Should supply chain security be part of the procurement process?
Mitre Corp. has done a study for the Defense Department and recommends ways to improve the security of the supply chain by making that part of the contract evaluation process.
In other words, supply chain security would join factors such as price, past performance and technical solution as major criteria for picking winners and losers.
As I read through Mitre’s "Deliver Uncompromised" report, one thought went through my mind: the government gets what it pays for.
I don’t mean that as a criticism. In fact, I think Mitre and DOD are onto something, and it is a long time coming.
More than 15 years ago, a Hewlett-Packard executive told me that security issues can be easily solved but customers have to be willing to pay for them.
Mitre’s recommendations are right on track with that thinking.
“Risk-based security should be viewed as a profit center for the capture of new business rather than a ‘loss’ or an expense,” Mitre writes in its report.
In other words, DOD and the rest of the government have to be willing to pay for securing the supply chain. They have to recognize and value that the dangers of not protecting the supply chain outweigh the extra cost it will take to do so.
But Mitre also recognizes it isn’t just talking about paying contractors more.
“DOD must make better use of its existing resources to identify, protect, detect, respond to, and recover from network and supply chain threats,” the report says.
To do this, DOD needs to make organizational changes, increase coordination with the intelligence community, and cooperate more with the Homeland Security Department and other civilian agencies. It needs better relationships with contractors, new standards and best practices, new acquisitions strategies, and it has to motivate contractors to see active risk mitigation as a “win.”
And not to sound too cynical – motivation means money.
Mitre lays out 15 “courses of action” for DOD:
- Elevate Security as a Primary Metric in DoD Acquisition and Sustainment
- Form a Whole-of-Government National Supply Chain Intelligence Center
- Execute a Campaign for Education, Awareness, & Ownership of Risk
- Identify and Empower a Chain of Command for Supply Chain with Accountability for Security and Integrity to DEPSECDEF
- Centralize SCRM-TAC with the Industrial Security/CI mission owner under DSS and Extend DSS Authority
- Increase DoD Leadership Recognition and Awareness of Asymmetric Warfare via Blended Operations
- Establish Independently Implemented Automated Assessment and Continuous Monitoring of DIB Software
- Advocate for Litigation Reform and Liability Protection
- Ensure Supplier Security and Use Contract Terms
- Extend the 2015 National Defense Authorization Act Section 841 Authorities for “Never Contract with the Enemy”
- Institute Innovative Protection of DoD System Design and Operational Information
- Institute Industry-Standard Information Technology Practices in all Software Developments
- Require Vulnerability Monitoring, Coordinating, and Sharing across the Supply Chain of Command
- Advocate for Tax Incentives and Private Insurance Initiatives
- For Resilience, Employ Failsafe Mechanisms to Backstop Mission Assurance
The Washington Post reported DOD is reviewing the Mitre report before taking any action.
DOD has been looking at the issue since at least 2010, so I wouldn’t expect widespread adoption quickly, but let me know if you hear of any pilots or demos. I can’t help but feel the market is headed in that direction, so be prepared.
Posted by Nick Wakeman on Aug 13, 2018 at 2:11 PM