State of Supply Chain Risk Management: A NASA Perspective
Kanitra Tyler October 17, 2019
Let’s Work Together
The Journey Begins…
Issue
• NASA IG Report IG-18-19 identified weaknesses in SCRM practices
• Internal controls - risk of cyber-espionage or sabotage
• Does not consistently coordinate with the FBI in the review process
Scope
• Achieve mission-focused SCRM processes and structure
• Cultivate interagency and intra-Departmental SCRM communications and outreach
• Develop SCRM capabilities that provide resources, tactics, techniques, and procedures
• Establish an Agency-wide education, training and awareness campaign
Approach
• Execute ICT Supplier Risk Management Analysis and Mitigation Plans
• Integrate ICT SCRM into the activities of all Mission Directorates and Stakeholders
Understanding the Federal Drivers
Management of Federal Information Resources - 1985-2016
Federal Information Security Modernization Act - 2014
Executive Order on Securing the ICT and Services Supply Chain
The Executive Order declares a national emergency regarding telecommunications equipment that could pose a national security threat. This EO PROHIBITS U.S. companies in six major ways:
• Acquiring
• Exporting
• Importing
• Transferring
• Installing
• Using
any telecommunications equipment that the Department of Commerce declares to be a national security risk.
Be Aware:
• Suppliers who provide telecommunications products are subject to the Export Administration Regulation (EAR)
Federal Acquisition Supply Chain Security Act of 2018
THIS BILL ESTABLISHES TWO MAJOR THINGS
1. A Federal Acquisition Security Council (FASC) within the Executive Branch
2. The Office of Management and Budget shall designate a senior-level official to serve as the chairperson of the council
Any Agency that makes IT available for procurement by other Agencies shall do the following four major things:
• identify information technology products
• complete a risk assessment of such products
• in each case in which the agency identifies a significant supply chain risk posed by information technology, make the risk assessment available to all Agencies through the council and develop a plan to mitigate that risk
• develop a vetting process
Department of Homeland Security may:
• Assist Agencies in conducting risk assessments and implementing mitigation requirements for information technology
• Provide such additional guidance or tools as necessary to support actions taken by Agencies.
Covered Article
As defined in the Federal Acquisition Supply Chain Security Act of 2018 all “covered articles” are subject to SCRM requirements.
The term ‘covered article’ means—
(A) information technology, as defined in section 11101 of title 40, including cloud computing services of all types;
(B) telecommunications equipment or telecommunications service, as those terms are defined in section 3 of the Communications Act of 1934 (47 U.S.C. 153);
(C) the processing of information on a Federal or non-Federal information system, subject to the requirements of the Controlled Unclassified Information program; or
(D) hardware, systems, devices, software, or services that include embedded or incidental information technology.
Understanding the Community
[Diagram; only the labels survived extraction. Center: "Enterprise Catalog" / "Enterprise-wide Solution", "Connecting & Exporting API | CSV Files", "Assessed & Cleared List". Surrounding NASA Centers: GSFC, LaRC, NSSC & SSC, GRC, ARC, AFRC, JSC, KSC, MSFC, NMO / JPL, HQ. Also shown: "External service providers, suppliers and partners".]
Understanding the Distribution Channels
[Diagram; only the labels survived extraction. Three channels are labeled DIRECT, TRUSTED and P-CARD. Recovered path labels: "Directly from PRC"; "PRC through intermediary countries" (repeated for several paths); "US Distributors"; "US Government Agencies".]
Understanding the “As-Is” Process
Customer: Initiates procurement request for Agency missions
Center SCRM POC / Preliminary Reviewer: Analyst interfaces between Centers and the OCIO Office
Center OCIO: Conducts internal review to verify whether the item has been previously assessed and cleared by OCIO. If yes, the request is forwarded to the Office of Procurement for processing. If not, an RFI is forwarded to the Center SCRM Analyst for further review
NASA OCIO SCRM Analyst: OCIO Analyst conducts Risk Assessment
NASA OCIO: Makes final determination to clear item based on assessment. If cleared, item is added to the ACL and Center is notified to proceed with purchase. If not cleared, Center is notified of final decision.
