Supply chain vulnerabilities have leapt to national attention thanks to concerns about Chinese companies Huawei and ZTE, the subsequent ban of their products from use by the federal government, and President Donald Trump’s adding Huawei to a list of entities with whom U.S. companies are prohibited from doing business.
While those actions address some of the supply chain risks from some companies, one-off bans of problematic companies will not be sufficient to protect the country. As Federal Chief Information Security Officer Grant Schneider notes, these are merely “whack-a-mole solutions to a challenge that we need a far more systemic approach to.”
The good news is that government officials are finally starting to pay attention to the vulnerability of their supply chains. Last year, the Department of Homeland Security formed an Information and Communications Technology supply chain task force filled with representatives from both the public and the private sectors. A law passed last December led to the creation of the new Federal Acquisition Security Council, which held its first meeting last month. And the White House recently released an executive order prohibiting the acquisition or use of any information and communications technology or service coming from a company deemed a national security threat.
Kathryn Waldron, June 25, 2019
The first step in assessing supply chain risk is to figure out who exactly is in an entity’s supply chain. Government contractors are tiered, and large companies at the top may not be aware of the identities and risk profiles of all of the subcontractors they rely on to deliver complex systems. As Mike Gordon, deputy chief information security officer at defense contractor Lockheed Martin, said last year, “Because of contract privity and competitive advantage, the tier one doesn’t necessarily know who in the tier four is working on a particular program, and the government does not necessarily know that either.”