While the future of the Defense Department’s Cybersecurity Maturity Model Certification (CMMC) initiative is in “wait and see mode,” the Pentagon is far from sitting still when it comes to protecting its supply chain.
Publicly, DoD announced a new supply chain resiliency working group on Sept. 3, “to address systemic barriers currently limiting supply chain visibility, conduct resiliency assessments and develop effective mitigation actions.”
And privately, Federal News Network has learned DoD is asking vendors for feedback about how to establish a new blanket purchase agreement for supply chain data and information sharing.
In late July, DoD’s Office of Acquisition and Sustainment sent out a request for information asking for feedback on how best to “provide DoD and affiliated federal agencies with illumination of critical defense industrial base (DIB)-related technology and other sector supplier networks (private and publicly-held companies) along with single network illuminations on affiliated companies and personnel deemed critical to the federal government, on an on-going basis. Data should be collected on the suppliers, their capabilities, their financial and operational health, among other factors deemed relevant by the federal government.”
Industry sources say DoD is collecting recommendations from different defense agencies and military services, including the Defense Contract Management Agency, the Defense Counter Intelligence Security Agency, the assorted military department and agency chief information officers and others about what they would want in a BPA vehicle.
“These would be pre-vetted suppliers and vendors around supply chain risk data. Part of the deliverables of these commercial providers will be artifacts that can be collected once and shared across the military,” the industry source said. “The goal is to make sure the Army, the Navy, the Air Force and the defense agencies are not paying for the same thing over and over again.”
Eight industries under analysis
The RFI is seeking broad information from eight different industries, including pharmaceuticals, aerospace and defense, semiconductors, biotechnology and others.
It wants the information to live in the cloud and have artificial intelligence and machine learning tool to do risk analysis of about 100,000 firms, including the Fortune 1,000.
DoD wants all of this data in “a commercial due diligence software platform for automated vendor vetting, supply chain vendor vetting, and affiliated entity vetting to continuously and dynamically inform supplier health. The software must be immediately deployable, ready to immediately run industrial health assessments and supplier vetting at the execution of the award, for enterprise use in vetting the vendors, associated personnel, and supplier networks associated with companies that will provide services, supplies, goods, and materials under this authority. The software must compile, process and display information of relevance based on pre-configured risk events relevant to the supply chain risk management (SCRM) use case. All content returned must have its provenance and date/time captured and fully auditable.”
More specifically, among the capabilities the Pentagon wants the platform to provide is the ability to:
Identify any companies with foreign ownership, control and influence (FOCI) concerns to include adversarial finance risk indicators, and be able to vet and continuously monitor foreign personnel to inform FOCI risk.
Continuously monitor for supply or production shortages within the supply chain.
Automatically flag and compile in one report industrial health risk and derogatory issues on companies and people to include, but not limited to, criminal proceedings, civil offenses, reputation/brand issues.
Continuously monitor companies and associated entities and people for industrial health risk or derogatory flags impacting trustworthiness and eligibility for continued access to government information on up to a daily basis.
Christine Michienzi, the chief technology officer for the Deputy Assistant Secretary of Defense (DASD) for Industrial Policy in the Defense Department, said the need for an enterprise view of the risk and resiliency of the defense supply chain was part of the reason to establish the new working group.
“The services have their efforts. [The Office of the Secretary of Defense] has their efforts. But there needs to be this collaborative, coordinated response,” Michienzi said at the recent Intelligence and National Security Summit sponsored by AFCEA and the Intelligence and National Security Alliance. “The supply chain resiliency working group is going to be looking at things like how do we get greater visibility into the supply chain? How do we better identify risks and issues before they happen? How can we be proactive? How can we put remedies in place? And so that activity is ongoing for the next two years. And the tools and the data are going to be a big focus of that activity.”
Supply chain task force recommendation
This RFI and potential blanket purchase agreement is trying to address what Michienzi said is the big problem for DoD — a lack of visibility across the supply chain.
“From a DoD perspective, we have to understand the interdependencies because a certain company may know who’s in their supply chain, but they don’t understand which other companies are, which other systems are also using that same supply chain, and therefore makes it more vulnerable than they realize,” she said. “At the DoD level, at the Office of the Secretary of Defense level, we have that visibility into all the systems that use all these suppliers, if we could just get the data down to the lower levels of the supply chain. So we’re starting with some of these illumination tools that use AI. Those are a good starting point, but they’re not the end-all-be-all. That information needs to be there verified and validated. And then we need to understand, okay, what are their capabilities? What are their issues? Are they financially healthy? How much capacity and capability do they have, et cetera, before we can do a complete risk assessment? So we are definitely working toward that goal.”