by NSA in conjunction with ODNI and DHS/CISA.

CISA, in coordination with the National Security Agency, and the Office of the Director of National Intelligence, as part of the Enduring Security Framework (ESF)—a cross-sector, public-private working group—released a Potential Threat Vectors to 5G Infrastructure paper. This paper identifies and assesses risks and vulnerabilities introduced by 5G.

The ESF 5G Threat Model Working Panel, a subgroup within the ESF, examined three major threat vectors in 5G (standards, the supply chain, and threats to systems architecture) to develop a summary and technical review of types of threats posed by 5G adoption in the United States and sample scenarios of 5G risks.

Please note, this paper represents the beginning of the ESF’s research and not the culmination of it. It is not an exhaustive risk summary or technical review of attack methodologies and includes public and private research and analysis.

Adam Stone.  2020.  GovCons Weigh in on ODNI Supply Chain Warnings. Washington Exec: Federal Government News. 2020

In a recently published document addressing supply chain risk, the Office of the Director of National Intelligence warns against “foreign attempts to compromise the integrity, trustworthiness, and authenticity of products and services purchased and integrated into the operations of the U.S. Government, the Defense Industrial Base, and the private sector.”

Attacks on the supply chain represent “a complex and growing threat to strategically important U.S. economic sectors and critical infrastructure,” the agency notes. Foreign adversaries are attacking key supply chains at multiple points: From concept to design, manufacture, integration, deployment and maintenance.

GovCon leaders say the government does well to take the risks seriously, and they point to ways in which the contracting community can work hand-in-glove with federal officials to mitigate the threat.

[Anonymous].  2020.  NCSC Unveils New Supply Chain Risk Management Guidance.

Exploitation of supply chains by foreign adversaries is a growing threat to America.

The National Counterintelligence and Security Center (NCSC) today released a new tri-fold document, Supply Chain Risk Management: Reducing Threats to Key U.S. Supply Chains, to help private sector and U.S. Government stakeholders mitigate risks to America’s critical supply chains.  As part of Cybersecurity Awareness Month, NCSC is working to raise awareness of supply chain attacks, including those that are cyber-enabled.

The tri-fold highlights supply chain risks, introduces a process for supply chain risk management, and establishes three focus areas to reduce threats to key U.S. supply chains.  The document also outlines key tools and technologies to protect each stage of the supply chain lifecycle, from design to retirement.

William Claycomb, Joe Bradley, Matthew Butkovic, Ken Mai, Carol Woody, Mark Sherman.  2020.  Implementing Cyber Security in DoD Supply Chains.

Video presentation from Carnegie Mellon University, "Implementing Cyber Security in DoD Supply Chains," 2020.

Zac Rogers, Victor Benjamin, Mohan Gopalakrishnan, Thomas Choi.  2018.  Cyber Security in Supply Chains, CAPS Research.

Video presentation "Cyber Security in Supply Chains, CAPS Research", 2018.

Jon Boyens.  2017.  The Cyber Risk Analytics Project Review Workshop. National Institute of Standards and Technology Site. 2017

The purpose of this workshop is to review with participants, sponsors, and key interested parties the findings and lessons learned from a two-year long NIST and GSA-sponsored Cyber Risk Analytics project. A team composed of professionals from the University of Maryland (UMD), Zurich Insurance, and Beecher Carlson completed the following activities:

  • Developed and field tested, with collaboration of NIST, a secure, online self-assessment tool, based on the Cybersecurity Framework; 
  • Created a breach database for survey participants by integrating the breach datasets from Advisen, RBS, the Identity Theft Resource Center, and the Center for Business and Ethics at the University of Maryland;
  • Conducted a rigorous statistical analysis to search for significant relationships between performance results in different areas of the self-assessment tool and frequency of breaches (disaggregated by breach type). The objective was to determine whether specific actions initiated by the survey participants were directly associated with a reduced frequency of breach occurrence during the study period.

Shelby S. Oakley.  2020.  Defense Acquisitions Annual Assessment: Drive to Deliver Capabilities Faster Increases Importance of Program Knowledge and Consistent Data for Oversight. Government Accountability Office. 2020

This is GAO’s 18th annual assessment of DOD acquisition programs. GAO’s prior assessments covered major defense acquisition programs. This year’s assessment expands to include selected major IT systems and rapid prototyping and rapid fielding programs, in response to a provision in the National Defense Authorization Act for Fiscal Year 2019.

This report (1) summarizes the characteristics of 121 weapon and IT programs, (2) examines cost and schedule measures and other topics for these same programs, and (3) summarizes selected organizational and legislative changes. GAO identified the 121 programs for review based on their cost and acquisition status. GAO selected organizational and legislative changes that it determined related to the execution and oversight of the 121 programs.

GAO reviewed relevant legislation and DOD reports, collected data from program offices through a questionnaire, and interviewed DOD officials.
Additional analyses and assessments of major IT programs are included in a companion report to be issued later this year.

The Department of Defense (DOD) currently plans to invest over $1.8 trillion to acquire new major weapon systems such as aircraft, ships, and satellites. At the same time, the department is investing billions more in information technology (IT) systems and capabilities that it expects to either prototype or field rapidly through a new middle-tier acquisition pathway. (See table.)