State of Supply Chain Risk Management: A NASA Perspective Kanitra Tyler October 17, 2019


Page 1: State of Supply Chain Risk Management: A NASA Perspective · ASAMs monitor any software deployed within the Agency, regardless of it’s function, injects a risk into NASA’s infrastructure

State of Supply Chain Risk Management: A NASA Perspective

Kanitra Tyler October 17, 2019

Page 2

Let’s Work Together

Page 3

The Journey Begins…

Issue
• NASA IG Report IG-18-19 identified weaknesses in SCRM practices
• Internal controls: risk of cyber-espionage or sabotage
• Does not consistently coordinate with the FBI in the review process

Scope
• Achieve mission-focused SCRM processes and structure
• Cultivate interagency and intra-Departmental SCRM communications and outreach
• Develop SCRM capabilities that provide resources, tactics, techniques, and procedures
• Establish an Agency-wide education, training and awareness campaign

Approach
• Execute ICT Supplier Risk Management Analysis and Mitigation Plans
• Integrate ICT SCRM into all Mission Directorates' & Stakeholders' activities

Page 4

Understanding the Federal Drivers

Management of Federal Information Resources - 1985-2016

Federal Information Security Modernization Act - 2014

Page 5

Executive Order on Securing the ICT and Services Supply Chain

The Executive Order declares a national emergency regarding telecommunications equipment that could pose a national security threat. This EO PROHIBITS U.S. companies in six major ways:

• Acquiring
• Exporting
• Importing
• Transferring
• Installing
• Using

any telecommunications equipment that the Department of Commerce declares to be a national security risk.

Be Aware:
• Suppliers who provide telecommunications products are subject to the Export Administration Regulation (EAR)

Page 6

Federal Acquisition Supply Chain Security Act of 2018

THIS BILL ESTABLISHES TWO MAJOR THINGS
1. A Federal Acquisition Security Council (FASC) within the Executive Branch
2. The Office of Management and Budget shall designate a senior-level official to serve as the chairperson of the council

Any Agency that makes IT available for procurement by other Agencies shall do the following four major things:
• identify information technology products
• complete a risk assessment of such products
• in each case in which the agency identifies a significant supply chain risk posed by information technology, make the risk assessment available to all Agencies through the council and develop a plan to mitigate that risk
• develop a vetting process

Department of Homeland Security may:
• Assist Agencies in conducting risk assessments and implementing mitigation requirements for information technology
• Provide such additional guidance or tools as necessary to support actions taken by Agencies.

Page 7

Covered Article

As defined in the Federal Acquisition Supply Chain Security Act of 2018 all “covered articles” are subject to SCRM requirements.

The term ‘covered article’ means—
(A) information technology, as defined in section 11101 of title 40, including cloud computing services of all types;
(B) telecommunications equipment or telecommunications service, as those terms are defined in section 3 of the Communications Act of 1934 (47 U.S.C. 153);
(C) the processing of information on a Federal or non-Federal information system, subject to the requirements of the Controlled Unclassified Information program; or
(D) hardware, systems, devices, software, or services that include embedded or incidental information technology.

Page 8

Understanding the Community

Enterprise Catalog (figure): an enterprise-wide solution connecting the NASA Centers (GSFC, LaRC, NSSC & SSC, GRC, ARC, AFRC, JSC, KSC, MSFC, NMO / JPL, HQ) and exporting the Assessed & Cleared List via API | CSV files; external service providers, suppliers and partners.

Page 9

Understanding the Distribution Channels

Understanding the Distribution Channels (figure): equipment reaches US Government Agencies either directly from the PRC, via US Distributors, or through intermediary countries; the channels are labelled DIRECT, TRUSTED and P-CARD.

Page 10

Understanding the “As-Is” Process

Customer: Initiates procurement request for Agency missions

Center SCRM POC / Preliminary Reviewer: Analyst interfaces between Centers and the OCIO Office

Center OCIO: Conducts internal review to verify whether the item has been previously assessed and cleared by OCIO. If yes, the request is forwarded to the Office of Procurement for processing. If not, an RFI is forwarded to the Center SCRM Analyst for further review

NASA OCIO SCRM Analyst: OCIO Analyst conducts risk assessment

NASA OCIO: Makes final determination to clear item based on assessment. If cleared, item is added to the ACL and Center is notified to proceed with purchase. If not cleared, Center is notified of final decision.

