
Protecting the Supply Chain: PCI “Hot Topics” Breakfast Briefing

Robert S. Metzger & Jeffery M. Chiow
Rogers Joseph O’Donnell, P.C.
875 15th Street, N.W., Ste 725
Washington, D.C. 20005
(202) 777-8950
[email protected]
[email protected]
www.rjo.com

June 25, 2015

Rogers Joseph O’Donnell © 2015 All Rights Reserved


Subjects Considered

Protection of the supply chain against:

• Cyber threats: focus on Controlled Unclassified Information
• Cyber-physical threats: focus on maliciously encoded parts
• Physical threats: focus on counterfeit electronic parts


Cyber Threats & Protection of Controlled Unclassified Information (CUI)


Introduction

• Government and private sector functions depend substantially upon information and communication technology (ICT).

• President Obama’s 2016 budget proposes spending of $86.4 billion on federal IT, of which 57% is for non-defense functions.

• Cyber threats are posed to ICT systems operated by the federal government and by its contractors.

• Federal interests are in jeopardy if sensitive government data used by contractors, residing in or transiting through their ICT systems, is destroyed, compromised or stolen.

• Contractor ICT systems are vulnerable to diverse and dynamic cyber threats.

• Consequences of breach include loss of confidentiality, injury to privacy interests, compromise of data integrity and interruption of government and private sector functions.

The federal government will use acquisition methods and contract tools to improve the cyber protection of sensitive federal data in the hands of federal contractors and their suppliers.

The ICT supply chain is a “complex, globally distributed, and interconnected ecosystem that is long, has geographically diverse routes, and consists of multiple tiers of outsourcing. This ecosystem includes public and private sector entities (e.g., acquirers, system integrators, suppliers, and external service providers) and technology, law, policy, procedures, and practices that interact to design, manufacture, distribute, deploy, and use ICT products and services.”

“Federal government information systems have rapidly adopted this ecosystem of solution options, which increased their reliance on commercially available products, system integrator support for customer-built systems, and external service providers.”

NIST SP 800-161 (Final).


The Cyber Threat to Federal Information

Information at Risk
• Classified Information
• Controlled Unclassified Information (23 categories, 82 subcategories)
• Enterprise IP and proprietary information (e.g., PII, PCI)
• Personal privacy information (e.g., HIPAA)

Systems at Risk
• “Federal Information Systems”
• “Non-federal Information Systems” (including contractor systems)
• “External Systems” (cloud)

Nature of the Threat
• Actors – range from hackers to state-sponsored actors or nation states
• Objectives – include annoyance, exfiltration, espionage, disruption, destruction
• Vectors – range from insider threats through external media to attrition

Consequences of Attack
• Data Confidentiality
• System Integrity
• Mission Availability


The “Work In Progress”

ACQUISITION METHODS & CONTRACT CONTROLS – TOOLKIT

[Diagram: NIST, JWG, NARA]

Responsibilities:
• NARA: to define and categorize the varieties of “CUI” and establish workable guidelines & mechanisms
• “8(e)” JWG: to decide on the mix of acquisition methods and contract tools
• NIST: to identify required security controls and practices for adoption
• Agencies: to evaluate cost/benefit, to establish applicability or tiers (if available), to tailor, to specify reporting, to administer and oversee


Taxonomy

A “federal information system” is defined as an information system used or operated by an executive agency, by a contractor of an executive agency, or by another organization on behalf of an executive agency. 40 U.S.C. § 11331

“Controlled unclassified information” (CUI) is information that requires safeguarding or dissemination controls pursuant to and consistent with law, regulations, and government-wide policies, excluding classified information. EO 13556 (Nov. 2010)

“External information system services are services implemented outside the [federal] authorization boundaries established by the organization for its information systems. These external services may be used by, but are not part of, organizational information systems.” NIST SP 800-37

A “nonfederal information system” is defined as an “information system that does not meet the criteria for a federal information system.” NIST SP 800-171 (Final)

This presentation focuses upon nonfederal information systems operated by organizations that are entrusted with, use or transmit CUI (civilian agencies) or UCTI (for DoD). It does not address federal information systems or systems for classified information.


What is “Controlled Unclassified Information”?

• CUI includes massive amounts of multiple types of sensitive information

• EO 13556 makes the National Archives & Records Administration (NARA) responsible, as “Executive Agent,” for reconciling the many types of CUI

• NARA issued a proposed rule on May 8, 2015 (80 Fed. Reg. 26501)

• The CUI Registry identifies 23 categories and 82 subcategories of CUI, e.g.,

• Technical information with military or space application (UCTI)

• Copyrights & Patents

• Census data

• Critical infrastructure data

• Info subject to export controls

• Financial information

• Geospatial

• Immigration

• Intelligence (e.g., financial records, FISA)

• Law enforcement & Legal

• Personally identifiable information

• Privacy - including PII & PHI (health information)

• Proprietary business records

• SAFETY Act (anti-terrorism related) information


CUI Registry: Categories & Subcategories

• Agriculture
• Controlled Technical Information
• Critical Infrastructure (7 sub)
• Emergency Management
• Export Control (1 sub)
• Financial (9 sub)
• Foreign Government Information
• Geodetic Product Information
• Immigration (7 sub)
• Information Systems Vulnerability
• Intelligence (5 sub)
• Law Enforcement (14 sub)
• Legal (11 sub)
• NATO (2 sub)
• Nuclear (5 sub)
• Patent (3 sub)
• Privacy (8 sub)
• Proprietary Business (5 sub)
• SAFETY Act Information
• Statistical (3 sub)
• Tax (1 sub)
• Transportation (1 sub)

“CUI categories and subcategories are those types of information for which laws, regulations, or Government-wide policies require safeguarding or dissemination controls.” Proposed 32 C.F.R. § 2002.2 (Definitions)


Who has access to CUI?

• Federal Contractors

• State and local governments

• State and local contractors

• Tribal governments

• Colleges & Universities

• Interstate Organizations

• NGOs

• Foreign governments

“Many federal contractors, for example, routinely process, store, and transmit sensitive federal information in their information systems to support the delivery of essential products and services to federal agencies (e.g., providing credit card and other financial services; providing Web and electronic mail services; conducting background investigations for security clearances; processing healthcare data; providing cloud services; and developing communications, satellite, and weapons systems). Additionally, federal information is frequently provided to or shared with entities such as State and local governments, colleges and universities, and independent research organizations.”

NIST SP 800-171 (Final), at 1-1.

NARA estimates that 300,000 contractors & grantees hold Controlled Unclassified Information.


The Federal Interest in Protecting CUI

• Recent well-publicized attacks show both the vulnerability of nonfederal systems and the impact of attacks:
– Target
– Sony Pictures
– JP Morgan
– Anthem Healthcare
– US, EU and Russian banks

“[F]ederal information designated as CUI has the same intrinsic value and potential adverse impact if compromised—whether such information resides in a federal or a nonfederal organization. Thus, protecting the confidentiality of CUI is critical to the mission and business success of federal agencies and the economic and national security interests of the nation.”

NIST SP 800-171 (Final), at 2-5.

CUI of at least equal sensitivity is routinely processed on or transmitted by nonfederal ICT systems. It is as vulnerable as the commercial information on those systems. The impact of a breach can be worse, as it affects privacy and enterprise rights of individuals and companies and can impair agency missions.

OPM Attack: 18 million records

Threats to Nonfederal Information Systems

Adversaries may

– Create and exploit vulnerabilities

– Surveil or extract sensitive information

– Corrupt or destroy information

– Deny or disrupt reliant systems

– Frustrate or interrupt federal and related business functions

Adversaries of many types and motivations

– Governments, Non-government, Sponsored, Criminal Enterprises, Corporations, Rogue Groups, Individuals

• Theft of CUI can compromise U.S. technological leadership and dilute or destroy valuable contractor IP

• Privacy interests of individuals at risk

• Federal missions and systems at risk

“[C]yber threats and incidents to systems supporting the federal government and national critical infrastructures are increasing. These threats come from a variety of sources and vary in terms of the types and capabilities of the actors, their willingness to act, and their motives. For example, advanced persistent threats—where adversaries possess sophisticated levels of expertise and significant resources to pursue their objectives—pose increasing risks. Further underscoring this risk are the increases in incidents that could threaten national security, public health, and safety, or lead to inappropriate access to and disclosure, modification, or destruction of sensitive information. Such incidents may be unintentional, such as a service disruption due to an equipment failure or a natural event, or intentional, where for example, a hacker attacks a computer network or system. Over the past 8 years, the number of information security incidents reported by federal agencies to the U.S. Computer Emergency Readiness Team (US-CERT) has increased from 5,503 in fiscal year 2006 to 67,168 in fiscal year 2014, an increase of 1,121 percent.”

GAO Report, “High-Risk Series” (Feb. 2015)


Few Measures in Effect Today

• No law or general federal acquisition regulation imposes specific cybersecurity measures to protect all forms of CUI in nonfederal information systems.
– Narrow military-specific provisions protect the supply chain against certain high-risk sources (FY 2011 NDAA § 806)
– Some measures restrict country of origin of “high impact” ICT purchases by Commerce, Justice, NASA, NSF
– DoD’s DFARS imposes basic cyber controls to protect its UCTI
– Limited mandatory reporting of cyber events (under the same DFARS clause)

Q: is CUI inherently less important to protect than UCTI?

Q: are non-defense systems at less risk?

Q: is the civilian side of the government indifferent to the risk?

Q: are the potential consequences of vulnerability more tolerable?


Overview of Initiatives Underway

• NARA is the Executive Agent to address “CUI”
– Proposed rule, 80 Fed. Reg. 26501 (comments due July 7, 2015)
– Defines and categorizes CUI (using the CUI Registry)
– Sets safeguarding standards as “Basic” or “CUI Specified” (enhanced, or different)
– Adopts NIST SP 800-171 as the basis for safeguards
– Establishes access and dissemination policies
– Assigns designation and marking responsibilities to agencies

• NIST SP 800-171 (Final) (June 2015)
– Protects confidentiality of all CUI at the “moderate” impact level of FIPS 199
– States performance- or capability-based requirements that elaborate upon FIPS 200 but do not contain the “how to” rules of 800-53
– Intent is to capture the intent of the 800-53 “Moderate” baseline but not to obligate private companies to use specific 800-53 controls
– Does not contain an obligatory assessment or accreditation mechanism

• Individual agencies: DoD (UCTI) and DHS (“Sensitive Information”)
• 8(e) “Joint Working Group” studying contractual implementation
• NARA leads drafting of “single FAR clause” to protect CUI


Protecting CUI for the Federal Enterprise

• NARA responsible to identify, categorize and designate CUI

• 8(e) JWG studies acquisition measures and contract tools

• NARA leads drafting of the “single FAR clause”

• NIST sets the cyber control requirements to protect CUI

• Agencies decide which acquisitions are subject to requirements and tailor to suit mission criticality, risk, resilience, etc.

• Contractors execute – as required by solicitation and contract

[Diagram: NIST, NARA, JWG, FAR, Contracts]

Achieving a contractual regime to protect CUI against cyber risk requires complex coordination and needs stakeholder participation.

“mid-July” 201? – Expect faster action


NARA: Defining & Designating CUI to be Protected

• The proposed rule categorizes all CUI at the “moderate” FIPS impact level. Does some CUI need more protection? Or less?
• More than 1,000 intra-agency comments were “adjudicated”
• Rule seeks consistency but distinguishes between “Basic” and “CUI Specified” (special) standards if “required or permitted by authorizing laws, regulations or Government-wide policies.”
– “CUI Specified” standards are allowed only if NARA includes them in the CUI Registry.
– Will agencies acquiesce to NARA control over categorization?
– Agencies will consider themselves best informed both to identify and designate (their) CUI and to recognize special risks and impacts.
– Can NARA’s regime be reconciled with agencies who seek to “tailor” controls?
• Agency responsibility to designate and mark is crucial.
– Both agencies and contractors must know what CUI is to be protected.
– Final rule should address CUI created or developed under contract.


8(e) JWG: Acquisition Methods & Contract Tools

• “Responsible” contractor threshold

• Solicitation & SOW Requirements

• Source Selection Criteria (evaluation)

• Contract clauses (prime level)

• Flowdown clauses

• Special provisions (higher protection)

• Data Item Descriptions (CUI marking)

• Reporting obligations

• Validation, access and audit?

Tailor requirements to criticality, risk, cost

Sanctions:
• Damages
• Breach of contract
• Termination
• Adverse performance report
• If “willful” or “reckless” – suspension/debarment; False Claims Act

Many issues to address to produce a regime that is at once fair, workable, practicable & affordable.


SP 800-171: Extending NIST to the Private Sector

NIST SP 800-171 embraces existing private sector measures – and accepts alternative controls – to achieve federal purposes.

• The distinction between the 14 families of “requirements” in SP 800-171 and 800-53 controls and enhancements may not be well understood, however.

• The intent is for commercial companies to assess their systems in reference to narrative 171 “requirements” rather than the specific controls in 800-53.

• NIST recognizes that 800-53 was developed for federal systems while 171 is to achieve similar and sufficient goals (to protect confidentiality) in the in-place systems of contractors.

• SP 800-171 is now Final. Expect to see agencies utilize it – soon.

Important Assumptions of SP 800-171

“Additional assumptions also impacting the development of the CUI security requirements and the expectation of federal agencies in working with nonfederal entities include:
• Nonfederal organizations have information technology infrastructures in place, and are not necessarily developing or acquiring information systems specifically for the purpose of processing, storing, or transmitting CUI;
• Nonfederal organizations have specific safeguarding measures in place to protect their information which may also be sufficient to satisfy the CUI security requirements;
• Nonfederal organizations can implement a variety of potential security solutions either directly or through the use of managed services, to satisfy CUI security requirements; and
• Nonfederal organizations may not have the necessary organizational structure or resources to satisfy every CUI security requirement and may implement alternative, but equally effective, security measures to compensate for the inability to satisfy a particular requirement.”

NIST SP 800-171 (Final), at 2-5 (emph. added).


NIST SP 800-171: Relevant Comparisons

• SP 800-171 sets its own requirements; these are built from FIPS 200 and mapped to show relevant controls from 800-53 and counterparts in ISO/IEC 27001

• Comparing “controls” among the DFARS, SP 800-171 and SP 800-53 is difficult, but there are distinctions:

– The DFARS UCTI refers to 51 controls from 800-53 but 61 if you count controls + enhancements. These 61 translate to >275 “task statements.”

– SP 800-171 (Final Draft) stated 109 requirements; these “map” to 122 controls from 800-53 but there are “only” 109 “task statements.”

– Properly understood, industry should find it less demanding (and have more alternatives) to comply with 800-171 than 800-53 (or DFARS).

• Expect DoD to issue a rule to adopt in the DFARS and apply SP 800-171 controls to UCTI.

“In addition to defining safeguarding requirements for CUI within the federal government, NARA has taken steps to alleviate the potential impact of such requirements on nonfederal organizations by jointly developing with NIST, Special Publication 800-171 — defining security requirements for protecting CUI in nonfederal information systems and organizations. This will help nonfederal entities, including contractors, to comply with the security requirements using the systems and practices they already have in place, rather than trying to use government-specific approaches. It will also provide a standardized and uniform set of requirements for all CUI security needs, tailored to nonfederal systems, allowing nonfederal organizations to be in compliance with statutory and regulatory requirements, and to consistently implement safeguards for the protection of CUI.”

NIST SP 800-171 (Final), at vi.

Primary security objective: confidentiality


A Comparative Example

NIST SP 800-171, 3.6 Incident Response

Basic Security Requirements:
3.6.1 Establish an operational incident-handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities.
3.6.2 Track, document, and report incidents to appropriate officials and/or authorities both internal and external to the organization.

Derived Security Requirement:
3.6.3 Test the organizational incident response capability.

NIST SP 800-53r4, Family: Incident Response
15 pages of controls & enhancements


Agency Role: Balancing Cost & Risk

• Agencies best understand threat and the risk of cyber attack to their crucial functions that depend on nonfederal info systems.

• Agencies are in the best position to know which information is “CUI.”

• Agencies best informed to categorize sensitivity of their information and impact upon their mission of lost confidentiality.

• Agencies can best assess supply chain impact upon their missions. E.g., FISMA, FIPS, FedRAMP, NIST.
• Agencies also have specific needs for event reporting, for information security and for restoration/resilience.

Agencies ultimately are responsible for implementation costs. They also must temper risk perception with recognition of potential costs, effect upon competition, and impacts to their access to the technology base.

Agencies will seek a role in selection and tailoring of controls, validation and oversight. NARA seeks to tightly control both categorization of CUI and the applicable safeguards.


Specific Agency Initiatives


DoD UCTI Regulations

DFARS 252.204-7012 (Final Rule) (Nov. 12, 2014)

DoD is far ahead of civilian agencies in protecting its UCTI
– DoD defines “UCTI” by DoDI 5230.24 “distribution statements”
– DFARS clause 252.204-7012 is required for use in all solicitations and contracts, including COTS
– DoD has issued Procedures, Guidance and Information (PGI) 204.73
– DoD selects 51 SP 800-53 controls
– DoD requires 72-hr. reporting
– No prior review or means to assess

Consequences to contractors who suffer a cyber event? Not clear.

UCTI measures will be subsumed into the CUI regime.

Strengthen cybersecurity throughout the product lifecycle

A vital aspect of maintaining U.S. technological superiority is ensuring cybersecurity of our networks and systems. Systems today, as well as all of their external interfaces, must be resilient from cyber adversaries. The Department has initiated a series of actions to improve military system cybersecurity from concept development to disposal, but much more needs to be done. This initiative will help to focus and accelerate DoD’s efforts to address planning, designing, developing, testing, manufacturing, and sustaining activities with cyber security constantly in mind. This initiative addresses both classified and unclassified information as well as potential access to DoD products in the field and through the supply chain. Unclassified controlled technical information (CTI), potentially accessible through commercial interfaces, is particularly vulnerable to traditional and nontraditional foreign intelligence collection. When compromised, this information can significantly degrade U.S. technological superiority by saving an adversary time and effort …


What is Protected – Who is Affected – What is Expected

“Controlled Technical Information” “means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.” 78 Fed. Reg. 69273, at 69280 (11/18/2013)

UCTI includes:
• Technical data
• Computer software including executable code and source code
• Engineering data
• Drawings
• Associated specifications
• Data sets
• Studies and analyses

DFARS Clause 252.204-7012:
• Included in all solicitations and contracts
• Mandatory flow down to subcontracts
• Included in commercial item contracts
• Specifies minimum* security controls for safeguarding
• Clarifies reporting requirements

* Safeguarding requirements: To provide adequate security the contractor shall apply “other information systems security requirements” if “required to provide adequate security in a dynamic environment based on an assessed risk of vulnerability.” DFARS 252.204-7012(b)(2)

Reportable Cyber Incidents: “A cyber incident involving possible exfiltration, manipulation, or other loss or compromise of any unclassified controlled technical information resident on or transiting through Contractor’s, or its subcontractors’, unclassified information systems.”

Page 25

DoD is Pushing UCTI Compliance

“In addition to addressing classified system information, this initiative’s objective is to improve CTI protection in both the government and the industrial base, including the supply chain. In FY 2014, the Department amended the Defense Federal Acquisition Regulation Supplement (DFARS) to safeguard unclassified CTI; we must now ensure this provision is effectively applied to all new DoD contracts.”

(9 April 2015 Memorandum, p.6.)

Page 26

DoD's Present UCTI Regulations (DFARS)

• Requires DoD contractors and subcontractors to

– Safeguard unclassified controlled technical information

– Report cyber incidents

Applies to contracts and subcontracts requiring safeguarding of unclassified controlled technical information resident on or transiting through contractor unclassified information systems. DFARS 204.7300.

Contract clause at DFARS 252.204-7012 is to be used “in all solicitations and contracts, including solicitations and contracts using FAR Part 12 …”

“Controlled Technical Information” “means technical information with military or space application that is subject to controls on the access, use, reproduction, modification, performance, display, release, disclosure, or dissemination.” 78 Fed. Reg. 69273, at 69280

Contractor’s obligation is to provide adequate security; the contractor shall apply “other information systems security requirements” if “required to provide adequate security in a dynamic environment based on an assessed risk of vulnerability.” DFARS 252.204-7012(b)(2)

Page 27

DHS Class Deviation 15-01 (Mar. 9, 2015)

• Applicability of DHS Special Clause

– Into “existing and new high risk contracts”

– Where contractor has access to “sensitive information”

– Or where its IT systems input, store, process, output or transmit such information

– Add by bilateral mod to existing contracts; include in new solicitations or amend pending

• Requirements Traceability Matrix (RTM) required – to identify “security controls that must be implemented” on the contractor’s IT system

– Per FIPS 199; minimum rating no less than “Moderate”

• New Clause – “Safeguarding of Sensitive Information” (March 2015)

– Defines PII, SI, “PCII” (Protected Critical Infrastructure Information), “SSI” (Sensitive Security Information) et al.

– Contractor required to follow multiple DHS-specific controls, policies & guidance and NIST 800-53

– Independent assessment req’d per 800-53

– Includes DHS-specific (1-day!) reporting requirement

http://www.dhs.gov/sites/default/files/publications/HSAR%20Class%20Deviation%2015-01%20Safeguarding%20of%20Sensitive%20Information.pdf

Page 28

CUI: Where We Stand Today

Page 29

“Expectations, Incentives, Duties & Sanctions”

• Expectations: setting minimum cyber controls informs prospective bidders of eligibility requirements

• Incentives: bidders should see voluntary imposition of controls as likely to improve competitive posture

• Duties: contract mechanics should clearly inform companies of what is expected of them, how they will demonstrate minimum controls, what role the agency will play in identification of CUI or system approval, and how to report cyber events

• Sanctions: once the necessary elements of the basic regime are in place, threat of sanctions can reinforce

Page 30

Stakeholder Participation

• The CUI initiative should be monitored closely.

• CUI cyber protection measures will affect thousands of civil contractors but costs and operational impact are unknown.

• The fragmented nature of the effort – NARA, JWG, NIST, Agencies – means it is difficult to predict either the timing or the substance of the final, general regulation – the “single FAR clause” that NARA aims towards. The OPM Attack is likely to accelerate agency actions, elevate safeguarding requirements and dictate prompt reporting.

• DoD’s UCTI DFARS and now the DHS Special Clause show that agencies will act ahead of general federal measures.

• Industry must work with the agencies, NIST and NARA to assess potential costs and consequences of extending the federal cyber regime outside its original boundaries.

• Industry should take full use of “notice and comment.”


Page 31

Cyber-Supply Chain: Threat Convergence

Page 32

Cyber Risk is present in Supply Chain Vulnerability

“Recent DoD and U.S. interest in counterfeit parts has resulted in the identification of widespread introduction of counterfeit parts into DoD systems through commercial supply chains. Since many systems use the same processors and those processors are typically built overseas in untrustworthy environments, the challenge to supply chain management in a cyber-contested environment is significant.”

“DoD is in the process of institutionalizing a Supply Chain Risk Management (SCRM) strategy that prioritizes scarce security resources on critical mission systems and components, provides intelligence analysis to acquisition programs and incorporates vulnerability risk mitigation requirements into system designs.”

(at p.4)

Page 33

Supply Chain Risk Management

Supply Chain Risk Management:

“A systematic process for managing supply chain risk by identifying susceptibilities, vulnerabilities and threats throughout DoD’s ‘supply chain’ and developing mitigation strategies to combat those threats whether presented by the supplier, the supplied product and its subcomponents, or the supply chain (e.g., initial production, packaging, handling, storage, transport, mission operation, and disposal).”

DoDI 5200.44 (Nov. 5, 2012)

Assured Microelectronics Policy (DoD Sen. Rept. 113-85) (July 2014)

“The intent of the threat assessment is to protect mission-critical functions and CC, including critical microelectronics, by identifying and defending against the risk that an adversary may sabotage, maliciously introduce unwanted functions, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system.

***

The goal of these protective measures is to reduce the risk to the mission by mitigating identified threats and vulnerabilities, such as malicious code insertions or counterfeit parts or the loss of technical information. Risk to system trust is managed throughout the entire system life cycle beginning with design and before the acquisition or integration of CC into covered systems.”

Page 34

Three Categories of Threats

We will consider acquisition and contracting measures intended to protect the supply chain against:

• Physical threats – counterfeit electronic parts

• Cyber-physical threats – maliciously encoded (or cyber-vulnerable) electronic parts

• Cyber threats – to “nonfederal” information and communications systems (ICT) and control systems

Threats include insertion of deficient, tainted or tampered parts into the supply chain, extraction of information from suppliers and creation or exploitation of software/firmware vulnerabilities

Page 35

Physical (“Fakes”) vs. Cyber-Physical (“Taints”)

“Taint”

“sabotage, maliciously introduce unwanted functions, or otherwise subvert … a system in order to conduct surveillance or to deny access to, disrupt, or otherwise degrade its reliability or trustworthiness.”

Common Criteria Supply Chain Technical Working Group, DRAFT “Supply Chain Security Assurance” April 2012, available at

http://www.commoncriteriaportal.org/

The Ordinary (“Fake”) Counterfeit Part:

- Substandard or non-functional

- Likely to fail in intended environment

- Presents risk to operations & reliability

- Methods exist to detect (in most cases)

Injury:

- degradation of performance

- diminished reliability

- potential device/system failure

- burden on support & sustainment

- costs of “remediation”

Typically a counterfeit electronic part contains no active mechanism that can be exploited by an adversary.

The “Taint”:

- Unexpected functionality

- Potentially latent functions

- Vector to induce or exploit cyber attack

- Risk of unauthorized extraction

- Threat to critical systems and mil ops

Increased Attention to “Taints”

Focus of 818 and DFARS is on “Fakes”

Page 36

Sources of the Problem; Nature of the Threat

The principal motivation for counterfeit parts, addressed by Section 818, is profit. Bad actors seek to answer demand for scarce parts by offering well-priced fakes that appear genuine -- but are not.

“Malicious” parts may be counterfeit but their threat is different. They may be produced by adversary states or tolerated by state actors. Very sophisticated techniques and resources may be applied. The risk is more than that parts will fail. Threats to operations and to information are posed through hardware, firmware and software, e.g., “Malware,” “Trojan Horse,” “Denial of Service,” Intelligence Extraction, etc.

• Section 818 will reduce the risk of both counterfeits and malicious parts by emphasizing reliance on trusted suppliers

• For national security systems and critical information and communications networks, however, a different and even more demanding response is required

Page 37

SASC Investigation of Counterfeit Parts

Senate Armed Services Committee hearings in 2011 focused attention on the threat and prompted Congress to “legislate supply chain security” through Section 818 of NDAA 2012.

Page 38

SASC Investigation & Findings

Key SASC findings:

• China is the dominant source country for counterfeit electronic parts;

• The Chinese government has failed to take steps to stop counterfeiting operations;

• DoD lacks knowledge of the scope and impact of counterfeit parts on critical defense systems;

• The use of counterfeit parts in defense systems can compromise performance, reliability and safety of military personnel;

• Industry’s reliance on unvetted independent distributors results in unacceptable risks;

• Weaknesses in the testing regime for electronic parts create vulnerabilities; and

• The defense industry routinely failed to report cases of suspect counterfeit parts.

Page 39

Why such demand for counterfeits? Why such supply?

Causes of Demand; Contributors to Supply

Causes of Demand:

• Long life cycle for defense systems

• Short cycle for commercial parts

• Obsolescence & DMSMS

• Reliance on commercial sources

• Global supply chain vs controlled “MIL SPEC” system

• Poor program planning

• COTS purchases w/o traceability

• Price-focused purchasing (LPTA)

• Unavailability of required parts from “Trusted Suppliers”

• Small business preferences

• Reduced DoD “market influence”

Contributors to Supply:

• E-waste from developed world

• China now is a leading supplier of both electronic parts and systems

• Permissive Chinese gov’t policy

• Electronic parts are procured through international markets

• Opportunistic rather than relationship purchasing practices

• A global supply chain of multinationals

• High profits to be made

• Sophistication of counterfeiters

• Lax enforcement

In contrast, the threat of insertion of malicious parts in the defense supply chain is the product of deliberate action taken or allowed by state actors.

Page 40

Section 818’s Primary Target: Fakes

The principal motivation for counterfeit parts, addressed by Section 818, is profit. Bad actors seek to answer demand for scarce parts by offering well-priced fakes that appear genuine -- but are not.

Demand is greatest for parts that are obsolete, out of production and no longer available from OCMs or authorized distributors.

DoD is vulnerable because of the long life of legacy systems that still require support.

From a cyber perspective, threats may exploit vulnerability of legacy systems where enemies are capable of introducing tainted parts.

Page 41

“Cyber-Physical” Threat of Cloned EEE Parts

• Examples reportedly have been identified of cloned, current production electronic parts

– From major suppliers

– Of significant complexity

– That mimic electrical functionality

• Clones are produced by illegal but highly capable enterprises

• Detection of clones is costly and difficult – but not impossible

The existence of clones points to greater possibility that hostile actors will insert harmful code using clones as carriers.

“Removal of an integrated circuit from its packaging and replacement with a subversive die into the same package can be used to modify processor behavior under trigger conditions determined by the attacker.”

(2013 DSB Report, at 25.)

Page 42

Some Disturbing Propositions

“ORDINARY” COUNTERFEIT PARTS

• The threat of individual “fakes” is isolated to the hardware where installed

• Supply chain vulnerability is largely a function of purchasing controls and QA – it can be “preempted” by design solutions and mitigated by test & inspection

• Multiple sources of risk-informing data facilitate detection and avoidance

• The typical counterfeit escape exposes a system to risk of premature failure but non-functionality likely can be detected and replacement often will fix

MALICIOUSLY ENCODED COUNTERFEIT PARTS (OR CORRUPTED SOFTWARE)

• A “tainted” part can introduce vulnerability across connected systems

• The hazard may be concealed and intentionally placed in a dormant state

• There are numerous points in the supply chain that are vulnerable

• The consequences of a cyber-supply chain attack are potentially “existential”

• The means to preempt or preclude such attacks are not well understood

Page 43

New Initiatives Responding to New Threats

Strengthen cybersecurity throughout the product lifecycle

A vital aspect of maintaining U.S. technological superiority is ensuring cybersecurity of our networks and systems. Systems today, as well as all of their external interfaces, must be resilient from cyber adversaries. The Department has initiated a series of actions to improve military system cybersecurity from concept development to disposal, but much more needs to be done. This initiative will help to focus and accelerate DoD’s efforts to address planning, designing, developing, testing, manufacturing, and sustaining activities with cyber security constantly in mind. This initiative addresses both classified and unclassified information as well as potential access to DoD products in the field and through the supply chain.

Unclassified controlled technical information (CTI), potentially accessible through commercial interfaces, is particularly vulnerable to traditional and nontraditional foreign intelligence collection. When compromised, this information can significantly degrade U.S. technological superiority by saving an adversary time and effort …

Page 44

DoD’s Supply Chain Measures

Page 45

Relevant DFARS Regulations

Detection & Avoidance of Counterfeit Electronic Parts

DFARS Case 2012-D055; 79 Fed. Reg. 26092; May 6, 2014

DFARS 252.246-7001; DFARS 252.246-7007

Implements FY 2012 NDAA Section 818

Requirements Relating to Supply Chain Risk (Interim Rule)

DFARS Case 2012-D050; 78 Fed. Reg. 69268; Nov. 18, 2013

DFARS 252.239-7008

Implements FY 2011 NDAA Section 806

Safeguarding Unclassified Controlled Technical Information

DFARS Case 2011-D039; 78 Fed. Reg. 69273; Nov. 18, 2013

DFARS Subpart 204.73; DFARS 252.204-7012

Minimum cyber security + reporting

Page 46

FAR Higher Level Quality

Higher Level Quality Requirements (Interim Rule)

FAR Case 2012-032; 79 Fed. Reg. 70345; Nov. 25, 2014

FAR 46.202–4

Allows agencies to specify and require higher level quality for complex or critical items

Page 47

Fundamental Purposes & Reach (Supply Chain Risk | UCTI | Counterfeit Parts)

Principal Purpose

– Supply Chain Risk: Protect DoD supply chain against specific sources identified as presenting risk of tampered, tainted or maliciously encoded parts

– UCTI: Require minimum level of safeguards to protect UCTI information and to require reporting to DoD of certain cyber incidents

– Counterfeit Parts: Mandate DoD contractors to take systematic measures to detect and avoid counterfeit electronic parts.

Identified Threat

– Supply Chain Risk: Sabotage or subversion of national security systems

– UCTI: Theft of data by adversaries providing insight into defense and industrial capabilities

– Counterfeit Parts: Counterfeit electronic parts are a threat to the safety and operational effectiveness of systems

Applicability

– Supply Chain Risk: Acquisition of information technology for national security systems (“covered systems”)

– UCTI: To contracts and subcontracts req’g safeguarding of UCTI on non-federal contractor information systems

– Counterfeit Parts: “Covered contractors” (CAS-covered)

“Reach”

– Supply Chain Risk: All solicitations for development or delivery of any IT (service or supply)

– UCTI: All solicitations and contracts including … FAR part 12 procedures for the acquisition of commercial items

– Counterfeit Parts: All subcontractors … at all tiers. Flow down applies to all of the supply chain of covered contractors (inc’g COTS, CI and SBs)

Supply Chain Risk: Cyber-Physical | UCTI: Cyber | Counterfeit Parts: Physical

Page 48

Section 806 Regulations: DFARS 252.239-7008

Interim Rule Nov. 18, 2013

Page 49

Section 806 of NDAA FY 2012

“Supply Chain Risk” – Section 806(e)(4)

“The term ‘supply chain risk’ means the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a covered system so as to surveil, deny, disrupt, or otherwise degrade the function, use or operation of such a system.”

§ 806 authorizes exclusion of high risk suppliers

• Applies narrowly to “covered procurements” of National Security Systems where there is a “significant supply chain risk to a covered system”

• Sources may be excluded based on an assessment of “significant supply chain risk”

• Assessment may reflect all-source intelligence risk assessment

• A written determination is required that exclusion is necessary

• DoD need not disclose basis of exclusion

• DFARS included in all solicitations – including commercial contracts – because DoD believes it cannot know which systems might support or link to national security systems and selective application presents operational security risks.

Interim Rule – sunsets at end FY 2018

The 806 DFARS exclusion is imposed on, not implemented by, contractors:

“The Contractor shall maintain controls in the provision of supplies and services to the Government to minimize supply chain risk.”

DFARS 252.239-7018(b)

Page 50

DFARS Subpart 239.73 (Nov. 18, 2013)

“The rule establishes a new provision and clause (see DFARS 239.7306) for inclusion in all solicitations and contracts, including contracts for commercial items or commercial off-the-shelf items involving the development or delivery of any information technology, whether acquired as a service or as a supply, because portions of these contracts may be used to support or link with one or more NSS.” 78 Fed. Reg. 69268.

“The Contractor shall maintain controls in the provision of supplies and services to the Government to minimize supply chain risk.” DFARS 252.239-7018(b)

“This rule applies to contractors involved in the development or delivery of any information technology, whether acquired by DoD as a service or as a supply.” 78 Fed. Reg. 69269.

DFARS Subpart 239.7306: insert the clause, “Notice of Supply Chain Risk,” in all solicitations, including FAR Part 12, that involve the development or delivery of any IT whether acquired as a service or as a supply.

As defined, “information technology” includes equipment “used by a contractor under a contract with the agency” where its use is required to perform the service.

Page 51

Section 818, NDAA FY 2012

Page 52

Fundamental Requirements of Section 818

818(c)(3) TRUSTED SUPPLIERS.—The revised regulations issued pursuant to paragraph (1) shall—

(A) require that, whenever possible, the Department and Department contractors and subcontractors at all tiers—

(i) obtain electronic parts that are in production or currently available in stock from the original manufacturers of the parts or their authorized dealers, or from trusted suppliers who obtain such parts exclusively from the original manufacturers of the parts or their authorized dealers; and

(ii) obtain electronic parts that are not in production or currently available in stock from trusted suppliers;

(B) establish requirements for notification of the Department, and inspection, testing, and authentication of electronic parts that the Department or a Department contractor or subcontractor obtains from any source other than a source described in subparagraph (A);

(C) establish qualification requirements, consistent with the requirements of section 2319 of title 10, United States Code, pursuant to which the Department may identify trusted suppliers that have appropriate policies and procedures in place to detect and avoid counterfeit electronic parts and suspect counterfeit electronic parts; and

(D) authorize Department contractors and subcontractors to identify and use additional trusted suppliers, provided that—

(i) the standards and processes for identifying such trusted suppliers comply with established industry standards;

(ii) the contractor or subcontractor assumes responsibility for the authenticity of parts provided by such suppliers as provided in paragraph (2); and

(iii) the selection of such trusted suppliers is subject to review and audit by appropriate Department officials.

(e) IMPROVEMENT OF CONTRACTOR SYSTEMS FOR DETECTION AND AVOIDANCE OF COUNTERFEIT ELECTRONIC PARTS.—

(1) IN GENERAL.—Not later than 270 days after the date of the enactment of this Act, the Secretary of Defense shall implement a program to enhance contractor detection and avoidance of counterfeit electronic parts.

(2) ELEMENTS.—The program implemented pursuant to paragraph (1) shall—

(A) require covered contractors that supply electronic parts or systems that contain electronic parts to establish policies and procedures to eliminate counterfeit electronic parts from the defense supply chain, which policies and procedures shall address—

(i) the training of personnel;

(ii) the inspection and testing of electronic parts;

(iii) processes to abolish counterfeit parts proliferation;

(iv) mechanisms to enable traceability of parts;

(v) use of trusted suppliers;

(vi) the reporting and quarantining of counterfeit electronic parts and suspect counterfeit electronic parts;

(vii) methodologies to identify suspect counterfeit parts and to rapidly determine if a suspect counterfeit part is, in fact, counterfeit;

(viii) the design, operation, and maintenance of systems to detect and avoid counterfeit electronic parts and suspect counterfeit electronic parts; and

(ix) the flow down of counterfeit avoidance and detection requirements to subcontractors; and

(B) establish processes for the review and approval of contractor systems for the detection and avoidance of counterfeit electronic parts and suspect counterfeit electronic parts, which processes shall be comparable to the processes established for contractor business systems under section 893 of the Ike Skelton National Defense Authorization Act for Fiscal Year 2011.

Page 53

Section 818 of NDAA FY 2012

• Detection

• Exclusion

• Enforcement

• Purchasing Practices

• Inspection & Testing

• Reporting

• Corrective Measures

• Contractor Systems

• Costs & Incentives

• Sanctions

Section 818 Operates At Many “Junctions” of the Supply Chain

Section 818 Addresses Only Counterfeit Electronic Parts For DoD

There is no statutory counterpart for cyber and cyber-physical security

Page 54

Features of Section 818

• Applies to “covered contractors who supply electronic parts or products that include electronic parts” 818(c)(2)(A)

• Costs of rework or corrective action “required to remedy the use or inclusion of counterfeit electronic parts are not allowable” 818(c)(2)(B) – not limited to costs on supply

• “whenever possible, [DoD] contractors and subcontractors at all tiers” are to obtain electronic parts from trusted suppliers 818(c)(3)(A)

• reporting requirement applies to “any Department contractor or subcontractor who becomes aware …” of a counterfeit 818(c)(4)

Page 55

DFARS: Detection & Avoidance of Counterfeit Electronic Parts

79 Fed. Reg. 26092 (May 6, 2014)

Page 56

Who is Subject to the DFARS?

The DFARS confirm that Sec. 818 is “specifically limited to ‘covered contractors’” and that the initial implementation of the rules “has limited application at the prime contract level to CAS-covered contractors.” 79 Fed. Reg. 26098.

However, the flow down requirement causes the rule to affect all subs – including small businesses

“However, all levels of the supply chain have the potential for introducing counterfeit or suspect-counterfeit electronic items into the end items contracted for under a CAS-covered prime contract. The prime contractor cannot bear all responsibility for preventing the introduction of counterfeit parts. By flowing down the prohibitions against counterfeit and suspect counterfeit electronic items and the requirements for systems to detect such parts to all subcontractors that provide electronic parts or assemblies containing electronic parts (without regard to CAS-coverage of the subcontractor), there will be checks instituted at multiple levels within the supply chain, reducing the opportunities for counterfeit parts to slip through into end items.” 79 Fed. Reg. 26099.

The final rule does exclude small business set-asides, because CAS does not apply to contracts with small businesses. “This rule does not apply to small entities as prime contractors.” 79 Fed. Reg. 26105. This limits application of the DFARS when DoD purchases directly from a small business, but it does not affect flow down from covered contractors.

Promulgation comments recognize that small business subcontractors will incur “some costs for complying with prime contractors’ requirements.”

Page 57

Part 202: Definitions

Counterfeit Electronic Part: “an unlawful or unauthorized reproduction, substitution, or alteration that has been knowingly mismarked, misidentified, or otherwise misrepresented to be an authentic, unmodified electronic part from the original manufacturer, or a source with the express written authority of the original manufacturer or current design activity, including an authorized aftermarket manufacturer. Unlawful or unauthorized substitution includes used electronic parts represented as new, or the false identification of grade, serial number, lot number, date code, or performance characteristics.”

Electronic Part: “an integrated circuit, a discrete electronic component (including, but not limited to, a transistor, capacitor, resistor, or diode), or a circuit assembly (section 818(f)(2) of Pub. L. 112–81). The term ‘‘electronic part’’ includes any embedded software or firmware.”

Obsolete Electronic Part: “an electronic part that is no longer in production by the original manufacturer or an aftermarket manufacturer that has been provided express written authorization from the current design activity or original manufacturer.”

Suspect Counterfeit Electronic Part: “an electronic part for which credible evidence (including, but not limited to, visual inspection or testing) provides reasonable doubt that the electronic part is authentic.”

Electronic part: the definition implies cyber-physical security issues and concerns of tainted hardware.

There are some reports that DoD will revise the DFARS to eliminate this definition.

Page 58

Part 252: Solicitation Provision & Contract Clauses

• DFARS 252.244–7001 Contractor Purchasing System Administration

• DFARS 252.246–7007 Contractor Counterfeit Electronic Part Detection and Avoidance System

246.870-3 Contract Clause

(a) Except as provided in paragraph (b) of this section, use the clause at 252.246–7007, Contractor Counterfeit Electronic Part Detection and Avoidance System, in solicitations and contracts when procuring—

(1) Electronic parts;

(2) End items, components, parts, or assemblies containing electronic parts; or

(3) Services where the contractor will supply electronic parts or components, parts, or assemblies containing electronic parts as part of the service.

(b) Do not use the clause in solicitations and contracts that are set aside for small business.

Flowdown paragraph of the clause: “(e) The Contractor shall include the substance of this clause, including paragraphs (a) through (e), in subcontracts, including subcontracts for commercial items, for electronic parts or assemblies containing electronic parts.”

Page 59

Contract Clause: The clause at DFARS 252.246-7007 (CPDAS) is to be used in solicitations and contracts when procuring … “[s]ervices where the contractor will supply electronic parts or components, parts, or assemblies containing electronic parts as part of the service.”

The clause applies if the contractor is subject to CAS.

Considerations for Service Providers

Definition of “Electronic Part”: “an integrated circuit, a discrete electronic component (including, but not limited to, a transistor, capacitor, resistor, or diode), or a circuit assembly … The term ‘‘electronic part’’ includes any embedded software or firmware.” The definition implies cyber-physical security issues and concerns of tainted hardware.

Contract Cost Principles: “costs of counterfeit electronic parts or suspect counterfeit electronic parts and the cost of rework or corrective action that may be required to remedy the use or inclusion of such parts are unallowable.” [except if a narrow safe harbor is available] DFARS 231.205-71. The cost principles apply to all companies subject to the DFARS; they are not limited to companies that supply parts, assemblies or systems.

Subcontracting Policies & Procedures: The ACO is responsible for reviews of the contractor’s purchasing system; the review is to include “the adequacy of the contractor’s counterfeit electronic part detection and avoidance system under DFARS 252.246-7007.” A service provider subject to purchasing system review would be likely to receive scrutiny of the adequacy of its CPDAS.

A service provider subject to CAS could be found obligated to flow down the CPDAS contract clause to subcontractors at all levels of the supply chain.

Page 60

DFARS

Twelve System Criteria 252.246–7007(c)(1-12)

Page 61

System Criteria (1) Training

The training of personnel. Contractors have flexibility. Training should be tailored to function and responsibility. Refresher training is needed as new standards, threats, etc. emerge. Should a covered contractor confirm that its subcontractors conduct training also?

Generally, training is extremely important. Functions that “touch” on parts acquisition, receipt and use should be informed of counterfeit threat and knowledgeable of command media instructions to detect and avoid.

Training to defend against cyber physical threats is much more difficult. Goals are to train personnel to recognize threats, to utilize available open (and closed source) information, to assess and act upon inherent or induced vulnerability. This may require a CI function (if available), cleared personnel and support from design and engineering disciplines. Government is in best position to communicate threat information (sources, vector).

Page 62

System Criteria (2) Inspection and Testing

The inspection and testing of electronic parts, including criteria for acceptance and rejection. Tests and inspections shall be performed in accordance with accepted Government- and industry-recognized techniques. Selection of tests and inspections shall be based on minimizing risk to the Government. Determination of risk shall be based on the assessed probability of receiving a counterfeit electronic part; the probability that the inspection or test selected will detect a counterfeit electronic part; and the potential negative consequences of a counterfeit electronic part being installed (e.g., human safety, mission success) where such consequences are made known to the Contractor.

Today, there are neither established nor common criteria to inform contractors on how to select tests and inspection and how to address the costs of higher level and potentially destructive tests.

The pending SAE AS-6171 provides a hierarchy of test methods and provides a mechanism for risk-based analysis with needed detail. It examines Risk as to the Supplier (RS), as to the Component (RC) and as to the Product (RP) and takes into account Adjustment factors and potential mitigation measures for each risk area. This is an objective method for contractors to make risk-informed decisions. Because necessary electronic parts cannot always be obtained from preferred, authorized sources such as OCMs, standards to guide industry and government are critical.

Contractors still will face situations where they do not and cannot know the intended or eventual utilization of a given part. Nor are contractors assured of having relevant knowledge of the “threat” relevant to the risk of receiving a counterfeit.

This aspect of the DFARS will reduce the risk of “taints,” but AS-6171 is not intended to identify alteration of embedded software or firmware. The risk of taints is threat-driven, and contractors ordinarily do not have access to this information. Nor is a “gold standard” always available to test against a known authentic part.

It is the purchaser’s responsibility under AS-6171 to supply the information that drives the risk assessment; it is the purchaser’s responsibility to decide upon the test and assurance measures.
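The three factors the clause names (probability of receiving a counterfeit, probability that a chosen test detects it, and the consequence of an escape) can be turned into a selection procedure. What follows is an added example, not part of the original briefing and not the AS-6171 method: the test catalogue, detection probabilities, costs and source-risk figures are constructed assumptions, and it treats detection probabilities as independent, which real test flows only approximate. It picks the cheapest set of inspections whose residual risk falls under a tolerance, and returns None when no combination can get there, which is the signal to reject the source or change the part rather than test harder.

```python
"""Risk-based selection of inspections and tests for an electronic part lot.

Illustrative model (added example; not AS-6171, not DFARS text):
    residual risk = P(counterfeit from this source)
                    * P(every selected test misses it)
                    * consequence of an escape
We choose the cheapest test set that drives residual risk at or below a
tolerance. Independence of detection probabilities is an assumption.
"""
from dataclasses import dataclass
from itertools import combinations


@dataclass(frozen=True)
class Test:
    name: str
    p_detect: float   # assumed probability the test catches a counterfeit
    cost: float       # assumed cost per lot, arbitrary units


# Constructed catalogue; numbers are illustrative, not from any standard.
CATALOGUE = (
    Test("visual_inspection", 0.40, 1.0),
    Test("xray_xrf", 0.70, 4.0),
    Test("electrical_test", 0.75, 6.0),
    Test("decapsulation", 0.90, 15.0),   # destructive: sacrifices samples
)

# Constructed source-risk table: assumed P(receiving a counterfeit).
SOURCE_RISK = {
    "ocm_or_authorized": 0.001,
    "trusted_supplier": 0.01,
    "independent_distributor": 0.10,
    "broker_unknown": 0.30,
}


def miss_probability(tests):
    """P(all selected tests miss a counterfeit), assuming independence."""
    p = 1.0
    for t in tests:
        p *= 1.0 - t.p_detect
    return p


def residual_risk(p_counterfeit, tests, consequence):
    """Expected loss that remains after the selected tests are applied."""
    return p_counterfeit * miss_probability(tests) * consequence


def select_tests(source, consequence, tolerance, catalogue=CATALOGUE):
    """Return (cost, test names) for the cheapest qualifying set, or None.

    None means no combination in the catalogue reaches the tolerance: the
    buyer must change the source or the consequence, not just add tests.
    """
    p_cf = SOURCE_RISK[source]
    best = None
    for k in range(len(catalogue) + 1):
        for subset in combinations(catalogue, k):
            if residual_risk(p_cf, subset, consequence) <= tolerance:
                cost = sum(t.cost for t in subset)
                if best is None or cost < best[0]:
                    best = (cost, tuple(t.name for t in subset))
    return best


if __name__ == "__main__":
    # Same part, same consequence, three sources: the source drives the plan.
    for src in ("ocm_or_authorized", "independent_distributor", "broker_unknown"):
        print(src, "->", select_tests(src, consequence=100, tolerance=0.5))
```

Usage note: with a mission-critical consequence the authorized source needs no incoming test at all, the independent distributor needs three non-destructive tests, and the unknown broker cannot be tested down to the tolerance with this catalogue. That last case is the point of the clause's "minimizing risk to the Government" language: the answer is sometimes a different supplier, not a bigger test bill.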

Page 63

System Criteria (3) Proliferation

Processes to abolish counterfeit parts proliferation.

Responsible contractors know they must avoid the “return” of a counterfeit electronic part into the supply chain. Difficulties arise where a contractor deals with brokers/distributors or test labs who have ownership and possession of parts found suspect or counterfeit. Does the “covered contractor” have control over the disposition? Is the “covered contractor” legally responsible?

Where tainted parts are involved, it is even more important to assure retention for examination by Counter-Intelligence and law enforcement. Reporting, however, becomes problematic. Public dissemination of information on tainted parts may work against the national interest.

It is essential to secure by contract authority over the disposition of parts determined to be suspect or counterfeit; under no circumstances should risk be accommodated that such parts may be returned to the supply chain.

Page 64

System Criteria (4) Traceability

Processes for maintaining electronic part traceability (e.g., item unique identification) that enable tracking of the supply chain back to the original manufacturer, whether the electronic parts are supplied as discrete electronic parts or are contained in assemblies. This traceability process shall include certification and traceability documentation developed by manufacturers in accordance with Government and industry standards; clear identification of the name and location of supply chain intermediaries from the manufacturer to the direct source of the product for the seller; and where available, the manufacturer's batch identification for the electronic part(s), such as date codes, lot codes, or serial numbers. If IUID marking is selected as a traceability mechanism, its usage shall comply with the item marking requirements of 252.211-7003, Item Unique Identification and Valuation.

While desirable, achieving traceability to satisfy this criterion will be very difficult for many parts now in inventory. Today, only a limited class of MIL-SPEC (PRF) parts come with end-to-end traceability, and these represent only a modest (if not small) fraction of the universe. Traceability will improve as industry practices evolve. But it is not possible to demonstrate traceability “back to the original manufacturer” for many parts, and it is not cost-effective or practicable to use only parts with full traceability.

AS6081 limits documentation requirements to where traceability exists; customers may accept “as-built” traceability without end-to-end documentation for all components.

A contractor should be found compliant if it seeks all available documentation of pedigree or provenance and considers the extent of documentation when it is necessary to perform a risk-based assessment of a particular source for an electronic part. Absence of traceability is a risk indicator calling for additional inspection and test.

Improving traceability is an important way to reduce supply chain risk both to “fakes” and “taints.” Vulnerability to cyber-physical threats exists along the entire continuum from inception through hardware retirement. But: traceability documentation, itself, can be faked; and traceability often is unavailable for sustainment.

Page 65

System Criteria (5) Use of Suppliers

Use of suppliers that are the original manufacturer, or sources with the express written authority of the original manufacturer or current design activity, including an authorized aftermarket manufacturer or suppliers that obtain parts exclusively from one or more of these sources. When parts are not available from any of these sources, use of suppliers that meet applicable counterfeit detection and avoidance system criteria.

The core principle of both 818 and the DFARS is that the best way to avoid counterfeits is to procure parts from OCMs, other authorized manufacturers or authorized distributors. However, DoD’s contractors must support many legacy systems where required parts are obsolete or no longer available from these trusted sources.

The DFARS is short on guidance on how to qualify additional sources when necessary. Contractors may be informed by Standards and best practices to make prudent, risk informed decisions.

Control of sources of supply is the single-most important measure taken to address risk of both “fakes” and “taints.” Even so, care should be taken to assure supply chain and information security of suppliers as they may be the “weak link” or vulnerable underbelly of the supply chain.

Trusted source requirements protect against tampering or insertion of malicious code – but not completely.

DoD is working on regulations (DFARS Case 2014-D005) to address how covered contractors can be “authorized to identify and use additional trusted suppliers” pursuant to § 817 NDAA 2015.

AS-6081 is a useful tool to facilitate purchaser decisions on qualification of distributors.

Page 66

System Criteria (6) Reporting & Quarantining

Reporting and quarantining of counterfeit electronic parts and suspect counterfeit electronic parts. Reporting is required to the Contracting Officer and to the Government-Industry Data Exchange Program (GIDEP) when the Contractor becomes aware of, or has reason to suspect that, any electronic part or end item, component, part, or assembly containing electronic parts purchased by the DoD, or purchased by a Contractor for delivery to, or on behalf of, the DoD, contains counterfeit electronic parts or suspect counterfeit electronic parts. Counterfeit electronic parts and suspect counterfeit electronic parts shall not be returned to the seller or otherwise returned to the supply chain until such time that the parts are determined to be authentic.

The principle that counterfeit and suspect electronic parts should be quarantined is important to prevent re-entry and to enable appropriate investigation and law enforcement.

Reporting is an acute problem. At all levels of the supply chain, there is aversion to reporting as it is perceived to “taint” the party that reports. Current mechanisms (GIDEP) are less than satisfactory. And there is no clear guidance on reporting. A pending revision to AS-6081 will place the reporting responsibility on the legal owner of the part and requires reporting within 60 days.

Section 818 imposes reporting obligation on any party that becomes “aware” of a counterfeit. The DFARS apply only to “covered contractors” but many others in the supply chain may discover or become aware of a counterfeit part.

Measures should be taken to resolve continuing uncertainty regarding reporting. Coordination with law enforcement and counter-intelligence resources may prove very important to learning from and responding to threats of “tainted” parts.

Page 67

System Criteria (7) Identification

Methodologies to identify suspect counterfeit parts and to rapidly determine if a suspect counterfeit part is, in fact, counterfeit.

DoD is paying increasing attention to the threat of maliciously-encoded or tampered electronic parts. (This is a “cyber-physical” threat.) The DFARS includes “any embedded software or firmware” in the definition of an “electronic part.” This suggests an obligation to validate.

There is no present Standard or commonly available and accepted method to make this determination for most parts. SAE is working, through the G-19A Tampered Subgroup, to create a Test Method to detect embedded malware and hardware Trojans at the electronic piece part level.

New technologies are being promoted to enhance testing of large volumes of parts for physical or cyber-physical discrepancies. Standards will emerge on the qualification and use of such new methods.

The last-minute introduction of “embedded software or firmware” into the DFARS definition was a surprise to many and has prompted considerable and continuing uncertainty. It extends the DFARS into the cyber domain even though not contemplated by § 818.

Page 68

System Criteria (8) Systems to Detect & Avoid

Design, operation, and maintenance of systems to detect and avoid counterfeit electronic parts and suspect counterfeit electronic parts. The Contractor may elect to use current Government- or industry-recognized standards to meet this requirement.

Covered contractors and companies that accept flowdown must develop compliant systems and will be subject to review against the 12 criteria.

The DFARS recognizes but does not specify particular industry Standards. The fit to the new “Higher Level Quality” FAR is uncertain.

The “systems” requirement is imposed across a highly diverse supply chain that produces and supports an enormous breadth of supplies and functions. Many reliable sources decline to accept system elements.

Also unresolved is whether “covered contractors” are responsible to validate the compliance of their subcontractors and if they can rely upon third-party certification of adherence to Standards.

Required system elements focus upon “fakes;” their effectiveness against cyber-physical threats is limited.

Page 69

System Criteria (9) Flowdown

Flowdown of counterfeit detection and avoidance requirements, including applicable system criteria provided herein, to subcontractors at all levels in the supply chain that are responsible for buying or selling electronic parts or assemblies containing electronic parts, or for performing authentication testing.

Flowdown presents serious implementation challenges. Legally, Section 818 and the DFARS apply only to “covered contractors” – about 1,200 companies subject to all of DoD’s CAS. Through flowdown, “covered contractors” are to obtain the same anti-counterfeit assurance (and system compliance) from all sources in their supply chain, including COTS and commercial item sources and small business. There are 23,000 companies that sell to DoD, and tens of thousands more who sell to DoD suppliers.

There are practical and cost limitations. Significant and reliable supply sources may refuse full flowdown, accept only limited flowdown or offer their own measures as surrogates. They will charge more for higher assurance of authenticity. DoD should interpret and apply the flowdown requirement to allow “covered contractors” to use their low-risk, established sources even where those sources decline full flowdown.

Page 70

System Criteria (10) Keeping Informed

Process for keeping continually informed of current counterfeiting information and trends, including detection and avoidance techniques contained in appropriate industry standards, and using such information and techniques for continuously upgrading internal processes.

This is not a particularly difficult requirement, conceptually, but again experience suggests there are practical problems. Until reporting obligations are clarified and GIDEP is improved, it remains difficult for many actors in industry to know when counterfeits have been found and to integrate source- or parts-risk information into their supply chain planning. The absence of effective systems to collect and disseminate information will impair the ability to learn from counterfeit escapes and frustrate the common objective of eliminating counterfeits.

Ultimately, data analytics should figure into industry response to the threat of counterfeits – but the value of such analytics is compromised if relevant information is neither reported nor disseminated.

As concerns the cyber-physical threat, prompt transmission of information about the attack vector (and other attributes) is necessary to defend and recover. Methods to organize and distribute information need improvement.

Page 71

System Criteria (11) Screening GIDEP & Other Reports

Process for screening GIDEP reports and other credible sources of counterfeiting information to avoid the purchase or use of counterfeit electronic parts.

See comments above. GIDEP has not materially improved despite the enactment of 818 and promulgation of the DFARS. Reporting practices are inconsistent and dissemination is limited. Industry needs more than just the ability to “screen” reports that happen to be made to GIDEP or to private sources (such as ERAI).

The value of GIDEP also suffers presently uncertain obligations on “who,” is to report, “what” and “when”, etc.

DoD should promote an automated information exchange that rapidly collects and distributes data on counterfeits. TBD is how to identify and exploit government and private databases (e.g., ERAI), and how to resolve potential inconsistencies in reported info. Ultimately, data analytics should be used to generate and “adjudicate” source risks. Improved standards and methods are needed.

Special and secure methods are needed to distribute information about cyber-physical threats (“taints”).

It is very important to keep informed of reports of counterfeits and to actively seek to scrub both inventory and BOMs to identify reported parts. However, GIDEP has limitations that compromise its utility. GIDEP reports are not validated independently. Membership in GIDEP is limited.
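An added example, not from the presentation, of the screening process that criterion 11 calls for: BOM lines and stock records are checked against counterfeit reports from more than one source (GIDEP and a private source such as ERAI), and matches are flagged for review rather than rejected outright, because the reports are not independently validated. All report data, manufacturers and part numbers below are constructed.

```python
import re

# Constructed sample reports, as they might arrive from GIDEP and from a private
# source such as ERAI. Part numbers, manufacturers and report ids are invented.
REPORTS = [
    {"source": "GIDEP", "id": "GIDEP-CONSTRUCTED-1", "mfr": "AcmeSemi", "part": "AS-1234-TQ", "validated": False},
    {"source": "ERAI", "id": "ERAI-CONSTRUCTED-7", "mfr": "acme semi", "part": "as1234tq", "validated": False},
    {"source": "GIDEP", "id": "GIDEP-CONSTRUCTED-2", "mfr": "AcmeSemi", "part": "AS-1234-TQ", "validated": True},
    {"source": "ERAI", "id": "ERAI-CONSTRUCTED-9", "mfr": "ZetaChips", "part": "ZC77-A", "validated": False},
]
# Constructed BOM lines and stock records: (manufacturer, part number[, quantity]).
BOM = [("AcmeSemi", "AS-1234-TQ"), ("ZetaChips", "ZC-77A"), ("OtherCo", "X1")]
INVENTORY = [("ZetaChips", "ZC77-A", 120), ("OtherCo", "X1", 5)]


def normalize(mfr, part):
    """Collapse case and punctuation so 'AS-1234-TQ' and 'as1234tq' match.
    This is deliberately loose and can over-match, which is why the original
    strings are kept in the output for a human to adjudicate."""
    def clean(s):
        return re.sub(r"[^a-z0-9]", "", s.lower())
    return clean(mfr), clean(part)


def build_index(reports):
    """Group reports by normalized (manufacturer, part) so that one part
    reported by several sources in different formats lands in one bucket."""
    index = {}
    for r in reports:
        index.setdefault(normalize(r["mfr"], r["part"]), []).append(r)
    return index


def screen(items, index):
    """Flag BOM or inventory items that appear in any report. One unconfirmed
    report only triggers a review; corroboration by a second source or a
    validated report escalates to quarantine of the stock or design line."""
    flagged = []
    for mfr, part, *rest in items:
        hits = index.get(normalize(mfr, part), [])
        if not hits:
            continue
        sources = sorted({h["source"] for h in hits})
        confirmed = any(h["validated"] for h in hits)
        flagged.append({
            "mfr": mfr, "part": part, "qty": rest[0] if rest else None,
            "sources": sources, "reports": [h["id"] for h in hits],
            "action": "quarantine" if confirmed or len(sources) > 1 else "review",
        })
    return flagged
```

Running `screen(BOM, build_index(REPORTS))` quarantines the AcmeSemi part (three reports, two sources, one validated) and puts the ZetaChips part under review on the strength of a single unvalidated report.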

Page 72


System Criteria (12) Control of Obsolete Parts

Control of obsolete electronic parts in order to maximize the availability and use of authentic, originally designed, and qualified electronic parts throughout the product’s life cycle.

There are many DoD programs (e.g., PPP, DMSMS) and company initiatives to deal with obsolescence, as matters of design, sustainment, engineering and purchasing practices. The value of this 12th criterion is prospective. It does not help industry deal with the present and very real problem of how to satisfy continuing requirements for parts that already are obsolete or out of production.

A related and unresolved issue is how to treat inventory accumulated before these new rules came in force.

Over the longer term, measures to anticipate and avoid obsolescent parts will reduce supply chain vulnerability to both physical and cyber-physical threats.

DoD places great emphasis on parts obsolescence. Anticipating and answering this problem involves many functions, beginning with design to avoid vulnerability to OOP or obsolete parts and including proactive supply chain actions years in advance of “end of life” situations.

Page 73


CONCLUDING OBSERVATIONS

Page 74


Risk-Based Analysis (818 DFARS)

R = F(T x V x C), where R = Risk, T = Threat, V = Vulnerability, C = Consequence

(DSB Report, Resilient Military Systems and the Advanced Cyber Threat, Jan. 2013, at 6)

• The DFARS focuses largely on supply chain vulnerability rather than on threats or remediation of consequences.

• Key DFARS attributes are narrowing sources and risk-based test and inspection.

• The DFARS will improve DoD’s protection against the “ordinary” counterfeit.

• Different, more rigorous and threat-informed measures will be needed to deal with taints.

• These special methods should focus on mission critical systems and infrastructure.

DFARS focus

Page 75


Changing Focus of Supply Chain Risk Management

• The focus of regulations so far has been on avoidance of counterfeit electronic parts for defense systems

• “818 DFARS” is working to reduce vulnerability to counterfeits

• The federal supply chain also is vulnerable to cyber attack through poorly protected systems and by introduction of maliciously encoded or intentionally defective parts

• The consequences of cyber and cyber-physical attack dwarf those likely from the “normal” counterfeit “escape” (active control pot.)

• Government and industry will focus on protecting the defense and nondefense supply chain against threats

• Risks are present to ICT systems bought and utilized for services

• Needed: proactive strategy rather than reactive responses

Page 76


Protecting the Whole Federal Supply Chain

• National interests in protection against supply chain threats extend beyond DoD and reach supply and service contractors

• Supply chain defense will extend to other federal agencies

– Via the pending E.O. 13656 “8(e)” multi-agency initiative (SP 800-171)

– By industry adoption of improved practices and new standards

• Acquisition methods and contract tools will be used to impose standards and achieve flowdown

• The “ubiquity” and diversity of threats does not distinguish large from small or specialized from commercial sources

• Implementation costs and industry resistance risks necessary separation of commercial sources from the industrial base

Tension between sufficient protection and practicable, affordable implementation.

Page 77


DISCUSSION

Page 78


Robert S. Metzger received his B.A. from Middlebury College and is a graduate of Georgetown University Law Center, where he was an Editor of the Georgetown Law Journal. Before practicing law, he was a Research Fellow at the Center for Science & International Affairs, Harvard Kennedy School of Government (now “Belfer Center”).

Mr. Metzger is the head of the Washington, D.C. office of Rogers Joseph O’Donnell, P.C. A member of the International Institute for Strategic Studies (IISS), he has written on national security topics for International Security and the Journal of Strategic Studies. He is the Vice-Chair of the Software and Supply Chain Assurance Working Group of the IT Alliance for Public Sector (ITAPS), a unit of the Information Technology Industry Council, a leading U.S. trade association. He is recognized by 2015 Chambers USA® at “Band 3” as a top Government Contracts lawyer. He participates on the Defense Science Board Cyber-Supply Chain Working Group.

Rogers Joseph O’Donnell has specialized in public contract matters for 34 years and is highly ranked by leading international authorities such as Chambers USA and The Legal500®. RJO is the only boutique among the top-rated U.S. government contract firms.

SELECTED EXTERNAL PUBLICATIONS (available at http://www.rjo.com/metzger.html)

• “Threats to the Supply Chain: Extending Federal Cybersecurity Safeguards to the Commercial Sector,” Bloomberg BNA, 14 PVLR 1010, June 8, 2015

• “Cybersecurity for the Rest of Us: Protecting Federal Information of Civilian Agencies,” Federal Contracts Report, 103 FCR ___, Mar. 10, 2015

• “DOD's Cybersecurity Initiative - What the Unclassified Controlled Technical Information Rule Informs Public Contractors About the New Minimums in Today's Cyber-Contested Environment,” Federal Contracts Report, 102 FCR 744, Dec. 30, 2014

• “A Standards-Based Way to Avoid Counterfeit Electronic Parts,” Federal Contracts Report, Nov. 4, 2014

• “New Rule Addresses Supply Chain Assurance,” National Defense (NDIA), Oct. 2014

• “Convergence of Counterfeit and Cyber Threats: Understanding New Rules on Supply Chain Risk,” Federal Contracts Report, Feb. 18, 2014

• “Legislating Supply Chain Assurance: Examination of Section 818 of the FY 2012 NDAA,” The Procurement Lawyer, Vol. 47, No. 4, Summer 2012 (with Jeff Chiow)

Presenter: Robert S. Metzger

Disclaimer

The views presented here are those of Mr. Metzger individually and should not be attributed to any client he represents or organization with which he is affiliated.

Page 79


Mr. Chiow represents clients in litigation and government investigations that involve government contracts and he also provides business and compliance counsel. He was named 1 of 4 “Associates to Watch” among all government contracts attorneys by Chambers USA® 2015 and SuperLawyers has twice called him a “Rising Star” among DC government contracts attorneys.

Rogers Joseph O’Donnell, a boutique law firm that has specialized in public contract matters for 34 years, is ranked in “Band 2” by Chambers USA – the only boutique among the nine highest ranked firms. RJO was listed among the top six government contracts firms globally by The Legal 500®. Free from the bureaucratic and economic burdens of a supersize law firm, we can listen to our clients more attentively, think more creatively and act more nimbly.

LEADERSHIP POSITIONS

• Board of Governors of the Court of Federal Claims Bar Association

• Editorial Advisory Board of Law360: Government Contracts

• ABA PCLS Vice-Chair of Acquisition Reform and Emerging Issues – Cybersecurity, Privacy and Data Protection – Battle Space and Contingency Procurements Committees

• Chair-elect of the ABA’s Battle Space and Contingency Procurements Committee

SELECTED SPEAKING EVENTS / PUBLICATIONS (available at http://www.rjo.com/chiow.html)

• Making Sense of Complex Government Contracting Issues, Ralph Nash 2015 Webinar Series, Jan. 29, 2015

• Privacy vs. Security – A Zero sum game?, Presented at 20th Annual Federal Procurement Institute in Annapolis, MD

• 2013 Government Contract Law Decisions of the Federal Circuit, 63 American Univ. Law Rev. 1307 (2014)

• “Legislating Supply Chain Assurance: Examination of Section 818 of the FY 2012 NDAA,” The Procurement Lawyer, Vol. 47, No. 4, Summer 2012 (with Bob Metzger)

Presenter: Jeffery M. Chiow

Disclaimer

The views presented here are those of Mr. Chiow individually and should not be attributed to any client he represents or organization with which he is affiliated.

Particular interests include aerospace and defense (he was a U.S. Marine Corps weapons and sensors officer in the F/A-18D Hornet before becoming a lawyer), bid protests, cybersecurity, technology services contracting, schedule contracting and contingency contracting. Recently, Mr. Chiow has been called upon to assist with the government’s growing demands for information assurance/cybersecurity, cloud computing and the transition of legacy IT systems. He has also focused intently on supply chain assurance and the threat posed by counterfeit parts. He speaks and writes on emerging issues.