“It’s fairly easy to go into your procurement databases and see where you’ve bought something directly from a contractor and you can go locate that and remove it as you need to,” said Donald Davidson, DoD chief information officer deputy director of cybersecurity risk management, during an Oct. 19 AFCEA event in Arlington, Virginia. “It’s very difficult when you start going to the lower tiers in the supply chain and you have embedded components and embedded software because there isn’t a bill of materials for the products you buy.”
Davidson said if he had a peanut allergy, he could go to the grocery store and look at the list of ingredients and see what he needed to avoid. The Pentagon is unable to do that when it buys software because some programs may be embedded into that software. Those programs may be developed in foreign countries that are interested in taking information from the U.S.
The Department of Commerce’s National Telecommunications and Information Administration is looking into the feasibility of requiring a bill of materials now. NTIA already hosted one workshop on the issue and will host at least two more.
“Should we be requiring a bill of materials for things we buy in the federal government?” Davidson asked. “How deep do you go in that world? Do you flag certain things? How do you list that bill of material? Is it only for software or is it for hardware? What would that mean for us? Would it cost more? Those are all things of consideration, but something we have to look at as a government and as a holistic society. Are we concerned about what we build into our own enterprises as we outsource more and more every day and we buy commercial-off-the-shelf products that may not have been designed for our particular use?”
Supply chain communication is needed
While the Commerce Department is working out if a bill of material is necessary, dealing with supply chain risks as they are happening is another area where DoD and the government as a whole feels unprepared.
The U.S. does not have a comprehensive way to see threats to the supply chain, said Maj. Johanna Wynne, intelligence planner at Army Futures Command.
“We don’t have the interagency standards and practices for dialogue for sharing and communicating the information that we need,” Wynne said. “The risk assessments that we do receive are often late, they do not provide adequate visualization of trends or patterns and situational awareness. Nor do they support appropriate DoD responses.”
Wynne said the Army is advocating for contextualizing the supply chain as the battlefield and having a common picture that gives warnings DoD needs.