NASA’s Office of the Chief Information Officer (OCIO) Request for Investigation (RFI) Process

External Collaboration: Consults with the Federal Bureau of Investigation, Department of Defense, National Institute of Standards and Technology, NASA’s Counterintelligence Office and other NASA cybersecurity partners to understand threat vectors and system and/or component acquisition risk to the NASA environment, and to develop risk mitigation strategies.

Office of Procurement: Initiates purchase request of assessed and cleared item.

Page 11

Understanding Service Requirements

To establish a formal SCRM service (program) and process, a standard for SCRM-based decisions must be achieved:

Implement: Implement a risk management hierarchy and risk management process

Establish: Establish an organization governance structure and process that integrates ICT SCRM requirements

Assess: Use risk assessment processes after the impact level has been defined, including criticality analysis, threat analysis, and vulnerability analysis

Implement: Implement a quality and reliability program that includes assurance and quality control processes and practices

Page 12

The Three P’s of NASA SCRM

Provenance
• Blockchains - Transparent, Traceable, and Tamper-Proof Supply Chain Data
• Each link in the Supply Chain being able to trust the link before and after it

Pedigree
• Tracking of manufactured products through the distribution channels prevents counterfeiting and ensures safety and security of products

Position
• Innovation and efficiency in contracting management with provider optimization and redundancy

Page 13

It Takes A Village

As stated by NIST: Effective ICT SCRM is an organization-wide activity that involves each organizational tier (Organization, Mission/Business Processes, and Information Systems) and is implemented throughout the system development life cycle.

Page 14

The Three Tiers of Involvement

Tier 1: Executive Leadership
CEO, CIO, COO, CFO, CISO, CTO, Risk Executive

Tier 2: Business Management
Program Management, Research and Development, Engineering, Acquisitions, Procurement, Cost Accounting, Other management related to: Reliability, Safety, Security, Quality

Tier 3: Systems Management
Architect, Developers, System Owner, QA / QC, Test, Contracting Personnel, Approving selection, Payment and Approach for Obtaining, Maintenance Engineering, Disposal Personnel

Page 15

Cybersecurity & ICT SCRM

Today there are ever-growing cyber and supply chain risks. As one of the largest innovators in the world, it is important for NASA to keep the pace and stay ahead of the threats. However, you may be wondering what the relationship between ICT SCRM and Cybersecurity is. Simple: cybersecurity becomes involved when one acquires, or attempts to introduce, any type of “covered article” into the operational environment.

There are four major ways to stay abreast of your Cybersecurity Supply Chain:

1. Establish the System Context & Lifecycle
2. Understand Your Acquisition Lifecycle
3. Take Action
4. Stay Vigilant

Page 16

What is the Relationship?

Figure: ASAM - Procurement / Strategic Sourcing; ITAM - Tracking IT Software Procurements; SCRM - Procurement.

Agency Software Asset Management (ASAM): ASAMs monitor any software deployed within the Agency; regardless of its function, it injects a risk into NASA’s infrastructure from a cybersecurity and software compliance perspective. NASA must deploy an Agency-wide approach to software management.

IT Acquisition Management (ITAM): ITAMs provide active, timely and professional management of NASA software. The ELMT works closely with the NASA Center ITAMs and representatives of originating organizations to manage licenses in the ELMT Portfolio and to eliminate the possibility of license duplication.

SCRM: NASA ICT SCRM. With ICT globalization, the strategic drivers for this business need are the security and integrity of all mission-critical systems, focusing intently on the classified National Security Systems (NSS) and the high- and medium-impact unclassified systems that support our most critical missions.

Page 17

What is Your Current Process?

Does your process include adequate analysis? Do you have a centralized, transparent, and easy-to-use vendor evaluation method? Do you have an equally accessible but fully-vetted method for requests, approvals, purchases, and payments?

If your answers to these questions are no, managing your supply chain will be very tough.

