DoD’s Latest IT Supply Chain Directive Has a Wide Scope

Published: February 23, 2024


The Pentagon’s latest IT supply chain risk management directive impacts commodity and custom hardware, software and service providers.

The Department of Defense (DoD) recently released a DoD instruction (DoDI) focused on further assuring the security of their information technology supply chain to protect mission critical systems, networks and functions.

The directive – issued by Heidi Shyu, the Under Secretary of Defense for Research and Engineering and John Sherman, the DoD Chief Information Officer – establishes policies and assigns responsibilities to “minimize information and communications technology (ICT) supply chain and engineering risks to the DoD’s warfighting capabilities, business, and enterprise information systems …” The directive will implement ICT supply chain risk management (SCRM) requirements in line with the DoD’s SCRM implementation strategy and implement the DoD’s trusted systems and networks (TSN) strategy.

DoD Casts a Wide Scope for Covered Systems and Components

The scope covers “all DoD information systems, networks, and weapon systems,” including National Security Systems (NSS); DoD systems with a high impact level for confidentiality, integrity, and availability; and DoD systems determined as “critical to directly fulfilling military or intelligence missions, which may include some connections to or enclaves of the Non-classified Internet Protocol Router Network, control systems, and business systems.”

The scope also includes DoD systems “supporting national leadership command capabilities; nuclear weapons; nuclear command, control, and communications; continuity of U.S. Government operations; ballistic missile defense; protected satellite communications; and overhead persistent infrared systems,” as well as mission critical functions and critical components, including spare or replacement parts and “high-interest commodity ICT.”

In other words, the scope covers basically every element of the DoD ICT supply chain and nearly every system that uses ICT components, including weapons platforms.

Applying Risk Management to Systems, Components and Suppliers

The directive emphasizes and elaborates on how DoD mission critical functions will be protected through the application of TSN and ICT SCRM practices. This includes addressing critical components to applicable systems and their suppliers, using “supply chain illumination capabilities as part of supplier due diligence to inform risk management decisions.”

Further, risk management processes will be used throughout the entire system life cycle, using TSN processes, tools, and techniques to reduce vulnerabilities; to assess risk, and plan and implement mitigations; and to detect and mitigate “the consequences of unknowingly using products containing counterfeit components or malicious functions.” Mission critical functions, critical components, and risk planning and management activities are to be documented in the program protection plan and in relevant cybersecurity plans and documentation.

Custom and commodity hardware and software will be assessed for vulnerabilities through “thorough use of test and evaluation capabilities, including developmental, acceptance, and operational testing.”

Procurement Impacts

The directive notes that the DoD will “implement tailored acquisition strategies, contract tools, and procurement methods for critical components in applicable systems” to include using its authorities to exclude sources that fail to meet the DoD’s SCRM standards, per Section 3252 of Title 10, U.S.C.

Further, “procurement of custom designed or manufactured integrated circuit-related products and services must be from a trusted supplier using trusted processes accredited by the Defense Microelectronics Activity (DMEA).” In cases when a trusted supplier is not available, DoD requires the procurement to be approved by the defense component head, after undergoing an appropriate risk assessment.

Contractor Implications

Due to the broad scope of the systems, networks and components covered, it is hard to see any supplier within the defense industrial base that is not impacted. Whether you are a commodity IT supplier or a custom solution and/or service provider, your products or services will undergo the DoD’s SCRM scrutiny.

The challenge does not stop there. Since the DoD will tailor its acquisition and procurement strategies, methods and contract vehicles to assure that procured technologies and services meet their trusted supplier and component standards, contractors need to stay attuned to the DoD’s acquisition approaches or risk missing opportunities, even if their offering meets the SCRM technical standards.

Astute contractors will keep ahead of this multifaceted acquisition environment to understand the interplay between the technical policies and standards, the key players with direct responsibility and influence, and the relevant acquisition strategies and approaches that will determine contract award decisions. To miss any part of this puzzle will place you at a competitive disadvantage.