Insight by KPMG

ODNI shows how to modernize, protect the supply chain

The old adage “trust but verify” is taking on new meaning with the ever-increasing focus on supply chain risk management.

From the Cybersecurity Maturity Model Certification (CMMC) program to Section 889 and the banning of certain Chinese-made telecommunications products, agencies and vendors alike must do more than just say they are doing enough to protect their supply chains.

That means organizations must rely on data to prove the trustworthiness of the supply chain. That data can provide insights into everything from foreign ownership to insider threats to chain of custody.

The challenge of depending on data is how to deal with the volume of information and decide what is most valuable. That is why agencies and companies are applying analytical tools and machine learning algorithms to identify potential risks.

Joyce Corell, the assistant director for supply chain and cyber directorate at the National Counterintelligence and Security Center in the Office of the Director of National Intelligence (ODNI), said that over the last three or four years, public and private sector organizations and Congress have grasped more than ever the threats brought on by the global supply chain.

“I think now [supply chain risk] is a topic that has transitioned from esoteric to exoteric as it’s more accessible to the public. COVID has made supply chain a dinner table conversation topic, so it’s a combination of organizations learning more about third party risk and operational risk, and realizing the consequences of not attending to that risk could be devastating,” Corell said during the Modern Government: Supply Chain Risk and Security show sponsored by KPMG. “I view this threat from a counterintelligence perspective, not so much about counterfeits in our supply chain, but rather an adversary using a company as a threat vector. That might be a company which might be complicit or not and it’s being used as a threat vector. What kind of untoward level of influence an adversary government may have is certainly a concern.”

One of the best ways to deal with the growing threat is by understanding the data. The challenge for agencies, and industry, is just how much data is available.

“There’s so much information out there that’s publicly available, not always for free, but publicly available information from organizations that are very adept at pulling information together for commercial due diligence,” Corell said. “I’m really pleased at how this technology has changed. In the last five years, all of these firms are now actually looking at how to apply machine learning and train their AI systems to get at a more exquisite understanding of the data that they have access to. So that’s really going to be the wave of the future, being able to tune those systems to get answers to the questions that we want.”

She added that the data help point users in a direction, but may not answer all the risk questions.

“These tools applied to commercially available data really point you in a direction to say, either, here’s a gap where you don’t have information, do you care, does that matter to you from a risk perspective, or, hey, here’s some data that shows that risk is trending up, or risk is trending down,” Corell said. “Those are the kind of tools that help inform your decision analysis. So that is just where I think the government broadly should go. What the government really needs is some type of commercial due diligence service as a shared service for government agencies. There’ll be organizations that are very under resourced and are not going to be able to afford the data that would help them in their decision analysis.”

The Federal Acquisition Security Council and others in government are trying to address these challenges and raise awareness about the value of information sharing.

“One of the things that we’re doing under the Federal Acquisition Security Council is standardizing how that research is done so that there is rigor and integrity behind it,” she said. “We’re also looking at all the other regulatory regimes that have a supply chain nexus to ensure that we’re harmonizing the factors that we look at, as well as the criteria we use to evaluate what factors in what combination make us think the risk is high, medium, or low.”

Along with the FASC, Corell said there are several other supply chain-related efforts. The DNI is establishing a task force to standardize the sharing of counterintelligence risk information in the supply chain environment and to share it across the government's entire acquisition community, and the Commerce Department is working with telecommunications companies to develop an information sharing process.

“We’ve already launched work with this venue and that is the mechanism by which we are going to have move forward with a fully coordinated intelligence community position,” she said. “The statutes also required some elements that are not in the intelligence community to participate: GSA, OMB’s Office of Federal Procurement Policy and a couple of others. That is a mechanism that we’re going to be able to use to drive the standardization of information sharing.”

Featured speakers

  • Joyce Corell

    Assistant Director, Supply Chain and Cyber Directorate, National Counterintelligence and Security Center, Office of the Director of National Intelligence

  • Jason Miller

    Executive Editor, Federal News Network