Page 18

“As-Is” Process & Value Determinations

Analyze: 8 Roles & 41 Process Steps Identified
• 21 identified as Red: Waste
• 17 identified as Yellow: Waste, yet required
• 3 defined as Green: Value added

Page 19

“To Be” State

• Phase 1: Proactively establish and manage a catalog of items vendors would like to offer NASA
• Suppliers/vendors and products & services managed in the Agency Risk Information Security Compliance System (RISCS)
• Supports a proactive assessment cadence
• Addresses remaining IG findings
• Mirror LaRC’s “Software & Hardware Evaluated for Lifecycle Fulfillment” (SHELF) solution at an Enterprise level
• Automated, ServiceNow based, timely & customer friendly
• Replaces ACL (SharePoint) with automation and accountability
• Customers buying “off the SHELF” are never confronted with the NF1823

Page 20

“To Be” State

• TOP SHELF = Enterprise SCRM Solution: “Total Operational Provisioning of Software and Hardware Evaluated for Lifecycle Fulfillment”

TOP SHELF Introduces:
• Centralization
• Standardization
• Workflow
• Automation
• Accountability
• Efficiencies
• Extensibility

TOP SHELF:
• Leverages a pre-existing solution to quickly bring SCRM into compliance with federal drivers.
• Establishes end-to-end governance necessary to close remaining IG finding.
• Positions SCRM as an enabling platform for other NASA services.

Page 21

Integrated SCRM Flow Chart (figure)

Customer path: the Customer checks TOP SHELF. Item in TOP SHELF? Y: Product / Service Approved, COMPLETE. N: a New SHELF Item is created; SHELF generates 4 questions (What? Why? Impact? Use?) and the Customer answers them; the ISSO decides what needs to be done (ISSO Approve? N: REJECT); OCIO / OCSS conducts the SCRM SCRA and generates a report & supporting materials. CLEAR: APPROVED and added to TOP SHELF. Exceed Risk Threshold or DNE: REJECT, with an appeal submitted by the ISSO.

Vendor path: Supplier Product / Service Offerings; the Supplier completes the Blanket Clearance Questionnaire and submits via VMM; OCIO / OCSS / SCRM Service Owner review; the SCRM Service Owner notifies the Vendor / Supplier; Added to TOP SHELF.

Page 22

SCRM as a Service

1. Portfolios: Portfolios are used to compare different risk perspectives within a company. They are used to group suppliers in order to easily compare them with each other.

2. Risk Assessment: An analysis of publicly available information about suppliers. They contain an Executive Summary, Corporate Overview, Risk Summary, Risk Narratives, and Analyst Comments.

3. Risk Factor Narrative: An in-depth description of the sources of the risk for that Risk Factor.

4. Eco-System Mapping: Eco-System mapping refers to how the Platform identifies, categorizes, and visually represents relationships between entities.

Page 23

What are the Challenges?

• Ensuring that supply chain risk is understood to be a shared risk – not owned by cyber or any other functional areas across the Enterprise.

• Balancing ICT supply chain risks with the costs and benefits of mitigating controls.

• Engaging partners, to include suppliers/vendors, in the SCRM discussion.

• Obtaining access to non-public supplier and/or product information.

Page 24

The State of NASA SCRM is Strong

• SCRM represents the Agency’s first line of cybersecurity defense.

• TOP SHELF provides a unique opportunity to proactively manage what we introduce and monitor what we have.

• Integration and support for NSINS, ITAM, ASAM/SWLM, SEWP

• SEWP integration will offer Federal agencies a procurement vehicle for SCRM assessed and cleared products.

• “TOP SHELF may well represent one of the biggest benefits the OCIO has ever delivered its customer base.”

Page 25

Q & A

Questions?

Kanitra D. Tyler, CISSP, CAP, CEH, NSA IAM/IEM, CHFI, CECS, ITIL v3

Supply Chain Risk Management (SCRM) Service Owner
Office of Cyber Security Services (OCSS)
NASA Office of the Chief Information Officer (OCIO)

301.286.6173 – phone
301.286.4262 – fax
240.313.8727 – cell

SIPR Email: [email protected]
Email: [email protected]
240-684-9053 (secure phone)