August 31, 2016

Daryl Cromer
Chief Product Security Officer
Lenovo
1009 Think Place
Morrisville, NC 27560

RE: Letter of Attestation for Supply Chain Security Program

Dear Mr. Cromer:

As requested, Chain Security is providing Lenovo with this letter of attestation to attest that Chain Security has reviewed certain aspects of Lenovo’s product security program (“Program”). We describe herein our findings and conclusions based on this review.

Chain Security is an outside advisory firm retained by Lenovo. We anticipate that Lenovo will provide this letter to customers and interested parties, and we are happy to be a resource for such parties who wish to get our third-party view on the state of Lenovo’s Program. (An overview of Chain Security’s qualifications and expertise can be found in Attachment A to this letter.) We anticipate that customers may have questions or want more detail regarding the high-level descriptions contained herein, and Chain Security will support Lenovo to provide those additional details and descriptions as needed.
EXECUTIVE SUMMARY

Chain Security has gathered information from Lenovo through multiple meetings, interviews and telephone conversations with Lenovo officers and employees, as well as from review of documentation provided by Lenovo. Chain Security has directed the information gathering process and made specific requests to Lenovo for information that relates to Lenovo’s Program. This information gathering process has been guided by Chain Security’s expertise and experience in security-related matters, stemming from service in U.S. Government positions and senior management and engineering positions in the commercial sector, as well as strong engineering and product development expertise. We assess that Lenovo has been cooperative and has readily provided the requested information.

Our inquiry has focused on the following components of the Program: (1) Lenovo’s corporate commitment to the Program and delegation of authority for the Program (“Corporate Governance”); (2) integration of the Program into Lenovo’s operations and processes generally (“Security Processes”); (3) security related to Lenovo’s component and subcomponent suppliers (i.e., traditional supply chain) and the implementation of Lenovo’s Trusted Supplier Program (“Trusted Supplier Program”); and (4) an intensive initiative to scrutinize the security of pre-loaded software associated with the latest release of the Windows 10 operating system, which runs on Lenovo products (“Windows 10 Pre-Load”).

The following is an executive summary of our findings and conclusions regarding these four components of the Program:
Corporate Governance

• Lenovo’s CEO has directed each business unit to implement the Program, with support from the Lenovo Product Security Office (“PSO”), across Lenovo’s global operations, under the direction of the Chief Product Security Officer (“CPSO”). The CPSO as well as the PSO and all of its employees are located in Morrisville, North Carolina, but the PSO draws on company-wide resources.
• Lenovo’s CEO has delegated full authority for the Program to the CPSO.
• The CPSO and the PSO are actively promulgating and implementing policies and procedures for components of the Program and are training Lenovo employees on the Program.
Security Processes

• Under the Program, Lenovo implements security requirements through its Offering Delivery Teams (“ODT”), which are responsible for the design, development and production of Lenovo products.
• Each ODT must develop and comply with a Product Security Profile for each product they produce. The Product Security Profile includes each component of the Program in its requirements.
• ODT leads are ultimately responsible for security compliance and are assisted by key ODT team members, and the PSO. ODTs must report to the PSO at key product development process gates or checkpoints in the process regarding compliance with their Product Security Profile requirements.
• Lenovo has provided training on the Program and the requirement for using Product Security Profiles for all ODT leads for the following product lines: ThinkPad, ThinkStation, ThinkCentre, Lenovo Notebook, Desktop, and Servers (ThinkServer and System x).
• The CPSO has authority to stop shipment on any Lenovo product that has not met Program requirements.
Trusted Supplier Program

• Lenovo has developed a Trusted Supplier Program, whereby every supplier of “Intelligent Components” that are included in Lenovo products must be vetted and approved from a security perspective.
• The PSO and procurement personnel submit security questionnaires to each prospective supplier. The suppliers must provide accurate information to Lenovo on matters such as the location and ownership of the supplier and the supplier’s internal security practices and procedures.
• Lenovo has developed contractual language for suppliers that requires suppliers to warrant and represent that the information that the supplier has provided is accurate.
• The PSO conducts a risk analysis on each supplier using the information provided. Any supplier that receives a high risk rating is excluded from Lenovo’s Trusted Supplier List unless the CPSO (or the CPSO’s designee) grants an exception.
• The ODTs can only source components from suppliers on the Trusted Supplier List.
Windows 10 Pre-Load

• In February 2015, Lenovo implemented a process to conduct a security review of every software application that was to be included as pre-loaded software in connection with the release of products containing the Windows 10 operating system (“Windows 10 Pre-Loads”), which reached the market in late summer 2015. This process was implemented to fulfil the “Cleaner and Safer” initiative that was publicly announced. (http://news.lenovo.com/news-releases/lenovos-promise-for-cleaner-safer-pc.htm)
• This Windows 10 security review and pre-load vetting process (“Win10 Process”) was established by and functions under the direction of the CPSO, with support from the PSO. The CPSO established a software security review board (“SSRB”) consisting of personnel from Lenovo business units that produce Lenovo Notebooks, Desktops, ThinkPads, ThinkCentres and ThinkStations.
• Lenovo engaged two prominent third party software security firms to provide third party reviews.
• Through the fiscal year ending March 31, 2016, Lenovo had subjected over 430 internal and third-party software applications to the Win10 Process. Firmware was outside the scope of the review. As part of the process, Lenovo conducts security reviews including the use of internal and external tools and sends software applications with high-level security vulnerabilities to 3rd party security groups for further review. All high and medium risk issues identified were remediated as part of the process. If any application’s risk could not be remediated, then the application was removed from the preload or very limited exceptions were approved.
• Under the direction of the CPSO and the PSO, Lenovo has managed the process of screening applications for its final “golden” pre-load software images (i.e., the image sent to manufacturing to be loaded onto hard drives) to include only applications that were approved in the Win10 Process.
We have also reviewed other components of the Program that are still in development. For example, Lenovo is in the process of improving security for Lenovo’s firmware for its basic input/output system (BIOS) and unified extensible firmware interface (UEFI) (“BIOS Security”). Lenovo also intends to pursue additional security requirements governing the full software lifecycle for all software loaded on Lenovo products, beyond the Windows 10 Pre-Load effort (“Software Lifecycle”). Chain Security will re-issue this letter of attestation with updates as dictated by Lenovo’s progress on programs such as BIOS Security and the Software Lifecycle.
SCOPE OF REVIEW

As of the date of this letter, Chain Security has conducted in-depth interviews with a wide variety of Lenovo personnel, including officers and managers and their direct reports, all of whom are currently located at Lenovo’s North American headquarters in Morrisville, North Carolina. These include (but are not limited to):

Chief Product Security Officer
Chief Quality Officer
Chief Security Officer
Director of Security Architecture
Director of the Product Security Office
Senior Program Manager in the Product Security Office
Program Manager for Secure Development
Program Manager for Supply Chain Security
Global Commodity Managers
Offering Delivery Team Leads for specific products
Director of Software Development / Pre-Load Manager
SSRB lead

We have also reviewed documents provided by Lenovo and have had access to and viewed internal Lenovo networks and databases. While we believe we have performed sufficient diligence and data gathering to provide this letter and to reach the findings and conclusions herein, Chain Security has not independently verified every fact provided by Lenovo. Chain Security and Lenovo have been engaged in developing and implementing the Program for over two years and contemplate an ongoing review and enhancement of Lenovo processes over the coming months.
PARAMETERS OF THE ATTESTATION

Chain Security has requested and reviewed information from Lenovo regarding its product development and supply chain processes in connection with the Program, with a focus on the security of those processes. We are not providing in this letter a full description of Lenovo’s processes nor do we attempt to detail every fact that we have gathered during the review process, but instead are attesting to and recounting only those high-level facts and conclusions that, in our professional judgment, are likely to interest Lenovo customers, including the U.S. Government, who are focused on the security of Lenovo’s supply chain and development processes. As noted above, we stand ready to answer questions and provide further details as requested by relevant third parties.

Chain Security applauds Lenovo’s focus on supply chain and product development security. We encourage a comparison of Lenovo to other vendors and competitors (including U.S.-based companies) on supply chain and product development security matters. We assess that Lenovo is likely ahead of the industry in terms of its focus on and commitment to these issues.
KEY FINDINGS

The following is a summary of Chain Security’s key findings regarding the Program. As noted above, we are recounting herein only a summary of facts that are relevant to our findings:

Corporate Governance

In 2014, Lenovo created its PSO to develop and implement the Program, which is intended to be a broad product security program that spans across Lenovo product lines. The PSO is based in and staffed by personnel in Lenovo’s North American headquarters in Morrisville, North Carolina. The PSO works with and draws upon the expertise and resources of product teams throughout Lenovo’s global operations.

The PSO is under the direct supervision of Lenovo’s CPSO. In an internal policy document issued on February 2, 2016 (Corporate Policy #21 – Lenovo Product Security Policy), which is attached hereto as Attachment B (“February 2016 Policy”), Lenovo’s Chief Executive Officer granted the CPSO full corporate authority, with the resources of the PSO, to implement and be responsible for product security across Lenovo’s global operations (i.e., to implement the Program). The February 2016 Policy states that “[a]ll Lenovo employees and stakeholders are expected to comply with the Product Security Program, and to be responsive to the Program requirements.” The Policy also states that Lenovo “expect[s] Partners and suppliers to make commitments in support of the Security Program as a condition of doing business with [Lenovo].” This Policy has been made available on internal Lenovo systems to Lenovo employees and currently governs Lenovo’s global operations.

On August 3, 2016, Lenovo’s Chief Executive Officer issued a revised version of Corporate Policy #21 – Lenovo Product Security Policy, which is attached hereto as Attachment C (“August 2016 Policy”), following corporate organizational changes. The August 2016 Policy reflects the same commitment to the Product Security Program as indicated in the February 2016 Policy and continues to place responsibility for the Program in the CPSO. Lenovo anticipates that the August 2016 Policy will be publicly available through Lenovo’s company website. The website is currently being revised and updated. Once the August 2016 Policy is posted on the website, it will replace the February 2016 Policy.

Building on the February 2016 Policy (and reiterated by the August 2016 Policy), in early August 2016 the CPSO issued a Lenovo-wide policy regarding implementation of the Program (“Program Policy”), which is attached hereto as Attachment D. The Program Policy has been made available to all Lenovo employees and indicates that all Lenovo employees are required to comply with the policies as a binding corporate policy. The Program Policy states that “[t]he CPSO (with the support of the Product Security Office) has authority and responsibility for ensuring full implementation of the Product Security Program.”

The Program Policy indicates that the Program itself will include the following specific components, each of which will be governed by a component or program policy that will outline specific requirements:

• Product Development, which includes Platform Development and Secure Software Development (Lenovo Secure Development Lifecycle, or LSDL)
• Product Security Governance through the Offering Development Team (ODT), which includes Security Responsibilities of all ODT members and Integration into the Integrated Offering Delivery (IOD) process
• Supply Chain, which includes the Trusted Supplier Program, the Trusted Supplier List, Parts Shipment, Manufacturing, and Finished Goods Shipping
• Product Security Incident Response Team (PSIRT), which includes Organization and Management System and Incident Information

The PSO has implemented a Lenovo-wide training program, primarily through online training modules, to educate Lenovo employees on their obligations under the Program and on supply chain and product security matters generally. As of the date of this letter, four basic training courses have been published by the PSO, plus an introduction into Lenovo Secure Development Lifecycle for software, as well as five core software courses from a 3rd party. Additional advanced classes are also available. As of May 3, 2016, Lenovo employees have completed over 9,400 courses and have passed tests at the end of each course. Lenovo is maintaining records of all courses completed by individual employees.
Security Processes

Lenovo develops products through an Integrated Offering Development process (“IOD”), where all sources and disciplines needed to take a product all the way from marketing and customer requirements to a finished and deployed product work as an integrated team through the entire product lifecycle process. At the root of the IOD process is the platform Offering Delivery Team (“ODT”).

Every product produced by Lenovo has its genesis in and is managed by a product-specific ODT. Each discipline needed for completion of the product is represented on the ODT. Each ODT has a team “lead” who is responsible for managing the team’s processes. The ODT lead reports up to the senior managers of specific Lenovo business units and brand teams (e.g., Lenovo’s Data Center Product Group, which produces Lenovo servers, or the PC and Smart Device Business Group, which produces Lenovo ThinkPads and PCs). There are approximately 100 ODTs operating within Lenovo at any given time. For example, for ThinkPads, there are nine ODT leads, all of whom report to an ODT manager within the Think Business Group—four in Morrisville, North Carolina; four in China; and one in Japan. There are approximately 30 ODTs working on server products.

The ODT process begins with a Marketing Requirements Document (“MRD”), an initial and detailed Offering Definition (i.e., the features and functionality that will be included in the product), and a source plan with a key components list which is ultimately translated into a bill of materials (“Source Plan”). These documents together constitute the full set of “requirements” which must be met in order to design, develop and produce the product.

Under the Program, the ODT now plays a pivotal role in security of each product. In a policy document entitled “Integration of Product Security Within The IOD Process,” issued in August 2016 by the PSO, under the authority of the CPSO and published to Lenovo’s ODTs (“Security Process Policy”), the ODT for each product must create a Product Security Profile (“Profile”). The Profile lists every security requirement of the Program that must be followed and/or included in the product itself as a condition of the product being manufactured and sold to customers. The ODT lead is ultimately responsible for ensuring that each security requirement in the Product Security Profile is met, or providing justification on why it cannot be met.
The ODT leads for the following product lines have undergone training regarding the Security Process Policy and the requirement for using Profiles to check-point security-related matters: ThinkPad, ThinkStation, ThinkCentre, Lenovo Notebook, Desktop, and Servers (ThinkServer and System x).

Each platform ODT includes a Software representative who is the interface into all software activity. The software rep interfaces with the various Software ODTs, from which software applications are developed and/or provided for the system. Each software application has a Software Architect, who will work with the PSO to ensure applications go through the review process. When an application is approved, it can be added to the list of approved software for a platform. This list is a key part of the Product Security Profile for the new system. The PSO provides resources and guidance/advice to the ODT as needed to help it meet the security requirements.

At defined product development gates or checkpoints through the ODT process, the ODT must update the management team (stakeholders) regarding the Product Security Profile. The key checkpoints are: Concept Exit (preliminary Profile), Plan Exit (committed Profile), and System Integration Test (SIT) Exit (actual Profile). The result of these checkpoints is that before the product can move into manufacturing and finally be released to customers, the ODT lead must certify to the CPSO and the PSO that all requirements of the Profile have been met. The CPSO has authority under the Program, delegated from the CEO, to stop shipment on any product that has not met the Program requirements and fulfilled every element of the Profile for that product. ODT leads can petition the CPSO (via the PSO) to modify or waive a particular Program/Profile requirement for a particular product if there is a compelling commercial need to do so. The CPSO has ultimate discretion and authority whether to grant a waiver or exception.

Pursuant to the Security Process Policy, each product Profile must include at least the following security elements. Additional security elements of the Program will be added to Profiles as Lenovo’s implementation of the Program continues to mature:

• As reflected in the MRD for the product, any security-related functionality required by customers (e.g., biometric security controls, custom software image), as well as legal/regulatory requirements (e.g., TAA compliance)
• Only intelligent components (hardware and software) from vendors on the “Trusted Supplier List,” which results from the Trusted Supplier Program (see discussion below), are included in the Source Plan (e.g., no non-approved vendor is allowed to provide any intelligent component for the product)
• Long term service and support plans that take into account security requirements (e.g., geography-based service teams)
• Signing of BIOS or UEFI manifests by the PSO [1]
• Software applications that have been cleared through the Windows 10 Pre-Load process (see discussion below) are pre-loaded on the product

As of the date of this letter, every ODT within Lenovo for the platforms indicated above has been informed that he/she is required to meet Profile requirements as a condition of offering any product to customers.

[1] The BIOS Security process is a component of the Program that is continuing to mature as of the date of this letter of attestation. Future versions of this letter will address the BIOS Security process in further detail.
ODT leads who operate out of Lenovo’s North Carolina facilities have reported to Chain Security that they are in fact implementing Profiles (as required by the Program) and are interacting with the PSO to ensure security requirements are met.

The CPSO has reported stopping shipment on at least one product because Profile requirements were not met.
Trusted Supplier Program

As part of Lenovo’s IOD process for developing products, engineering teams on each ODT create a Source Plan that identifies all components to be included in the ultimate bill of materials (“BOM”). In addition, the ODT must identify all software pre-loads that will be included on the product at the time of sale. The Source Plan identifies not only specific components, but also potential suppliers for the components.

Once suppliers have been identified, Lenovo’s Global Commodity Managers (“GCMs”) must negotiate and enter into supply contracts with the suppliers. In some cases, Lenovo may already have an existing relationship with the supplier. In other cases, Lenovo must forge a new supply relationship. Lenovo and the supplier will typically enter into a supply agreement, which is negotiated by a GCM.

Lenovo has historically had an approval process for identifying and qualifying suppliers based on quality, performance and price. Under the Program, Lenovo has now added security requirements to the supplier qualification process. In a policy document entitled “Trusted Supplier Program,” approved by the CPSO on March 15, 2016 (“TSP”), the PSO has implemented policies and procedures to qualify suppliers for inclusion on the Trusted Supplier List (“TSL”).

In addition to the TSP being part of the Program, as indicated in the CEO’s policy document and in the CPSO’s Security Policy, the TSP fulfills a requirement imposed in the CFIUS Agreement in connection with the purchase of IBM’s x86 server business, specifically Section 8 of the Agreement.

As indicated above, under the Security Policy and in connection with security requirements on the Profile for each product, ODT leads are prohibited from using any supplier not included on the TSL. ODT team members who have identified a supplier as part of the Source Plan must submit proposed suppliers to the PSO for vetting and inclusion on the TSL.

The TSP documentation has been provided to the ODT leads within Lenovo as well as the GCMs for the following product lines: System X, ThinkServer, Notebooks, Desktop, ThinkPad, ThinkCentre, and ThinkStation. The TSP and supporting materials (described more fully below) are being translated into Chinese for use by China-based GCMs and ODTs. One of the training sessions made available to Lenovo employees regarding the Program (see discussion above) covers the TSP and the supplier qualification process for inclusion on the TSL.
The PSO is coordinating with managers within the procurement organization who have responsibility for GCMs to ensure that GCMs are implementing the TSP properly. There are currently two such managers—one in Lenovo’s North Carolina facility and one in China. The PSO tracks the performance of GCMs regarding the TSP process and gives tracking data to the managers. The PSO also regularly updates the CPSO on tracking suppliers who are moving through the process of inclusion on the TSL.

The following is a description of the TSP and how suppliers are included on the TSL, as well as how ODTs use the TSL when creating Source Plans and fulfilling Profile requirements:

Under the TSP, the TSL is limited to suppliers who are providing “Intelligent Components” for Lenovo products. The TSP defines Intelligent Components as “(a) any hardware, software or firmware executable on any microprocessor, (b) the microprocessor itself, (c) any semiconductor device that has processing ability, (d) any device that has internal memory, (e) any component or device that performs a communication function, and (f) any hardware, firmware or software (including operating systems) integrated into or installed on an Intelligent Component.” Intelligent Components can include components, sub-assemblies, whole product assemblies, firmware (including in any component or sub-assembly), and software installed onto the products.

Although both hardware and software components qualify as Intelligent Components, as of the date of this letter of attestation, Lenovo has only implemented the TSP in connection with hardware (including firmware). As Lenovo’s TSP matures, software suppliers will be added (beyond the processes surrounding Windows 10 Pre-Load, as discussed below).

Each supplier of an Intelligent Component is issued a security questionnaire that has been developed by the PSO. The questionnaire seeks disclosures from suppliers on a wide range of security-related questions, including but not limited to location and ownership of the suppliers, security-related incidents, internal security controls within the suppliers’ operations, and visibility and traceability into the suppliers’ own supply chains. The questionnaires are provided to the suppliers by the GCMs. The GCMs gather the completed questionnaires and forward them to the PSO for review and analysis.

The PSO uses a risk analysis model for assessing the information provided on the security questionnaires. The risk model assesses (1) threat posed by the supplier, (2) vulnerability associated with the supplier’s product/component/sub-assembly, (3) likelihood of exploitation, and (4) impact and consequences of exploitation. Each element of the risk model is scored as “no threat/vulnerability,” “low,” “medium” or “high.” The elements are combined to create an overall risk score. A supplier that receives an overall “low” risk is added to the TSL. A supplier that receives an overall “medium” risk is added to the TSL but is flagged with a caution, so that the ODT and ultimately the PSO are aware that there may be security issues to address. The PSO will work with the GCM to urge the supplier to improve its security posture. A supplier that receives an overall “high” risk cannot be included on the TSL unless there are compelling business reasons to do so and the CPSO specifically authorizes the inclusion, after assessing the overall risk profile of the supplier.

For any supplier that qualifies for inclusion on the TSL, Lenovo (via the GCM) negotiates a supplier agreement. The PSO has developed standard contractual language to be used by the GCM in this process. The supplier contract requires the supplier to warrant and represent that the security-related information on the questionnaire is correct. The supplier contract also gives Lenovo the right to conduct security audits of the supplier. For long-standing supplier contracts that existed before the TSP, the PSO and GCMs are seeking to amend existing supplier contracts to include the security-specific provisions.

The TSL is maintained by the PSO as a “living document” that reflects ongoing vetting of suppliers.

The PSO provides each ODT with access to the current TSL, enabling the ODTs to review the Source Plan to ensure that every Intelligent Component in each product’s BOM is being supplied by a supplier on the TSL. The comparison against the TSL by the ODT is done in coordination with the PSO, which serves as a resource to the ODT.

The PSO retains a repository of all security questionnaires submitted by suppliers, which can be reviewed if security-related questions arise.

To date, at least one supplier has been rejected by Lenovo because they would not provide sufficient information on the security questionnaire to allow the PSO to conduct a risk analysis. The ODTs have therefore been prohibited from using this supplier. As of the date of this letter, Lenovo has included 168 suppliers on the TSL.
Windows 10 Pre-Load

The following Lenovo product lines come with a pre-loaded version of the Microsoft Windows operating system: Lenovo Notebook, Desktop, ThinkPad, ThinkCentre and ThinkStation. In addition to Windows itself, PC vendors such as Lenovo typically also pre-load a variety of software applications that are intended to assist the customer with certain functions (e.g., customer support) as well as to earn Lenovo additional revenue by charging the software vendors for inclusion in the pre-load.

The newest version of Windows—Windows 10—was scheduled to be released in approximately July 2015. With its release, Lenovo would again include a variety of additional third party and Lenovo-proprietary software as part of the pre-load package for new Windows 10 products (“Windows 10 Pre-Load”).

In connection with its “Cleaner, Safer” initiative, in February 2015, Lenovo determined to implement a security review for every software application that was part of the Windows 10 Pre-Load. The decision to conduct this security review was made by senior officers within Lenovo and approved by Lenovo’s Executive Committee. The CPSO was charged with creating and implementing the security process for the Windows 10 pre-load. Ultimate authority for the Win10 Process resides with the CPSO. The PSO supports the process.

The CPSO directed the establishment of a Software Security Review Board (“SSRB”) to implement the security reviews and to make security-related determinations. The SSRB consists of a manager and representatives from the PSO and the relevant business units (“BU”). During the initial stages of the Win10 Process, the representatives of the PSO managed most of the security review process, but increasingly the PSO is training BU personnel to conduct initial security testing, with the PSO serving as advisors and resources.

The Win10 Process began with an inventorying of all software within Lenovo that were candidate applications to be included in the Windows 10 Pre-Load. The PSO and the SSRB directly contacted each Lenovo software development team within the relevant BUs (i.e., those producing Notebooks, Desktops, ThinkPads, ThinkCentres and ThinkStations) for an inventory of all Lenovo-developed software applications. The PSO and the SSRB also contacted each software product manager for each product to identify third party applications that were candidates for inclusion in the Windows 10 Pre-Load.

Lenovo engaged with a prominent software security firm in the Washington D.C. area to develop a proprietary review tool, based on the Lenovo process, to expedite the binary analysis of software applications for security vulnerabilities. The criteria for vulnerabilities were set forth in a series of contracts and statements of work between Lenovo and this security firm. The tool produces a report of identified potential security issues for each application. The report ranks the security vulnerabilities on a low, medium or high scale.

The PSO and the SSRB obtained a binary version of each candidate application for the Windows 10 Pre-Load and conducted security assessments for each approved application. Applications that scored a “low” vulnerability based on the tool were either approved for Windows 10 Pre-Load after assessment by the SSRB and the PSO (with final approval by the CPSO) or were subject to security remediation. Among the “low” vulnerability applications that received approval without remediation were certain applications that are widely used in industry and are produced by companies that are viewed as trusted, such that the overall risk associated with the application was acceptable to the CPSO. Those applications that scored as a “low” vulnerability but were designated for remediation, as well as any application that scored a “medium” or “high” vulnerability, were sent to one of Lenovo’s two software security firms for further security review or were subjected to internal Lenovo security remediation. The security firms sent Lenovo a report for each such review on an application-by-application basis and detailed further findings regarding vulnerabilities.

After each remediation, all applications were subjected to retesting to ensure the vulnerability had been addressed. If a vulnerability could not be remediated, the SSRB (with the assent of the PSO) excluded the application from the Windows 10 Pre-Load unless the CPSO agreed that the overall risk associated with the application was acceptable.

Since implementing the Win10 Process, Lenovo has implemented a policy of not shipping any Notebook, Desktop, ThinkPad, ThinkCentre or ThinkStation with any Pre-Load software unless the software has been vetted through the Win10 Process and has been assessed to pass Lenovo’s security parameters. That policy has been effectively implemented with the exception of a very small set of applications that inadvertently slipped through the process and were shipped without security reviews. Once these omissions were identified, the applications were immediately run through the Win10 Process, where it was confirmed that there were no unmitigated security risks associated with these applications. The Win10 Process has not been extended to include all firmware loaded on such products.

For the fiscal year ending March 31, 2016, Lenovo subjected 436 applications to the Win10 Process. Of those, 283 were approved and included in the Windows 10 Pre-Load, with 153 being rejected and/or still undergoing further remediation and testing. The Windows 10 Pre-Load process is ongoing.

Within Lenovo ThinkPad pre-load teams, any software application that is going to be pre-loaded on a product must be sent in binary form from the Lenovo product teams to a pre-load team that is managed by a pre-load manager. The pre-load manager is responsible for assembling all pre-load applications plus the operating system itself (Windows 10) in a “golden” software image that is ready to be loaded onto a product’s hard drive during the manufacturing process. The golden image is stored on a “golden server” that is managed by the pre-load manager and his/her team. Lenovo’s manufacturing facilities and contract manufacturers pull the golden image from the golden server. The pre-load manager has ultimate authority and administrative rights to manage who can have access to the pre-load server. The pre-load team, under the direction of the pre-load manager, keeps an inventory of every application in any golden image. Golden images are retained in an archive on the golden servers. The pre-load manager also maintains a log of the source (by name) of each software application submitted for inclusion in a golden image.
During the Win10 Process, the SSRB and PSO kept an inventory of the file names, versions, and hash numbers associated with each application that had been reviewed and approved for inclusion in the Windows 10 Pre-Load. This inventory was given to the pre-load managers for use in assembling the golden images for each Windows 10 product. The pre-load teams manually inspected and compared the file names, versions and hash numbers of each application submitted by product teams (for inclusion in the golden image) against the list provided by the SSRB and the PSO.

The pre-load managers represented to Chain Security that they had certainty that only approved software applications were included in the golden image for Windows 10 Pre-Loaded products, other than (as mentioned above) the small set of applications that inadvertently slipped through the process. Pre-load managers have identified applications submitted for inclusion in the golden image that were not approved in the Win10 Process and rejected those submissions. The pre-load teams digitally signed each golden image with their own unique digital signature after confirming that only approved software applications were included.
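The inventory comparison and signing step described in the two paragraphs above can be expressed as an automated check, which is shown here as an added illustration written for this edit; it is not code from the letter, from Chain Security or from Lenovo’s pre-load teams. The letter only says “hash numbers”, so SHA-256 is assumed as the hash; the sample binaries, the approved inventory and the key are constructed; and an HMAC over the accepted-file manifest stands in for the team’s digital signature (a real deployment would use an asymmetric signature key held by the pre-load manager). A submission is accepted only when file name, version and hash all match an inventory entry, so both an unreviewed application and a rebuilt binary carrying an approved name and version are rejected.

```python
import hashlib
import hmac
from dataclasses import dataclass


@dataclass(frozen=True)
class ApprovedApp:
    """One row of the SSRB/PSO inventory: file name, version and hash."""
    filename: str
    version: str
    sha256: str


def sha256_hex(data: bytes) -> str:
    # Assumption: SHA-256 is the "hash number" the inventory records.
    return hashlib.sha256(data).hexdigest()


# Constructed stand-ins for binaries the product teams submit: name -> (bytes, version).
SUBMITTED = {
    "SupportTool.exe": (b"constructed bytes of support tool v2.1.0", "2.1.0"),
    "UpdateAgent.exe": (b"constructed bytes of update agent v1.4.2", "1.4.2"),
    "PartnerOffer.exe": (b"constructed bytes of an unreviewed partner app", "3.0.0"),
    # Same name and version as the reviewed build, but different bytes.
    "Diagnostics.exe": (b"constructed bytes of diagnostics v5.0.1 REBUILT", "5.0.1"),
}

# Constructed approved inventory, as the SSRB/PSO list would provide it.
APPROVED = [
    ApprovedApp("SupportTool.exe", "2.1.0", sha256_hex(b"constructed bytes of support tool v2.1.0")),
    ApprovedApp("UpdateAgent.exe", "1.4.2", sha256_hex(b"constructed bytes of update agent v1.4.2")),
    ApprovedApp("Diagnostics.exe", "5.0.1", sha256_hex(b"constructed bytes of diagnostics v5.0.1")),
]


def check_submission(submitted, approved):
    """Compare each submitted file against the inventory on name, version and hash.

    Returns (accepted, rejected): accepted maps file name -> ApprovedApp,
    rejected maps file name -> reason string.
    """
    index = {(a.filename, a.version): a for a in approved}
    accepted, rejected = {}, {}
    for name, (data, version) in submitted.items():
        entry = index.get((name, version))
        if entry is None:
            rejected[name] = "not on approved inventory (name/version)"
            continue
        if not hmac.compare_digest(sha256_hex(data), entry.sha256):
            rejected[name] = "hash mismatch: binary differs from the reviewed build"
            continue
        accepted[name] = entry
    return accepted, rejected


def image_manifest(accepted) -> str:
    """Deterministic manifest of what went into the golden image (sorted by file name)."""
    rows = sorted(accepted.values(), key=lambda a: a.filename)
    return "".join(f"{a.filename}\t{a.version}\t{a.sha256}\n" for a in rows)


def sign_manifest(manifest: str, key: bytes) -> str:
    # Assumption: HMAC-SHA256 stands in for the pre-load team's digital signature.
    return hmac.new(key, manifest.encode(), hashlib.sha256).hexdigest()


def verify_manifest(manifest: str, key: bytes, tag: str) -> bool:
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def build_golden_image(submitted=SUBMITTED, approved=APPROVED, key=b"constructed-preload-team-key"):
    """Run the check, build the manifest of accepted files and sign it."""
    accepted, rejected = check_submission(submitted, approved)
    manifest = image_manifest(accepted)
    return {
        "accepted": sorted(accepted),
        "rejected": rejected,
        "manifest": manifest,
        "tag": sign_manifest(manifest, key),
    }


if __name__ == "__main__":
    result = build_golden_image()
    print("accepted:", result["accepted"])
    for name, reason in result["rejected"].items():
        print("rejected:", name, "->", reason)
    print("manifest tag:", result["tag"])
```

The rejection reasons are deliberately distinct: a name/version not on the inventory is the case the letter describes (an unapproved submission), while a hash mismatch on an approved name and version is the case a manual name-and-version check alone would miss. Manufacturing sites pulling the image can re-run `verify_manifest` against the stored tag before loading it.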
TheCPSOandthePSOintendtofurtherstreamlinetheWin10Processforfuture
softwaresecurityreviews,includingplacingmoreresponsibilityontheBUstoconductand
supportthesecuritytesting.ThePSOwillremainaresource.
The initial SSRB is based in North Carolina, but Lenovo has just created a second SSRB in China that will focus on specific products for the Chinese market, with Chinese security standards to govern the security review. The Chinese SSRB will likely mirror the initial SSRB. The Chinese SSRB is using the resources of the PSO and is still subject to final authority of the CPSO, who has global security responsibilities for Lenovo products.
CONCLUSIONS
Chain Security believes that Lenovo's implementation of the four identified components of the Program — Corporate Governance, Security Processes, Trusted Supplier Program and Windows 10 — meets or exceeds industry standards from a supply chain and product development security perspective and is likely at or above the level of its peers, including companies that are headquartered in the United States and currently provide products to the U.S. Government. In addition, Lenovo appears anxious and motivated to continue to improve its processes, and Chain Security is assisting them to do so, including with the implementation of BIOS Security and Software Lifecycle processes.
We are available to discuss the contents of this letter with you and/or other appropriate third parties. Please do not hesitate to contact me at 571.344.9625 (mobile) / [email protected]. Our office number is 571.354.0068.
Sincerely,
Christopher P. Simkins
Chain Security, LLC
11490 Commerce Park Drive, Suite 200
Reston, VA 20191
571.306.2929 (direct)
ATTACHMENT A – Qualifications of Chain Security, LLC
Capabilities Summary
Overview
Chain Security is based in the Washington, DC area, with strong ties to Silicon Valley. Our team has deep technical and operational experience in government and commercial sectors. Our senior team members have built successful technology start-up companies and worked in government agencies, telecommunication carriers and defense contracting companies. Our technical experts and engineering team have hands-on experience designing, building and operating government and commercial programs and systems. We understand the full lifecycle of technology development, from design to sourcing to manufacture to deployment and customer support. Our experience allows us to assess the role particular technologies play in U.S. Government systems and operations and to understand how U.S. Government and critical infrastructure entities may view interactions of businesses operating in the U.S. with foreign owners, managers, investors, employees, vendors and subcontractors.
Chain Security also provides supply chain intelligence and analytics through its Chain Security Intelligence services. Through our analysis of supply chains and product development organizations, Chain Security Intelligence produces data-intensive supply chain models (using commercial visualization tools) that can show the commercial "chain of custody" for intelligent components (software and hardware) for specific technologies, from R&D all the way to deployed systems.
Leadership
Christopher P. Simkins, Co-Founder and CEO: [email protected]; 571.344.9625 (mobile); 571.306.2929 (direct office)
Former Senior Official in U.S. Dept. of Justice (DOJ); investigator/prosecutor in DOJ's Counterespionage Section; reviewed over 200 transactions as DOJ's representative to CFIUS; CFIUS negotiator in a number of prominent transaction reviews where national security mitigation agreements were implemented; former senior corporate lawyer and current entrepreneur and consultant; breadth of experience helping U.S. and foreign companies do business and interact with USG interests and comply with U.S. regulations (e.g., CFIUS, export control, NISPOM)
Jeffrey Stern, Co-Founder and COO: [email protected]; 408.608.8184 (mobile)
Former Senior Vice President – Government Solutions, TerreStar Networks; technology executive with broad engineering, sales & marketing experience in mobile network design and emergency communications; executive leadership experience in both Silicon Valley and Washington, DC settings; multiple successful exits for start-up technology companies; co-founder Independence Technologies (BEA/Oracle); co-founder GoBeam, a Business VoIP SaaS pioneer (Covad Communications); consultant to multiple companies providing technical and operational solutions to U.S. Government customers
ATTACHMENT B – Lenovo Corporate Policy #21 – Lenovo Product Security Policy (February 2, 2016)
Corporate Policy #21 – Lenovo Product Security Policy
August 3, 2016

Lenovo is committed to offering products that meet or exceed industry standards for security. Our customers must be able to use Lenovo's products with confidence that they have the tools that enable them to protect their data, and that our products minimize the risk of vulnerability to malicious or unauthorized use or attack by any third party. We deliver on these commitments by doing the following:
1. Including security as a design feature in all our products,
2. Adopting robust security practices
3. Appropriately managing, implementing, and validating security practices and processes throughout the entire lifecycle of our products.

We require our employees and stakeholders, as well as our suppliers, to support these commitments. In furtherance of these security commitments, Lenovo has taken the following steps:
• Established a comprehensive product security program ("Product Security Program") managed by the Corporate Product Security Office (PSO), which reports directly to the Chief Product Security Officer (CPSO). This program encompasses critical security processes and practices being implemented across product lines. Lenovo employees and stakeholders are required to comply with the Product Security Program, and to be responsive to the Program requirements. In addition, Lenovo requires suppliers to make commitments in support of the Security Program as a condition of doing business with us.
• Identified the corporate Chief Product Security Officer (CPSO), and designated the CPSO as the Lenovo official responsible for developing, implementing, and enforcing Product Security Programs and processes across Lenovo. The Product Security Office under the CPSO has the authority and resources to carry out these responsibilities.
• Authorized the PSO to develop and implement industry leading security best practices

In addition to the above items, Business Units may incorporate additional controls to meet specific regulatory or customer requirements. It is clear that the security of our products is a key factor in our customers choosing Lenovo as their supplier of IT equipment.

Yuanqing Yang
Chairman & CEO
Lenovo
ATTACHMENT C – Lenovo Corporate Policy #21 (revised) – Lenovo Product Security Policy (August 3, 2016)
ATTACHMENT D – Program Policy Issued by Chief Product Security Officer
(ATTACHMENT D cont.)