The ICT Supply Chain Risk Management (SCRM) program has been implemented in the DoD to secure the DoD’s cyber supply chain against adversary manipulation to ensure trusted systems and networks. Within the acquisition community, the SCRM program focuses on programs of record. The Risk Management Framework (RMF) has a series of controls (SA-12) which are focused on the highest risk systems (e.g., Nuclear Command and Control, Continuity of Government, etc.). Currently, most of the IT assets of the DoD are in systems categorized as medium or low under the RMF. These systems are not covered by specific requirements where the system owner might evaluate the supply chain risks of the products that they buy and install in support of the DoD mission. Changing the policy to require that systems owners take ICT SCRM into account would not really address vulnerabilities because those system owners typically do not have the resources necessary to conduct meaningful analysis of the components of their systems.
Despite informal knowledge being shared that there may be risks from hardware or software obtained from these and other sources, many system owners have continued to procure these products. The use of this technology could place the information of users of DoD local-level systems at risk. Additionally, where these systems are used as clients to access a higher risk category system, these technologies could impact the security of systems that are subject to the current SCRM process requirements. For example, the DoD Public Key Infrastructure (PKI) is part of a formal program of record and has an RMF rating of high. The primary system components are subject to all the SCRM processes. However, the users of the PKI access these components from workstations in local enclaves, which typically have an RMF rating of medium or low. The PKI itself requires some minimal supply chain protections for the special workstations (those used by registration authorities) but, in general, the systems are procured through the normal channels used by the enclave. If there is a supply chain issue in that local environment, it could propagate to a compromise of the PKI, possibly causing issuance of rogue certificates or improper revocation of existing certificates.
Current government resources dedicated to identifying ICT Supply Chain Risks are barely capable of meeting the demand from the high-risk systems. There may also be specific legal constraints (e.g., Title 50 restrictions on information sharing) to making information more broadly available. System owners need information, and they need it in an easily consumable form or format. The technical details of supply chain risk are also likely to be ignored if they prove too difficult for the system owner to use when purchasing needed IT equipment.