Supply Chain Risk Management (SCRM) Is More Than Just An American Problem.

The Defense Industrial Base (DIB) and Federal Supply Chain (FSC) are Global. 

SCRM Requires A Global Solution That Can Adapt & Scale To Meet This Challenge.

MetaSCRM - Focused On Operationalizing Supply Chain Risk Management (SCRM)

According to the National Counterintelligence Strategy of the United States (years 2020-2022), the strategic objective for supply chain security is to: “Reduce threats to key U.S. supply chains to prevent foreign attempts to compromise the integrity, trustworthiness, and authenticity of products and services purchased and integrated into the operations of the U.S. Government, the Defense Industrial Base, and the private sector.”

There is a lot of invaluable information on the Internet about what SCRM is from authoritative sources, such as the US National Institute of Standards and Technology (NIST), the US Department of Homeland Security (DHS), the Cybersecurity & Infrastructure Security Agency (CISA), the US National Counterintelligence and Security Center (NCSC) and many others. "Meta SCRM" simply means "about SCRM" and this site is designed to be a form of neutral clearinghouse for SCRM-related material. The issue we are trying to solve is how to operationalize SCRM practices, so that organizations have actionable plans that can be implemented to both secure their internal processes and assess/mitigate risks within their supply chain. The goal is for organizations to be both secure and compliant with their obligations.

At the heart of SCRM are nation-state "bad actors." The United States Trade Representative’s Special 301 Report identifies 10 countries (including China and Russia) on its Priority Watch List, as well as an additional 23 countries on its Watch List. This list of countries sets the stage for identifying potential geography-based threats that can directly or indirectly impact the confidentiality, integrity, availability and safety of an organization's supply chain. Additional scrutiny is required for products and services (1) produced by entities located within those countries or (2) produced by organizations that have ownership or other Conflict of Interest (COI) concerns with governments listed on those watch lists.

[Graphic: SCRM Watch List]

SCRM Is A Perception Problem Where False Assumptions Have Real-World Implications

Provenance is the technical means to maintain evidence-based integrity of products and services across an asset's lifecycle. It is the chronology of the origin, development, ownership, location, and changes to a system or system component and associated data. It may also include personnel and processes used to interact with or make modifications to the system, component, or associated data. Provenance helps eliminate false assumptions by governing the integrity of the asset across its lifecycle.

[Graphic: SCRM - Perception vs Reality - Made In U]

Currently, there are no clear US laws or regulations that mandate suppliers provide multi-tier transparency of supply chains. The closest requirements are narrowly focused on Controlled Unclassified Information (CUI) as part of several Defense Federal Acquisition Regulation Supplement (DFARS) clauses and Federal Acquisition Regulation (FAR) 52.204-21(2).

SCRM is the process of identifying, assessing, and mitigating the risks to the integrity, trustworthiness, and authenticity of products and services within the supply chain. This is often directed at Information and Communications Technology (ICT) that scopes:

  1. Primary suppliers (e.g., direct contract with the acquiring organization);

  2. Tiers of suppliers that support prime suppliers by providing products and services, and

  3. Any entities linked to those tiered suppliers through commercial, financial or other relevant relationships.

A properly scoped SCRM program assesses (1) internal risks that are native to every organization and (2) external risks that stem from the third-parties that produce products and/or provide services that make up the acquiring organization's supply chain.


For example, an Internet-enabled "smart meter" consists of more than just configurable software; it also contains firmware and hardware, including microprocessors. Therefore, assessing the supply chain risks associated with smart meters means evaluating not only the functionality and features of the end-product, but also the components that come together to make up the end-product.

A successful SCRM program is the embodiment of Zero Trust Architecture (ZTA), where there is no such thing as a "trusted third party," since trust is a luxury that SCRM cannot afford. ZTA's goal is to minimize the negative impact of any product or service being used in a malicious manner. While C-SCRM relies on ZTA principles to architect, build and maintain secure systems, applications, services and networks, SCRM also relies on the concept of "provenance," where every system and system component has a point of origin and may be changed throughout its existence.
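The provenance concept described above and in the earlier definition (a chronology of origin, ownership, location and changes that lets integrity be verified rather than assumed) can be made concrete as a hash-chained record. The following is an added example written for this page; it is not code from MetaSCRM, NIST or any other source named here. The record fields, the smart-meter events, the actors, locations and all hashes are constructed for illustration, and the phase names follow the five lifecycle phases listed below. Each event commits to the digest of the one before it, so altering any earlier event breaks the link its successor carries; the example also shows the one case the chain alone cannot catch (tampering with the newest event), which is why the head digest must be recorded out-of-band.

```python
"""Hash-chained provenance record for a system component (added example, constructed data)."""
import hashlib
import json
from dataclasses import asdict, dataclass, replace
from typing import List, Optional


@dataclass(frozen=True)
class ProvenanceEvent:
    """One link in a component's provenance chain (field names are this example's own)."""
    phase: str          # supply chain lifecycle phase, e.g. "1 - Design & Classification"
    action: str         # what happened: "origin", "build", "custody-transfer", "update"
    actor: str          # person or process responsible for the event
    location: str       # where the component was at the time
    artifact_hash: str  # SHA-256 of the component's bits/design artefacts at this point
    prev_hash: str      # digest of the preceding event; "" for the origin event

    def digest(self) -> str:
        # Canonical JSON (sorted keys) so the same event always hashes the same way.
        payload = json.dumps(asdict(self), sort_keys=True).encode("utf-8")
        return hashlib.sha256(payload).hexdigest()


def append_event(chain: List[ProvenanceEvent], **fields) -> List[ProvenanceEvent]:
    """Return a new chain with an event linked to the current head."""
    prev = chain[-1].digest() if chain else ""
    return chain + [ProvenanceEvent(prev_hash=prev, **fields)]


def head_hash(chain: List[ProvenanceEvent]) -> str:
    """Digest of the newest event; record this out-of-band (signed, escrowed, or published)."""
    return chain[-1].digest() if chain else ""


def verify_chain(chain: List[ProvenanceEvent], expected_head: Optional[str] = None) -> Optional[int]:
    """Return None if the chain is intact, otherwise the index of the event where it breaks.

    A break at index i means event i-1 was altered or event i's link was altered.
    Without expected_head, a change to the newest event is undetectable, because
    no later event commits to it; pass the separately recorded head digest to close that gap.
    """
    for i, event in enumerate(chain):
        expected_prev = "" if i == 0 else chain[i - 1].digest()
        if event.prev_hash != expected_prev:
            return i
    if expected_head is not None and head_hash(chain) != expected_head:
        return len(chain) - 1 if chain else 0
    return None


def artifact_changes(chain: List[ProvenanceEvent]) -> List[int]:
    """Indices of events at which the component's artifact hash changed from the prior event."""
    return [i for i in range(1, len(chain))
            if chain[i].artifact_hash != chain[i - 1].artifact_hash]


def tamper(chain: List[ProvenanceEvent], index: int, **changes) -> List[ProvenanceEvent]:
    """Simulate an after-the-fact edit of one stored event (used to show detection)."""
    return chain[:index] + [replace(chain[index], **changes)] + chain[index + 1:]


def _h(text: str) -> str:
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def build_sample_chain() -> List[ProvenanceEvent]:
    """Constructed sample: a smart-meter firmware image followed through four lifecycle phases."""
    design = _h("smart-meter design package v1 (constructed)")
    fw_v1 = _h("smart-meter firmware 1.0 (constructed)")
    fw_v2 = _h("smart-meter firmware 1.1 (constructed)")
    chain: List[ProvenanceEvent] = []
    chain = append_event(chain, phase="1 - Design & Classification", action="origin",
                         actor="design team (constructed)", location="Austin, TX (constructed)",
                         artifact_hash=design)
    chain = append_event(chain, phase="2 - Manufacturing & Integration", action="build",
                         actor="contract manufacturer (constructed)", location="Penang (constructed)",
                         artifact_hash=fw_v1)
    chain = append_event(chain, phase="3 - Production Deployment", action="custody-transfer",
                         actor="utility operator (constructed)", location="substation 12 (constructed)",
                         artifact_hash=fw_v1)
    chain = append_event(chain, phase="4 - Maintenance & Monitoring", action="update",
                         actor="field technician (constructed)", location="substation 12 (constructed)",
                         artifact_hash=fw_v2)
    return chain


if __name__ == "__main__":
    chain = build_sample_chain()
    anchor = head_hash(chain)
    print("intact:", verify_chain(chain, anchor))                      # None
    print("artifact changed at:", artifact_changes(chain))             # [1, 3]
    moved = tamper(chain, 1, location="undisclosed facility (constructed)")
    print("break after relocating build event:", verify_chain(moved))  # 2
    tail = tamper(chain, 3, artifact_hash=chain[1].artifact_hash)
    print("tail edit, chain only:", verify_chain(tail))                # None (undetected)
    print("tail edit, with anchor:", verify_chain(tail, anchor))       # 3
```

The design choice worth noting is the external anchor: the chain proves that the history is internally consistent, but only a head digest held by a party other than the record keeper turns that into evidence, which is the same reason SCRM programs require provenance data to come from more than the supplier's own attestation.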

Fundamentals - Understanding The Supply Chain Lifecycle

All products and services have a lifecycle, and at each stage of that lifecycle there exist unique risks and threats. Understanding those phases helps identify the appropriate stakeholders to ensure secure practices are implemented by default and by design.

The Supply Chain Lifecycle (SCL) has five (5) distinct phases that cover the entire lifecycle of a product or service:

  1. Design & Classification

  2. Manufacturing & Integration

  3. Production Deployment

  4. Maintenance & Monitoring

  5. Migration & Decommissioning


SCRM Phase 1 - Design & Classification

This phase of the supply chain lifecycle is the origin of the product or service. It involves establishing the context of the business case, including system criticality and data sensitivity determinations. Prototyping and Proof of Concept (POC) testing occur in this phase.

Risks in Phase 1 include, but are not limited to: 

  • Inability to maintain individual accountability

  • Improper assignment of privileged functions

  • Unauthorized access

  • Data loss / corruption

  • Diminished competitive advantage or reputation

  • Data exfiltration (loss of Intellectual Property (IP))

  • Loss of integrity (unauthorized design modifications)

  • Improper scoping of requirements

Threats in Phase 1 include, but are not limited to: 

  • Hacking or other cybersecurity crimes

  • Physical crime (theft of physical assets)

  • Terrorism & armed attack

  • Utility service disruption

  • Applicable natural disasters


SCRM Phase 2 - Manufacturing & Integration

In this phase of the supply chain lifecycle, it is time to build the product or service. This may involve integration work to ensure a new product or service can integrate with existing products or services.

Risks in Phase 2 include, but are not limited to: 

  • Inability to maintain individual accountability

  • Improper assignment of privileged functions

  • Unauthorized access

  • Lost / damaged / stolen assets

  • Diminished competitive advantage or reputation

  • Data exfiltration (loss of Intellectual Property (IP))

  • Loss of integrity (unauthorized modifications)

  • Improper scoping of requirements

  • Unmitigated vulnerabilities

  • System compromise

  • Lack of roles & responsibilities

  • Lack of oversight of internal controls

  • Lack of oversight of third-party controls

  • Inability to investigate / prosecute incidents

  • Expense associated with managing a loss event

  • Inability to maintain situational awareness

Threats in Phase 2 include, but are not limited to: 

  • Hacking or other cybersecurity crimes

  • Physical crime (theft of physical assets)

  • Civil or political unrest

  • Hazardous material emergencies

  • Terrorism & armed attack

  • Utility service disruption

  • Applicable natural disasters


SCRM Phase 3 - Production Deployment

In this phase of the supply chain lifecycle, the product or service has passed all usability testing from a test/development/staging perspective and is deployed into an operational environment. This involves the migration or cutover from existing products or services to the solution being deployed.

Risks in Phase 3 include, but are not limited to: 

  • Inability to maintain individual accountability

  • Improper assignment of privileged functions

  • Unauthorized access

  • Lost / damaged / stolen assets

  • Diminished competitive advantage or reputation

  • Data exfiltration (loss of Intellectual Property (IP))

  • Loss of integrity (unauthorized modifications)

  • Improper scoping of requirements

  • Unmitigated vulnerabilities

  • System compromise

  • Lack of roles & responsibilities

  • Lack of oversight of internal controls

  • Lack of oversight of third-party controls

  • Inability to investigate / prosecute incidents

  • Expense associated with managing a loss event

  • Inability to maintain situational awareness

  • Loss of revenue (cancelled contract)

  • Fines & judgements

  • Inability to support business processes

  • Illegal or abusive content

Threats in Phase 3 include, but are not limited to: 

  • Hacking or other cybersecurity crimes

  • Physical crime (theft of physical assets)

  • Civil or political unrest

  • Hazardous material emergencies

  • Terrorism & armed attack

  • Utility service disruption

  • Applicable natural disasters


SCRM Phase 4 - Maintenance & Monitoring

This phase of the supply chain lifecycle covers the production use of the product or service throughout its usable life. This includes preventative maintenance, reactive maintenance and feature upgrades. From a service perspective, it includes ongoing reviews and monitoring of service providers.

Risks in Phase 4 include, but are not limited to: 

  • Inability to maintain individual accountability

  • Improper assignment of privileged functions

  • Unauthorized access

  • Lost / damaged / stolen assets

  • Diminished competitive advantage or reputation

  • Data exfiltration (loss of Intellectual Property (IP))

  • Loss of integrity (unauthorized modifications)

  • Unmitigated vulnerabilities

  • System compromise

  • Lack of roles & responsibilities

  • Lack of oversight of internal controls

  • Lack of oversight of third-party controls

  • Inability to investigate / prosecute incidents

  • Expense associated with managing a loss event

  • Inability to maintain situational awareness

  • Loss of revenue (cancelled contract)

  • Fines & judgements

  • Inability to support business processes

  • Illegal or abusive content

Threats in Phase 4 include, but are not limited to: 

  • Hacking or other cybersecurity crimes

  • Physical crime (theft of physical assets)

  • Civil or political unrest

  • Hazardous material emergencies

  • Terrorism & armed attack

  • Utility service disruption

  • Applicable natural disasters


SCRM Phase 5 - Migration & Decommissioning 

In this phase of the supply chain lifecycle, it is time to retire the product or service. This generally involves a migration of data and a cutover to a new product or service. When a migration is complete, the systems and data must be securely decommissioned.

Risks in Phase 5 include, but are not limited to: 

  • Inability to maintain individual accountability

  • Improper assignment of privileged functions

  • Unauthorized access

  • Data exfiltration (loss of Intellectual Property (IP))

  • Loss of integrity (unauthorized modifications)

  • System compromise

  • Lack of roles & responsibilities

  • Lack of oversight of internal controls

  • Lack of oversight of third-party controls

  • Inability to investigate / prosecute incidents

  • Expense associated with managing a loss event

  • Loss of revenue (cancelled contract)

  • Fines & judgements

  • Inability to support business processes

Threats in Phase 5 include, but are not limited to: 

  • Hacking or other cybersecurity crimes

  • Physical crime (theft of physical assets)

  • Civil or political unrest

  • Terrorism & armed attack

  • Utility service disruption

  • Applicable natural disasters