The supply chain is about much more than products as that complex web of factors also includes software, security, people, partners and processes. Those factors are crucial to business success.
At one time, talking about the supply chain focused on stuff -- moving it from the plant to the warehouse to the distributor to the seller and then delivering it the user.
That’s still a relevant model but today's supply chain is also about software, security, compliance, partners, and people.
We gathered a group of executives from across the government market to talk about the supply chain and how threats and risks to that supply chain affect their businesses. The virtual discussion is part of a series of roundtables that Washington Technology is conducting.
We convene a group of top executives in the market to share their insights on a particular topic. The discussion is on the record, but we operate under Chatham House rules in that comments will not be attributed to the individuals nor their companies. See the list at the bottom of this story to view who attended our discussion.
Our roundtable began with a discussion about how the thinking around the supply chain has evolved. Securing the supply chain has been a rising issues for several years, but that has become particularly acute as the COVID-19 pandemic has disrupted manufacturing and pushed substantial numbers of people to work from home.
The focus used to be on optimizing the supply chain because companies wanted keep inventories low.
“It was about efficiency,” one executive said. “Not it is as much about resilience and security.”
Company supply chains now include what executives called third-party entities.
“You have to include anything that is necessary to make your company operate,” another executive said.
In delivering anything to a customer, companies have to look at every step in the process and weigh the cybersecurity risks. Even a process that is very low risk.
“You have to bring that lens to it,” one participant said.
Around 50 percent of one company's revenue goes through its supply chain, an executive from that firm said. No other participants questioned that number.
Much of the supply chain for government contractors is labor provided by their partners and subcontractors, executives said.
“If you look at the Washington Technology Top 100, I would say for the majority of the larger companies, the number one thing they’re procuring is labor from other companies,” one executive said.
The tight labor market has been exacerbated by the “great resignation” and is as much a supply chain issue as it is a human resources challenge, they said.
Interestingly, these executives don’t see the current supply chain challenges as a place to gain an advantage over one another.
It isn’t unusual for executives to call their peers at other companies and talk about issues and concerns they have.
“We call each other and ask, how are you guys interpreting this? What are you looking at,” one executive said. “Because this impacts us as a community more than it impacts us individually.”
Companies across the market compete in some instances and partner in others, so they want each other to have strong reliable supply chains. After all, they are part of each other’s supply chains.
“It is just too important to be insular,” one said. “Nobody’s going to be successful if you’re insular.”
One of the government’s biggest attempts to address supply chain security has been the Defense Department’s Cybersecurity Maturity Model Certification initiative. CMMC has been scaled back from its first iteration and has yet to be implemented.
But many of the executives at the roundtable are not big fans of CMMC. Version 1.0 was too ambitious and while version 2.0 is a scaled back and should be less costly, it still relies on third-party assessors and annual audits that put the focus on compliance, which doesn’t always translate to security. They also complained about the many delays and changes in direction that CMMC has gone through.
“The whole process has been a cluster,” one executive said.
Several questioned the need for third-party assessors and believed that self-attestation can work. Plus, there is policing going on right now through the vetting process as companies form partnerships.
“I can’t tell you how many of the companies on this roundtable have come to me with questionnaires and forms asking, how do you comply with NIST 800-171,” an executive said.
Some may ask, how does one know a company has secured their supply chain?
“Well, its an existential threat for companies,” one participant said. “We want a secure supply chain because it is a core part of our business.”
With the pandemic driving so many workers home, a new supply chain vulnerability also was exposed.
“Maybe you had 100 or so threat vectors before but now you multiply that by your number of employees that are working from home,” an executive said.
The FBI has warned about an exponential increase in ransomware attacks since the pandemic began. While large businesses can weather those attacks, small businesses are particularly at risk and struggle to recover.
“It’s a huge, huge deal,” one participant said.
Having a mostly-remote workforce means that companies need to consider bandwidth demands and availability, as well as access to cloud environments and tools. Those considerations can then have an impact on how data is managed across the enterprise.
“The impact of a remote workforce is going to go on for a long time after COVID is resolved,” an executive said. “It is one of the biggest issues with new hires. It’s the first question they ask, Do I have the ability to work remote?”
Remote work requires trust and that brings in culture.
“We have the systems; we have the tools, but none of them are completely bulletproof,” one participant said. “So, at the end of the day, you’re forced to rely on culture, and training and reminding employees that there is no perfect system. You always have to be vigilant.”
With so many factors being considered part of the supply chain today, companies need to think of it differently.
“We’re recognizing now that what we really have is a supply network; it’s more than an integrated chain,” one said. “We’re seeing a ton of external factors; it’s multi-dimensional. It has fundamentally changed how we think about it.”
Bob Gemmill, chief procurement officer, Leidos
Ronald “Fog” Han, executive vice president, strategic growth, Amentum
Alexis McGuire, staff VP, deputy supply chain officer, GDIT
John Mendez, senior director, federal business enablement, Dell Technologies
Joe Niehaus, director, supply chain management, LMI
Paul Ott, federal supply chain practice lead, Accenture Federal
PV Puvvada, CEO, NetImpact Strategies
Larry Senger, VP, supply chain sustainability, Dell Technologies
Dirk Smith, SVP, corporate services, Serco Inc.
Jeremy Wensinger, chief operating officer, Peraton
NOTE: Washington Technology Editor-in-Chief Nick Wakeman led the roundtable discussion. The November virtual gathering was underwritten by Dell Technologies, but both the substance of the discussion and the published article are strictly editorial products. Neither Dell nor any of the participants had input beyond their comments.