Protecting the Supply Chain: PCI “Hot Topics” Breakfast Briefing · 2018-03-21
Protecting the Supply Chain: PCI Presentation June 25, 2015 -1-ROGERS JOSEPH O’DONNELL
• Government and private sector functions depend substantially upon information and communication technology (ICT).
• President Obama’s 2016 budget proposes spending of $86.4 billion on federal IT, of which 57% is for non-defense functions.
• Cyber threats are posed to information and communication technology (ICT) systems operated by the federal government and by its contractors.
• Federal interests are in jeopardy if sensitive government data used by contractors, residing in or transiting through their ICT systems, is destroyed, compromised or stolen.
• Contractor ICT systems are vulnerable to diverse and dynamic cyber threats.
• Consequences of breach include loss of confidentiality, injury to privacy interests, compromise of data integrity and interruption of government and private sector functions.
The federal government will use acquisition methods and contract tools to improve the cyber protection of sensitive federal data in the hands of federal contractors and their suppliers.
The ICT supply chain is a “complex, globally distributed, and interconnected ecosystem that is long, has geographically diverse routes, and consists of multiple tiers of outsourcing. This ecosystem includes public and private sector entities (e.g., acquirers, system integrators, suppliers, and external service providers) and technology, law, policy, procedures, and practices that interact to design, manufacture, distribute, deploy, and use ICT products and services.”
“Federal government information systems have rapidly adopted this ecosystem of solution options, which increased their reliance on commercially available products, system integrator support for customer-built systems, and external service providers.”
NIST SP 800-161 (Final).
• No law or general federal acquisition regulation imposes specific cybersecurity measures to protect all forms of CUI in nonfederal information systems.
– Narrow mil-specific provisions to protect supply chain against certain high-risk sources (FY 2011 NDAA § 806)
– Some measures restrict country of origin of “high impact” ICT purchases by Commerce, Justice, NASA, NSF
– DoD’s DFARS to impose basic cyber controls to protect its UCTI
– Limited Mandatory reporting of cyber events [same]
Q: is CUI inherently less important to protect than UCTI?
Q: are non-defense systems at less risk?
Q: is the civilian side of the government indifferent to the risk?
Q: are the potential consequences of vulnerability more tolerable?
• NARA is the Executive Agent to address “CUI”– Proposed rule, 80 Fed. Reg. 26501 (comments due July 7, 2015)
• Defines and categorizes CUI (using CUI Registry); Sets safeguarding standards as “Basic” or “CUI Specified” (enhanced, or different); Adopts NIST SP 800-171 as basis for safeguards; Establishes access and dissemination policies; Assigns designation and marking responsibilities to agencies.
• NIST SP 800-171 (Final) (June 2015) – Protects confidentiality of all CUI @ “moderate” impact level of FIPS 199
– States performance or capability-based requirements that elaborate upon FIPS 200 but do not contain the “how to” rules of 800-53
– Intent is to capture intent of 800-53 “Moderate” baseline but not to obligate private companies to use specific 800-53 controls.
– Does not contain an obligatory assessment or accreditation mechanism
• Individual agencies: DoD (UCTI) and DHS (“Sensitive Information”)
• 8(e) “Joint Working Group” studying contractual implementation
• NARA leads drafting of “single FAR clause” to protect CUI
• The proposed rule categorizes all CUI at the “moderate” FIPS impact level. Does some CUI need more protection? Or less?
• More than 1,000 intra-agency comments were “adjudicated”
• Rule seeks consistency but distinguishes between “Basic” and “CUI Specified” (special) standards if “required or permitted by authorizing laws, regulations or Government-wide policies.” – “CUI Specified” standards are allowed only if NARA includes in the CUI Registry.
– Will agencies acquiesce to NARA control over categorization?
– Agencies will consider themselves best informed both to identify and designate (their) CUI and to recognize special risks and impacts.
– Can NARA’s regime be reconciled to agencies who seek to “tailor” controls?
• Agency responsibility to designate and mark is crucial.
– Both agencies and contractors must know what CUI is to be protected.
– Final rule should address CUI created or developed under contract.
NIST SP 800-171 embraces existing private sector measures – and accepts alternative controls – to achieve federal purposes.
• The distinction between the 14 families of “requirements” in SP 800-171 and 800-53 controls and enhancements may not be well understood, however.
• The intent is for commercial companies to assess their systems in reference to narrative 171 “requirements” rather than the specific controls in 800-53.
• NIST recognizes that 800-53 was developed for federal systems while 171 is to achieve similar and sufficient goals (to protect confidentiality) in the in-place systems of contractors.
• SP 800-171 is now Final. Expect to see agencies utilize it – soon.
Important Assumptions of SP 800-171
“Additional assumptions also impacting the development of the CUI security requirements and the expectation of federal agencies in working with nonfederal entities include:
• Nonfederal organizations have information technology infrastructures in place, and are not necessarily developing or acquiring information systems specifically for the purpose of processing, storing, or transmitting CUI;
• Nonfederal organizations have specific safeguarding measures in place to protect their information which may also be sufficient to satisfy the CUI security requirements;
• Nonfederal organizations can implement a variety of potential security solutions either directly or through the use of managed services, to satisfy CUI security requirements; and
• Nonfederal organizations may not have the necessary organizational structure or resources to satisfy every CUI security requirement and may implement alternative, but equally effective, security measures to compensate for the inability to satisfy a particular requirement.”
NIST SP 800-171 (Final), at 2-5 (emph. added).
• SP 800-171 sets its own requirements; these are built from FIPS 200 and mapped to show relevant controls from 800-53 and counterparts in ISO/IEC 27001
• Comparing “controls” among the DFARS, -171 and -53 is difficult, but there are distinctions:
– The DFARS UCTI refers to 51 controls from 800-53 but 61 if you count controls + enhancements. These 61 translate to >275 “task statements.”
– SP 800-171 (Final Draft) stated 109 requirements; these “map” to 122 controls from 800-53 but there are “only” 109 “task statements.”
– Properly understood, industry should find it less demanding (and have more alternatives) to comply with 800-171 than 800-53 (or DFARS).
• Expect DoD to issue a rule to adopt in the DFARS and apply SP 800-171 controls to UCTI.
In addition to defining safeguarding requirements for CUI within the federal government, NARA has taken steps to alleviate the potential impact of such requirements on nonfederal organizations by jointly developing with NIST, Special Publication 800-171 — defining security requirements for protecting CUI in nonfederal information systems and organizations. This will help nonfederal entities, including contractors, to comply with the security requirements using the systems and practices they already have in place, rather than trying to use government-specific approaches. It will also provide a standardized and uniform set of requirements for all CUI security needs, tailored to nonfederal systems, allowing nonfederal organizations to be in compliance with statutory and regulatory requirements, and to consistently implement safeguards for the protection of CUI.
NIST SP 800-171 (Final), at vi.
Primary security objective: confidentiality
• Agencies best understand threat and the risk of cyber attack to their crucial functions that depend on nonfederal info systems.
• Agencies are in the best position to know which information is “CUI.”
• Agencies best informed to categorize sensitivity of their information and impact upon their mission of lost confidentiality.
• Agencies best can assess supply chain impact upon their missions. E.g., FISMA, FIPS, FedRAMP, NIST.
• Agencies also have specific needs for event reporting, for information security and for restoration/resilience.
Agencies ultimately are responsible for implementation costs. They also must temper risk perception with recognition of potential costs, effect upon competition, and impacts to their access to the technology base.
Agencies will seek a role in selection and tailoring of controls, validation and oversight.
NARA seeks to tightly control both categorization of CUI and the applicable safeguards.
– Safeguard unclassified controlled technical information
– Report cyber incidents
Applies to contracts and subcontracts requiring safeguarding of unclassified controlled technical information resident on or transiting through contractor unclassified information systems. DFARS 204.7300.
Contract clause at DFARS 252.204-7012 is to be used “in all solicitations and contracts, including solicitations and contracts using FAR Part 12 …”
“Controlled Technical Information” “means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.” 78 Fed. Reg. 69273, at 69280
Contractor’s obligation is to provide adequate security; the contractor shall apply “other information systems security requirements” if “required to provide adequate security in a dynamic environment based on an assessed risk of vulnerability.” DFARS 252.204-7012(b)(2)
• Incentives: bidders should see voluntary imposition of controls as likely to improve competitive posture
• Duties: contract mechanics should clearly inform companies of what is expected of them, how they will demonstrate minimum controls, what role the agency will play in identification of CUI or system approval, and how to report cyber events
• Sanctions: once the necessary elements of the basic regime are in place, threat of sanctions can reinforce
• CUI cyber protection measures will affect thousands of civil contractors but costs and operational impact are unknown.
• The fragmented nature of the effort – NARA, JWG, NIST, Agencies – means it is difficult to predict either the timing or the substance of the final, general regulation – the “single FAR clause” that NARA aims towards. The OPM Attack is likely to accelerate agency actions, elevate safeguarding requirements and dictate prompt reporting.
• DoD’s UCTI DFARS and now the DHS Special Clause show that agencies will act ahead of general federal measures.
• Industry must work with the agencies, NIST and NARA to assess potential costs and consequences of extending the federal cyber regime outside its original boundaries.
• Industry should make full use of “notice and comment.”
“A systematic process for managing supply chain risk by identifying susceptibilities, vulnerabilities and threats throughout DoD’s ‘supply chain’ and developing mitigation strategies to combat those threats whether presented by the supplier, the supplied product and its subcomponents, or the supply chain (e.g., initial production, packaging, handling, storage, transport, mission operation, and disposal).”
DoDI 5200.44 (Nov. 5, 2012)
Assured Microelectronics Policy (DoD Sen. Rept. 113-85) (July 2014)
“The intent of the threat assessment is to protect mission-critical functions and CC, including critical microelectronics, by identifying and defending against the risk that an adversary may sabotage, maliciously introduce unwanted functions, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system.
***
The goal of these protective measures is to reduce the risk to the mission by mitigating identified threats and vulnerabilities, such as malicious code insertions or counterfeit parts or the loss of technical information. Risk to system trust is managed throughout the entire system life cycle beginning with design and before the acquisition or integration of CC into covered systems.”
We will consider acquisition and contracting measures intended to protect the supply chain against:
• Physical threats – counterfeit electronic parts
• Cyber-physical threats – maliciously encoded (or cyber-vulnerable) electronic parts
• Cyber threats – to “nonfederal” information and communications systems (ICT) and control systems
Threats include insertion of deficient, tainted or tampered parts into the supply chain, extraction of information from suppliers and creation or exploitation of software/firmware vulnerabilities
“sabotage, maliciously introduce unwanted functions, or otherwise subvert … a system in order to conduct surveillance or to deny access to, disrupt, or otherwise degrade its reliability or trustworthiness.”
Common Criteria Supply Chain Technical Working Group, DRAFT “Supply Chain Security Assurance” April 2012, available at
http://www.commoncriteriaportal.org/
The Ordinary (“Fake”) Counterfeit Part:
• Substandard or non-functional
• Likely to fail in intended environment
• Presents risk to operations & reliability
• Methods exist to detect (in most cases)
Injury:
- degradation of performance
- diminished reliability
- potential device/system failure
- burden on support & sustainment
- costs of “remediation”
Typically a counterfeit electronic part contains no active mechanism that can be exploited by an adversary.
By contrast, the malicious (“tainted”) part:
• Unexpected functionality
• Potentially latent functions
• Vector to induce or exploit cyber attack
• Risk of unauthorized extraction
• Threat to critical systems and mil ops
Increased attention to “Taints”; focus of 818 and DFARS is on “Fakes”
The principal motivation for counterfeit parts, addressed by Section 818, is profit. Bad actors seek to answer demand for scarce parts by offering well-priced fakes that appear genuine -- but are not.
“Malicious” parts may be counterfeit but their threat is different. They may be produced by adversary states or tolerated by state actors. Very sophisticated techniques and resources may be applied. The risk is more than that parts will fail. Threats to operations and to information are posed through hardware, firmware and software, e.g., “Malware,” “Trojan Horse,” “Denial of Service,” Intelligence Extraction, etc.
• Section 818 will reduce the risk of both counterfeits and malicious parts by emphasizing reliance on trusted suppliers
• For national security systems and critical information and communications networks, however, a different and even more demanding response is required
Senate Armed Services Committee hearings in 2011 focused attention on the threat and prompted Congress to “legislate supply chain security” through Section 818 of NDAA 2012
SASC Investigation of Counterfeit Parts
• The threat of individual “fakes” is isolated to the hardware where installed
• Supply chain vulnerability is largely a function of purchasing controls and QA – can be “preempted” by design solutions – and mitigated by test & inspection
• Multiple sources of risk-informing data facilitate detection and avoidance
• The typical counterfeit escape exposes a system to risk of premature failure but non-functionality likely can be detected and replacement often will fix
MALICIOUSLY ENCODED COUNTERFEIT PARTS (OR CORRUPTED SOFTWARE)
• A “tainted” part can introduce vulnerability across connected systems
• The hazard may be concealed and intentionally placed in a dormant state
• There are numerous points in the supply chain that are vulnerable
• The consequences of a cyber-supply chain attack are potentially “existential”
• The means to preempt or preclude such attacks are not well understood
“The term ‘supply chain risk’ means the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system so as to surveil, deny, disrupt, or otherwise degrade the function, use or operation of such a system.”
§ 806 authorizes exclusion of high risk suppliers
• Applies narrowly to “covered procurements” of National Security Systems where there is a “significant supply chain risk to a covered system”
• Sources may be excluded based on an assessment of “significant supply chain risk”
• Assessment may reflect all-source intelligence risk assessment
• A written determination is required that exclusion is necessary
• DoD need not disclose basis of exclusion
• DFARS included in all solicitations – including commercial contracts – because DoD believes it cannot know which systems might support or link to national security systems and
“The rule establishes a new provision and clause (see DFARS 239.7306) for inclusion in all solicitations and contracts, including contracts for commercial items or commercial off-the-shelf items involving the development or delivery of any information technology, whether acquired as a service or as a supply, because portions of these contracts may be used to support or link with one or more NSS.” 78 Fed. Reg. 69268.
“The Contractor shall maintain controls in the provision of supplies and services to the Government to minimize supply chain risk.” DFARS 252.239-7018(b)
“This rule applies to contractors involved in the development or delivery of any information technology, whether acquired by DoD as a service or as a supply.” 78 Fed. Reg. 69269.
DFARS Subpart 239.7306: insert the clause, “Notice of Supply Chain Risk,” in all solicitations, including FAR Part 12, that involve the development or delivery of any IT whether acquired as a service or as a supply.
As defined, “information technology” includes equipment “used by a contractor under a contract with the agency” where its use is required to perform the service.
The DFARS confirm that Sec. 818 is “specifically limited to ‘covered contractors’” and that the initial implementation of the rules “has limited application at the prime contract level to CAS-covered contractors.” 79 Fed. Reg. 26098.
However, the flow down requirement causes the rule to affect all subs – including small businesses.
“However, all levels of the supply chain have the potential for introducing counterfeit or suspect-counterfeit electronic items into the end items contracted for under a CAS-covered prime contract. The prime contractor cannot bear all responsibility for preventing the introduction of counterfeit parts. By flowing down the prohibitions against counterfeit and suspect counterfeit electronic items and the requirements for systems to detect such parts to all subcontractors that provide electronic parts or assemblies containing electronic parts (without regard to CAS-coverage of the subcontractor), there will be checks instituted at multiple levels within the supply chain, reducing the opportunities for counterfeit parts to slip through into end items.” 79 Fed. Reg. 26099.
The final rule does exclude set-asides from small business, because CAS does not apply to contracts with small business. “This rule does not apply to small entities as prime contractors.” 79 Fed. Reg. 26105. This limits application of the DFARS when DoD purchases from a small business, but will not affect flow down from covered contractors.
Promulgation comments recognize that small business subcontractors will incur “some costs for complying with prime contractors’ requirements.”
Counterfeit Electronic Part: “an unlawful or unauthorized reproduction, substitution, or alteration that has been knowingly mismarked, misidentified, or otherwise misrepresented to be an authentic, unmodified electronic part from the original manufacturer, or a source with the express written authority of the original manufacturer or current design activity, including an authorized aftermarket manufacturer.
Unlawful or unauthorized substitution includes used electronic parts represented as new, or the false identification of grade, serial number, lot number, date code, or performance characteristics.”
Electronic Part: “an integrated circuit, a discrete electronic component (including, but not limited to, a transistor, capacitor, resistor, or diode), or a circuit assembly (section 818(f)(2) of Pub. L. 112–81). The term “electronic part” includes any embedded software or firmware.”
Obsolete Electronic Part: “an electronic part that is no longer in production by the original manufacturer or an aftermarket manufacturer that has been provided express written authorization from the current design activity or original manufacturer.”
Suspect Counterfeit Electronic Part: “an electronic part for which credible evidence (including, but not limited to, visual inspection or testing) provides reasonable doubt that the electronic part is authentic.”
Electronic part: implies cyber-physical security issues and concerns of tainted hardware.
There are some reports that DoD will revise the DFARS to eliminate this definition.
Part 252: Solicitation Provision & Contract Clauses
• DFARS 252.244–7001 Contractor Purchasing System Administration
• DFARS 252.246–7007 Contractor Counterfeit Electronic Part Detection and Avoidance System
246.870-3 Contract Clause
(a) Except as provided in paragraph (b) of this section, use the clause at 252.246–7007, Contractor Counterfeit Electronic Part Detection and Avoidance System, in solicitations and contracts when procuring—
(1) Electronic parts;
(2) End items, components, parts, or assemblies containing electronic parts; or
(3) Services where the contractor will supply electronic parts or components, parts, or assemblies containing
electronic parts as part of the service.
(b) Do not use the clause in solicitations and contracts that are set-aside for small business.
“(e) The Contractor shall include the substance of this clause, including paragraphs (a) through (e), in subcontracts, including subcontracts for commercial items, for electronic parts or assemblies containing electronic parts.”
Contract Clause: The clause at DFAR 252.246-7007 (CPDAS) is to be used in solicitations and contracts when procuring … “[s]ervices where the contractor will supply electronic parts or components, parts, or assemblies containing electronic parts as part of the service.”
The clause applies if the contractor is subject to CAS.
Considerations for Service Providers
Definition of “Electronic Part”: “an integrated circuit, a discrete electronic component (including, but not limited to, a transistor, capacitor, resistor, or diode), or a circuit assembly … The term “electronic part” includes any embedded software or firmware.”
Contract Cost Principles: “costs of counterfeit electronic parts or suspect counterfeit electronic parts and the cost of rework or corrective action that may be required to remedy the use or inclusion of such parts are unallowable.” [except if a narrow safe harbor is available] DFARS 231.205-71
Subcontracting Policies & Procedures: ACO is responsible for reviews of contractor’s purchasing system; review is to include “the adequacy of the contractor’s counterfeit electronic part detection and avoidance system under DFAR 252.246-7007”
The definition implies cyber-physical security issues and concerns of tainted hardware.
Applies to all companies subject to the DFAR Cost Principles – not limited to companies that supply parts, assemblies or systems.
A service provider subject to purchasing system review would be likely to receive scrutiny of the adequacy of its CPDAS.
A service provider subject to CAS could be found obligated to flow down the CPDAS contract clause to subcontractors at all levels of the supply chain.
The training of personnel. Contractors have flexibility. Training should be tailored for function/responsibility. Refresh needed to recognize new standards, etc. Should a covered contractor confirm subs conduct training also?
Generally, training is extremely important. Functions that “touch” on parts acquisition, receipt and use should be informed of counterfeit threat and knowledgeable of command media instructions to detect and avoid.
Training to defend against cyber physical threats is much more difficult. Goals are to train personnel to recognize threats, to utilize available open (and closed source) information, to assess and act upon inherent or induced vulnerability. This may require a CI function (if available), cleared personnel and support from design and engineering disciplines. Government is in best position to communicate threat information (sources, vector).
The inspection and testing of electronic parts, including criteria for acceptance and rejection. Tests and inspections shall be performed in accordance with accepted Government- and industry-recognized techniques. Selection of tests and inspections shall be based on minimizing risk to the Government. Determination of risk shall be based on the assessed probability of receiving a counterfeit electronic part; the probability that the inspection or test selected will detect a counterfeit electronic part; and the potential negative consequences of a counterfeit electronic part being installed (e.g., human safety, mission success) where such consequences are made known to the Contractor.
Today, there are neither established nor common criteria to inform contractors on how to select tests and inspection and how to address the costs of higher level and potentially destructive tests.
The pending SAE AS-6171 provides a hierarchy of test methods and provides a mechanism for risk-based analysis with needed detail. It examines Risk as to the Supplier (RS), as to the Component (RC) and as to the Product (RP) and takes into account Adjustment factors and potential mitigation measures for each risk area. This is an objective method for contractors to make risk-informed decisions. Because necessary electronic parts cannot always be obtained from preferred, authorized sources such as OCMs, standards to guide industry and government are critical.
Contractors still will face situations where they do not and cannot know the intended or eventual utilization of a given part. Nor are contractors assured of having relevant knowledge of “threat” relevant to risk of receiving a counterfeit.
This aspect of the DFARS will reduce the risk of “taints” but AS-6171 is not intended to identify alteration to embedded software or firmware. The risk of taints is threat-driven and contractors ordinarily do not have access to this information. Nor is a “gold standard” always available to test against known authentic.
It is the purchaser’s responsibility under AS-6171 to supply the information that drives the risk assessment; it is the purchaser’s responsibility to decide upon the test and assurance measures.
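The DFARS criterion above ties test selection to three factors: the probability of receiving a counterfeit part, the probability that the chosen test detects one, and the consequence of an escape. The following is an added example, not code from the presentation and not the SAE AS-6171 method (its RS/RC/RP factors and adjustment tables are not reproduced here); it applies only those three factors to a constructed catalogue of tests and picks the cheapest combination that brings the residual risk under a purchaser-chosen ceiling. All detection rates, costs, probabilities and consequence values are assumed sample numbers.

```python
"""Risk-based selection of counterfeit-part inspections and tests.

Added illustration; it is not from the presentation and is not the SAE AS6171
method. It applies only the three factors the DFARS criterion names
(probability of receiving a counterfeit part, probability that a test detects
one, consequence of an escape). Every number below is an assumed sample value.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Test:
    name: str
    p_detect: float    # assumed probability this test catches a counterfeit
    cost: float        # assumed cost per lot, arbitrary units
    destructive: bool  # destructive tests consume sample parts


# Constructed catalogue of test methods; detection rates and costs are assumptions.
CATALOGUE = (
    Test("visual inspection", 0.40, 1.0, False),
    Test("x-ray / XRF", 0.60, 4.0, False),
    Test("electrical test", 0.70, 6.0, False),
    Test("decapsulation / die inspection", 0.90, 15.0, True),
)


def escape_probability(tests):
    """Probability that a counterfeit passes every selected test
    (treats the tests' detections as independent, a simplifying assumption)."""
    p = 1.0
    for t in tests:
        p *= 1.0 - t.p_detect
    return p


def residual_risk(p_counterfeit, consequence, tests):
    """Expected loss after testing: P(counterfeit) x P(all tests miss) x consequence."""
    return p_counterfeit * escape_probability(tests) * consequence


def select_tests(p_counterfeit, consequence, max_residual,
                 allow_destructive=True, catalogue=CATALOGUE):
    """Cheapest combination of tests whose residual risk is within max_residual.

    Returns (chosen_test_names, residual_risk), or (None, untested_risk) when no
    combination from the catalogue brings the risk down far enough.
    """
    pool = [t for t in catalogue if allow_destructive or not t.destructive]
    best = None  # (cost, combo, risk)
    for size in range(1, len(pool) + 1):
        for combo in combinations(pool, size):
            risk = residual_risk(p_counterfeit, consequence, combo)
            cost = sum(t.cost for t in combo)
            if risk <= max_residual and (best is None or cost < best[0]):
                best = (cost, combo, risk)
    if best is None:
        return None, residual_risk(p_counterfeit, consequence, ())
    return [t.name for t in best[1]], best[2]


if __name__ == "__main__":
    # Mission-critical part bought from an independent broker: high P(counterfeit)
    # and high consequence, so no single cheap screen is enough on its own.
    print(select_tests(p_counterfeit=0.20, consequence=100.0, max_residual=2.0))
    # Same part from an authorized distributor: visual inspection alone suffices.
    print(select_tests(p_counterfeit=0.05, consequence=10.0, max_residual=0.35))
```

The two inputs the contractor usually lacks, P(counterfeit) for a given source and the consequence of an escape, are exactly the ones the text says the purchaser must supply; the function makes that dependency explicit by taking them as parameters rather than guessing them. Returning `(None, untested_risk)` when nothing in the catalogue suffices is the signal to change source rather than keep testing.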
Processes to abolish counterfeit parts proliferation.
Responsible contractors know they must avoid the “return” of a counterfeit electronic part into the supply chain. Difficulties arise where a contractor deals with brokers/distributors or test labs who have ownership and possession of parts found suspect or counterfeit. Does the “covered contractor” have control over the disposition? Is the “covered contractor” legally responsible?
Where tainted parts are involved, it is even more important to assure retention for examination by Counter-Intelligence and law enforcement. Reporting, however, becomes problematic. Public dissemination of information on tainted parts may work against the national interest.
It is essential to secure by contract authority over the disposition of parts determined to be suspect or counterfeit; under no circumstances should risk be accommodated that such parts may be returned to the supply chain.
Processes for maintaining electronic part traceability (e.g., item unique identification) that enable tracking of the supply chain back to the original manufacturer, whether the electronic parts are supplied as discrete electronic parts or are contained in assemblies. This traceability process shall include certification and traceability documentation developed by manufacturers in accordance with Government and industry standards; clear identification of the name and location of supply chain intermediaries from the manufacturer to the direct source of the product for the seller; and where available, the manufacturer's batch identification for the electronic part(s), such as date codes, lot codes, or serial numbers. If IUID marking is selected as a traceability mechanism, its usage shall comply with the item marking requirements of 252.211-7003, Item Unique Identification and Valuation.
While desirable, achieving traceability to satisfy this criteria will be very difficult for many parts now in inventory. Today, only a limited class of MIL SPEC (PRF) parts come with end-to-end traceability and these represent only a modest (if not small) fraction of the universe. Traceability will improve as industry practices evolve. But it is not be possible to demonstrate traceability “back to the original manufacturer” for many parts and it is not cost-effective or practicable to use only parts with full traceability.
AS6081 limits documentation requirements to where traceability exists; customers may accept “as-built” traceability without end-to-end documentation for all components.
A contractor should be found compliant if it seeks all available documentation of pedigree or provenance and considers the extent of documentation when it is necessary to perform a risk-based assessment of a particular source for an electronic part. Absence of traceability is a risk indicator for additional inspection and test.
Improving traceability is an important way to reduce supply chain risk from both “fakes” and “taints.” Vulnerability to cyber-physical threats exists along the entire continuum from inception through hardware retirement. But: traceability documentation, itself, can be faked; and traceability often is unavailable for sustainment.
Use of suppliers that are the original manufacturer, or sources with the express written authority of the original manufacturer or current design activity, including an authorized aftermarket manufacturer or suppliers that obtain parts exclusively from one or more of these sources. When parts are not available from any of these sources, use of suppliers that meet applicable counterfeit detection and avoidance system criteria.
The core principle of both 818 and the DFARS is that the best way to avoid counterfeits is to procure parts from OCMs, other authorized manufacturers or authorized distributors. However, DoD’s contractors must support many legacy systems where required parts are obsolete or no longer available from these trusted sources.
The DFARS is short on guidance on how to qualify additional sources when necessary. Contractors may be informed by Standards and best practices to make prudent, risk informed decisions.
Control of sources of supply is the single-most important measure taken to address risk of both “fakes” and “taints.” Even so, care should be taken to assure supply chain and information security of suppliers as they may be the “weak link” or vulnerable underbelly of the supply chain.
Trusted source requirements protect against tampering or insertion of malicious code – but not completely.
DoD is working on regulations (DFARS Case 2014-D005) to address how covered contractors can be “authorized to identify and use additional trusted suppliers” pursuant to § 817 NDAA 2015. AS-6081 is a useful tool to facilitate purchaser decisions on qualification of distributors.
Reporting and quarantining of counterfeit electronic parts and suspect counterfeit electronic parts. Reporting is required to the Contracting Officer and to the Government-Industry Data Exchange Program (GIDEP) when the Contractor becomes aware of, or has reason to suspect that, any electronic part or end item, component, part, or assembly containing electronic parts purchased by the DoD, or purchased by a Contractor for delivery to, or on behalf of, the DoD, contains counterfeit electronic parts or suspect counterfeit electronic parts. Counterfeit electronic parts and suspect counterfeit electronic parts shall not be returned to the seller or otherwise returned to the supply chain until such time that the parts are determined to be authentic.
The principle that counterfeit and suspect electronic parts should be quarantined is important to prevent re-entry and to enable appropriate investigation and law enforcement.
Reporting is an acute problem. At all levels of the supply chain, there is aversion to reporting, as it is perceived to “taint” the party that reports. Current mechanisms (GIDEP) are less than satisfactory. And there is no clear guidance on reporting. A pending revision to AS-6081 will place the reporting responsibility on the legal owner of the part and require reporting within 60 days.
Section 818 imposes a reporting obligation on any party that becomes “aware” of a counterfeit. The DFARS applies only to “covered contractors,” but many others in the supply chain may discover or become aware of a counterfeit part.
Measures should be taken to resolve continuing uncertainty regarding reporting. Coordination with law enforcement and counter-intelligence resources may prove very important to learning from and responding to threats of “tainted” parts.
Methodologies to identify suspect counterfeit parts and to rapidly determine if a suspect counterfeit part is, in fact, counterfeit.
DoD is paying increasing attention to the threat of maliciously-encoded or tampered electronic parts. (This is a “cyber-physical” threat.) The DFARS includes “any embedded software or firmware” in the definition of an “electronic part.” This suggests an obligation to validate.
There is no present Standard or commonly available and accepted method to make this determination for most parts. SAE is working, through the G-19A Tampered Subgroup, to create a Test Method to detect embedded malware and hardware Trojans at the electronic piece part level.
New technologies are being promoted to enhance testing of large volumes of parts for physical or cyber-physical discrepancies. Standards will emerge on the qualification and use of such new methods.
The last-minute introduction of “embedded software or firmware” into the DFARS definition was a surprise to many and has prompted considerable and continuing uncertainty. It extends the DFARS into the cyber domain even though not contemplated by § 818.
Design, operation, and maintenance of systems to detect and avoid counterfeit electronic parts and suspect counterfeit electronic parts. The Contractor may elect to use current Government- or industry-recognized standards to meet this requirement.
Covered contractors and companies that accept flowdown must develop compliant systems and will be subject to review against the 12 criteria.
The DFARS recognizes but does not specify particular industry Standards. The fit to the new “Higher Level Quality” FAR is uncertain.
The “systems” requirement is imposed across a highly diverse supply chain that produces and supports an enormous breadth of supplies and functions. Many reliable sources decline to accept system elements.
Also unresolved is whether “covered contractors” are responsible to validate the compliance of their subcontractors and if they can rely upon third-party certification of adherence to Standards.
Required system elements focus upon “fakes”; their effectiveness against cyber-physical threats is limited.
Flowdown of counterfeit detection and avoidance requirements, including applicable system criteria provided herein, to subcontractors at all levels in the supply chain that are responsible for buying or selling electronic parts or assemblies containing electronic parts, or for performing authentication testing.
Flowdown presents serious implementation challenges. Legally, Section 818 and the DFARS apply only to “covered contractors” – about 1,200 companies subject to all of DoD’s CAS. Through flowdown, “covered contractors” are to obtain the same anti-counterfeit assurance (and system compliance) from all sources in their supply chain – including COTS and commercial item sources and small business. There are 23,000 companies that sell to DoD – and tens of thousands more who sell to DoD suppliers.
There are practical and cost limitations. Significant and reliable supply sources may refuse full flowdown, accept only limited flowdown, or offer their own measures as surrogates. They will charge more for higher assurance of authenticity. DoD should interpret and apply the flowdown requirement to allow “covered contractors” to use their low-risk, established sources even where they decline full flowdown.
Process for keeping continually informed of current counterfeiting information and trends, including detection and avoidance techniques contained in appropriate industry standards, and using such information and techniques for continuously upgrading internal processes.
This is not a particularly difficult requirement, conceptually, but again experience suggests there are practical problems. Until reporting obligations are clarified and GIDEP is improved, it remains difficult for many actors in industry to know when counterfeits have been found and to integrate source- or parts-risk information into their supply chain planning. The absence of effective systems to collect and disseminate information will impair the ability to learn from counterfeit escapes and frustrate the common objective of eliminating counterfeits.
Ultimately, data analytics should figure into industry response to the threat of counterfeits – but the value of such analytics is compromised if relevant information is neither reported nor disseminated.
As concerns the cyber-physical threat, prompt transmission of information about the attack vector (and other attributes) is necessary to defend and recover. Methods to organize and distribute information need improvement.
System Criteria (11) Screening GIDEP & Other Reports
Process for screening GIDEP reports and other credible sources of counterfeiting information to avoid the purchase or use of counterfeit electronic parts.
See comments above. GIDEP has not materially improved despite the enactment of 818 and promulgation of the DFARS. Reporting practices are inconsistent and dissemination is limited. Industry needs more than just the ability to “screen” reports that happen to be made to GIDEP or to private sources (such as ERAI).
The value of GIDEP also suffers from presently uncertain obligations on “who” is to report, “what,” and “when,” etc.
DoD should promote an automated information exchange that rapidly collects and distributes data on counterfeits. TBD is how to identify and exploit government and private databases (e.g., ERAI), and how to resolve potential inconsistencies in reported information. Ultimately, data analytics should be used to generate and “adjudicate” source risks. Improved standards and methods are needed.
Special and secure methods are needed to distribute information about cyber-physical threats (“taints”).
It is very important to keep informed of reports of counterfeits and to actively seek to scrub both inventory and BOMs to identify reported parts. However, GIDEP has limitations that compromise its utility. GIDEP reports are not validated independently. Membership in GIDEP is limited.
Control of obsolete electronic parts in order to maximize the availability and use of authentic, originally designed, and qualified electronic parts throughout the product’s life cycle.
There are many DoD programs (e.g., PPP, DMSMS) and company initiatives to deal with obsolescence, as matters of design, sustainment, engineering and purchasing practices. The value of this 12th criterion is prospective. It does not help industry deal with the present and very real problem of how to satisfy continuing requirements for parts that already are obsolete or out of production.
A related and unresolved issue is how to treat inventory accumulated before these new rules came in force.
Over the longer term, measures to anticipate and avoid obsolescent parts will reduce supply chain vulnerability to both physical and cyber-physical threats.
DoD places great emphasis on parts obsolescence. Anticipating and answering this problem involves many functions, beginning with design to avoid vulnerability to OOP or obsolete parts and including proactive supply chain actions years in advance of “end of life” situations.
• The focus of regulations so far has been on avoidance of counterfeit electronic parts for defense systems
• “818 DFARS” is working to reduce vulnerability to counterfeits
• The federal supply chain also is vulnerable to cyber attack through poorly protected systems and by introduction of maliciously encoded or intentionally defective parts
• The consequences of cyber and cyber-physical attack dwarf those likely from the “normal” counterfeit “escape” (active control pot.)
• Government and industry will focus on protecting the defense and nondefense supply chain against threats
• Risks are present to ICT systems bought and utilized for services
• Needed: proactive strategy rather than reactive responses
Mr. Metzger is the head of the Washington, D.C. office of Rogers Joseph O’Donnell, P.C. A member of the International Institute for Strategic Studies (IISS), he has written on national security topics for International Security and the Journal of Strategic Studies. He is the Vice-Chair of the Software and Supply Chain Assurance Working Group of the IT Alliance for Public Sector (ITAPS), a unit of the Information Technology Industry Council, a leading U.S. trade association. He is recognized by 2015 Chambers USA® in “Band 3” as a top Government Contracts lawyer. He participates on the Defense Science Board Cyber-Supply Chain Working Group.
Rogers Joseph O’Donnell has specialized in public contract matters for 34 years and is highly ranked by leading international authorities such as Chambers USA and The Legal500®. RJO is the only boutique among the top-rated U.S. government contract firms.
SELECTED EXTERNAL PUBLICATIONS available at http://www.rjo.com/metzger.html
• “Threats to the Supply Chain: Extending Federal Cybersecurity Safeguards to the Commercial Sector,” Bloomberg BNA, 14 PVLR 1010, June 8, 2015
• “Cybersecurity for the Rest of Us: Protecting Federal Information of Civilian Agencies,” Federal Contracts Report, 103 FCR ___, Mar. 10, 2015
• “DOD's Cybersecurity Initiative - What the Unclassified Controlled Technical Information Rule Informs Public Contractors About the New Minimums in Today's Cyber-Contested Environment,” Federal Contracts Report, 102 FCR 744, Dec. 30, 2014
• “A Standards-Based Way to Avoid Counterfeit Electronic Parts,” Federal Contracts Report, Nov. 4, 2014
him a “Rising Star” among DC government contracts attorneys.
Rogers Joseph O’Donnell, a boutique law firm that has specialized in public contract matters for 34 years, is ranked in “Band 2” by Chambers USA – the only boutique among the nine highest ranked firms. RJO was listed among the top six government contracts firms globally by The Legal 500®. Free from the bureaucratic and economic burdens of a supersize law firm, we can listen to our clients more attentively, think more creatively and act more nimbly.
LEADERSHIP POSITIONS
• Board of Governors of the Court of Federal Claims Bar Association
• Editorial Advisory Board of Law360: Government Contracts
• ABA PCLS Vice-Chair of Acquisition Reform and Emerging Issues – Cybersecurity, Privacy and Data Protection – Battle Space and Contingency Procurements Committees
• Chair-elect of the ABA’s Battle Space and Contingency Procurements Committee
SELECTED SPEAKING EVENTS/PUBLICATIONS available at http://www.rjo.com/chiow.html
• Making Sense of Complex Government Contracting Issues, Ralph Nash 2015 Webinar Series, Jan. 29, 2015
• Privacy vs. Security – A Zero-Sum Game?, Presented at 20th Annual Federal Procurement Institute in Annapolis, MD
• 2013 Government Contract Law Decisions of the Federal Circuit, 63 American Univ. Law Rev. 1307 (2014)
• “Legislating Supply Chain Assurance: Examination of Section 818 of the FY 2012 NDAA,” The Procurement Lawyer, Vol. 47, No. 4, Summer 2012 (with Bob Metzger)
Presenter: Jeffery M. Chiow
Disclaimer
The views presented here are those of Mr. Chiow individually and should not be attributed to any client he represents or organization with which he is affiliated.
Particular interests include aerospace and defense (he was a U.S. Marine Corps weapons and sensors officer in the F/A-18D Hornet before becoming a lawyer), bid protests, cybersecurity, technology services contracting, schedule contracting and contingency contracting. Recently, Mr. Chiow has been called upon to assist with the government’s growing demands for information assurance/cybersecurity, cloud computing and the transition of legacy IT systems. He has also focused intently on supply chain assurance and the threat posed by counterfeit