NASA’s Office of the Chief Information Officer (OCIO) Request for Investigation (RFI) Process
External Collaboration: Consults with the Federal Bureau of Investigation, Department of Defense, National Institute of Standards and Technology, NASA’s Counterintelligence Office and other NASA cybersecurity partners to understand threat vectors and system and/or component acquisition risk to the NASA environment, and to develop risk mitigation strategies.
Office of Procurement: Initiates purchase request of assessed and cleared item.
Understanding Service Requirements
To establish a formal SCRM service (program) and process, a standard for SCRM-based decisions must be achieved:
Implement: Implement a risk management hierarchy and risk management process
Establish: Establish an organizational governance structure and process that integrates ICT SCRM requirements
Assess: Use risk assessment processes after the impact level has been defined, including criticality analysis, threat analysis, and vulnerability analysis
Implement: Implement a quality and reliability program that includes assurance and quality control processes and practices
The Three P’s of NASA SCRM
Provenance
• Blockchains - transparent, traceable, and tamper-proof supply chain data
• Each link in the supply chain being able to trust the link before and after it
Pedigree
• Tracking of manufactured products through the distribution channels prevents counterfeiting and ensures safety and security of products
Position
• Innovation and efficiency in contracting management with provider optimization and redundancy
It Takes A Village
As stated by NIST: Effective ICT SCRM is an organization-wide activity that involves each organizational tier (Organization, Mission/Business Processes, and Information Systems) and is implemented throughout the system development life cycle.
The Three Tiers of Involvement
Tier 1: Executive Leadership
CEO, CIO, COO, CFO, CISO, CTO, Risk Executive
Tier 2: Business Management
Program Management, Research and Development, Engineering, Acquisitions, Procurement, Cost Accounting, Other management related to: Reliability, Safety, Security, Quality
Tier 3: Systems Management
Architect, Developers, System Owner, QA / QC, Test, Contracting Personnel, Approving selection, Payment and Approach for Obtaining, Maintenance Engineering, Disposal Personnel
Cybersecurity & ICT SCRM
Today there are ever-growing cyber and supply chain risks. As one of the largest innovators in the world, it is important for NASA to keep pace and stay ahead of the threats. However, you may be wondering: what is the relationship between ICT SCRM and Cybersecurity? Simple: cybersecurity becomes involved when one acquires, or attempts to introduce, any type of “covered article” into the operational environment.
There are four major ways to stay abreast of your Cybersecurity Supply Chain:
1. Establish the System Context & Lifecycle
2. Understand Your Acquisition Lifecycle
3. Take Action
4. Stay Vigilant
What is the Relationship?
[Diagram relating three functions; only the labels survived extraction. ASAM: Procurement / Strategic Sourcing. ITAM: Tracking IT Software Procurements. SCRM: Procurement.]
Agency Software Asset Management (ASAM): ASAMs monitor any software deployed within the Agency. Any such software, regardless of its function, injects risk into NASA’s infrastructure from a cybersecurity and software compliance perspective. NASA must deploy an Agency-wide approach to software management.
IT Acquisition Management (ITAM): ITAMs provide active, timely and professional management of NASA software. The ELMT works closely with the NASA Center ITAMs and representatives of originating organizations to manage licenses in the ELMT Portfolio and to eliminate the possibility of license duplication.
SCRM: NASA ICT SCRM. With ICT globalization, the strategic drivers for this business need are the security and integrity of all mission-critical systems, focusing intently on the classified National Security Systems (NSS) and high- and medium-impact unclassified systems that support our most critical missions.
What is Your Current Process?
Does your process include adequate analysis? Do you have a centralized, transparent, and easy-to-use vendor evaluation method? Do you have an equally accessible but fully-vetted method for requests, approvals, purchases, and payments?
If your answers to these questions are no, managing your supply chain will be very tough.
