Mitre Corp. recently released a report, publicly supported by the Department of Defense (DoD), that details the only suitable path forward for the federal supply chain: secure it and reward it. The strategy, coined "Deliver Uncompromised", is centered around shoring up the security seams of the DoD ecosystem at every level so that soldiers, their resources, and their critical information are not compromised. Most notably, it proposes adding a "4th Pillar" (security) to the original three (cost, schedule and performance) in the acquisition process.
The report begins by explaining the present and future paradigm of war, where the most damage can be inflicted on the cyber front with far fewer enemy casualties, far less capital, and far less attribution. Therefore, DoD must now take a more deliberate stance on cyber security and the technical risk mitigations required to thwart foreign perpetrators. This stance, however, comes with an expense to the Government and to its suppliers.
DoD, Congress, and the White House have yet to explicitly explain 'how' and 'when' they will begin to enforce true technical compliance. It is well known in industry that all new DoD RFPs require DFARS 7012 compliance, but there are no official audits taking place and no explicit mandates to demonstrate actual security. This new strategy changes all of that.
The report states: "Risk-based security should be viewed as a profit center for the capture of new business rather than a “loss” or an expense harmful to the bottom line." Mitre suggests "[DoD] use its purchasing power and regulatory authority to move companies to work with DoD to enhance security".
The report breaks it down this way:
- Require businesses to incorporate new security measures
- Reward superior security measures in the source selection process
- Include contract terms that impose security obligations
- Use contractual oversight to monitor contractor accomplishments.
All of this leads to one thing - proof. In the old Jerry Maguire dialect, "Show me the compliance!!"
If the Government chooses this direction, contractors will soon be required to show proof of ACTUAL implementation of technical controls, NOT simply documentation that they will address it down the road. To clearly show "superior security measures" and to effectively "monitor accomplishments", contractors will need proof. A list of to-do's will not work.
Several suggestions are made throughout the document, and the most viable mode of assessing businesses is through a third-party auditing organization with the use of an independent scoring system. The report also proposes the Government provide contractors incentives such as tax breaks to embrace supply chain security. Exact terms and types of tax breaks are not clearly defined in the report, but some money is better than no money.
"In the competitive source selection process, DoD should incentivize bidders to make demonstrable and independently verifiable improvements"
Here are some interesting comments to the Washington Post article about this report.
Finally, a list where Huntsville is on top of Silicon Valley!
This take is not focused on incentives or breaks, but on enforcement. There is a balance that must be struck. Let's hope that we not only ensure that we conduct source selection ethically but that we are building our future systems securely. That seems like common sense to me.
There is a common misconception that DFARS compliance is a $3-5,000 investment and a sheet of paper. Unfortunately, implementing the actual technical controls requires a budget similar to the one described by Mr. Melnyk here. There are ways to break it up, nevertheless.
Recorded Discussion with One of the Authors of "Deliver Uncompromised"
The Mitre report also gives the Government direction on how it should internally share knowledge and how it should treat software providers; however, we've left out our assessment of these two areas in order to share the most salient points with our audience.
"Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War", by MITRE Corporation
Original article source
"Pentagon is rethinking its multibillion-dollar relationship with U.S. defense contractors to boost supply chain security" by Ellen Nakashima of the Washington Post