“As-Is” Process & Value Determinations
Analyze
8 Roles & 41 Process Steps Identified
• 21 identified as Red; Waste
• 17 identified as Yellow; Waste / Yet Required
• 3 defined as Green; Value Added
“To Be” State
• Phase 1: Proactively establish and manage a catalog of items vendors would like to offer NASA
• Suppliers/vendors and products & services managed in the Agency Risk Information Security Compliance System (RISCS)
• Supports a proactive assessment cadence
• Addresses remaining IG findings
• Mirror LaRC’s “Software & Hardware Evaluated for Lifecycle Fulfillment” (SHELF) solution at an Enterprise level
• Automated, ServiceNow based, timely & customer friendly
• Replaces ACL (SharePoint) with automation and accountability
• Customers buying “off the SHELF” are never confronted with the NF1823
“To Be” State
• TOP SHELF = Enterprise SCRM Solution: “Total Operational Provisioning of Software and Hardware Evaluated for Lifecycle Fulfillment”
TOP SHELF Introduces:
• Centralization
• Standardization
• Workflow
• Automation
• Accountability
• Efficiencies
• Extensibility
TOP SHELF:
• Leverages a pre-existing solution to quickly bring SCRM into compliance with federal drivers.
• Establishes end-to-end governance necessary to close remaining IG finding.
• Positions SCRM as an enabling platform for other NASA services.
Integrated SCRM Flow Chart
[Flowchart; only the box and decision labels survived extraction, so the arrows are not recoverable. Recovered labels: "Customer checks TOP SHELF"; "Item in TOP SHELF?" (Y/N); "Product / Service Approved"; "COMPLETE"; "New SHELF Item"; "SHELF Generates 4 Questions" (What? Why? Impact? Use?); "Customer Answers Questions"; "ISSO: What needs to be done?"; "ISSO Approve?" (Y/N); "OCIO / OCSS Conducts SCRM SCRA"; "CLEAR"; "Generate Report & Supporting Materials"; "Added to TOP SHELF"; "Vendor Start"; "SCRM Service Owner Notifies Vendor / Supplier"; "Supplier Product / Service Offerings"; "Supplier Completes Blanket Clearance Questionnaire, Submits via VMM"; "OCIO / OCSS / SCRM Service Owner"; "Exceed Risk Threshold or DNE" (Y/N); "APPROVED"; "REJECT"; "Appeal Submitted by ISSO".]
SCRM as a Service
1. Portfolios: Portfolios are used to compare different risk perspectives within a company. They are used to group suppliers in order to easily compare them with each other.
2. Risk Assessment: An analysis of publicly available information about suppliers. They contain an Executive Summary, Corporate Overview, Risk Summary, Risk Narratives, and Analyst Comments.
3. Risk Factor Narrative: An in-depth description of the sources of the risk for that Risk Factor.
4. Eco-System Mapping: Eco-System mapping refers to how the Platform identifies, categorizes, and visually represents relationships between entities.
What are the Challenges?
• Ensuring that supply chain risk is understood to be a shared risk – not owned by cyber or any other functional areas across the Enterprise.
• Balancing ICT supply chain risks with the costs and benefits of mitigating controls.
• Engaging partners, to include suppliers/vendors, in the SCRM discussion.
• Obtaining access to non-public supplier and/or product information.
The State of NASA SCRM is Strong
• SCRM represents the Agency’s first line of cybersecurity defense.
• TOP SHELF provides a unique opportunity to proactively manage what we introduce and monitor what we have.
• Integration and support for NSINS, ITAM, ASAM/SWLM, SEWP
• SEWP integration will offer Federal agencies a procurement vehicle for SCRM assessed and cleared products.
• “TOP SHELF may well represent one of the biggest benefits the OCIO has ever delivered its customer base.”
Q & A
Questions?
Kanitra D. Tyler, CISSP, CAP, CEH, NSA IAM/IEM, CHFI, CECS, ITIL v3
Supply Chain Risk Management (SCRM) Service Owner
Office of Cyber Security Services (OCSS)
NASA Office of the Chief Information Officer (OCIO)
301.286.6173 – phone
301.286.4262 – fax
240.313.8727 – cell
SIPR Email: [email protected]
Email: [email protected]
240-684-9053 (secure phone)