A Drive Toward Supply Chain Security Management (SCSM): the Next Step in IT “Quality”
Quality is not just a matter of performance
Supply chain quality management efforts now require a supply chain security management focus and drive. Companies and agencies face daily attacks on their networks, infrastructures, and data. The emphasis needs to shift to the corporate “backdoor”: the loading bays and delivery doors where computer products and end-items enter the building. While China’s Huawei is the current poster child for the potential of nation-state intrusions into our lives, there has been no real progress toward preventing modifications to our electronic devices by other threat actors. Information Technology (IT) Quality must consider the cybersecurity posture of IT equipment as the next needed advance from the Quality as a Service (QaaS) community.
The current term in cybersecurity has been Supply Chain Risk Management (SCRM). SCRM may understate the danger posed by nation-states with the ability to introduce vulnerabilities into our commercial computer electronics. This treatise is designed to bring focus to a subset of SCRM, the protections our quality electronic products demand, under the term Supply Chain Security Management (SCSM). Possible modifications to our electronic devices at the hardware, software, firmware, and coding levels must be actively considered. The costs may initially be prohibitive, but the need to conduct both physical and virtual scans of these device components is growing.
SCSM should begin with reviews of vendors against the Approved Products Lists (APL) of government and vetted private companies. APLs are a good start, but the organization still has its own due diligence to perform. The logistics community must also actively ensure that purchased IT equipment comes from a reputable vendor or distributor; there will be a like need to create APLs of approved distributors as well.
Furthermore, companies and agencies should require open access ports on all devices so that security scans can be administered. These scans should search the local storage device and the firmware for malware, backdoors, and any other malicious code. Another often missed component of SCSM is ensuring that an established software patching process exists. Software patching is not just a matter of repairing functionality problems; it delivers the latest security updates for the devices.
Finally, SCSM needs to be part of the system developer’s logistics and security processes. Companies building or updating IT systems must adopt a security mindset from the point at which an item arrives at the delivery bay. The logistics team should be part of the process, ensuring that electronic end-items are not just functional but free from tampering, counterfeiting, and similar defects, so that end-users receive the highest quality. Security is not the opposite of, or in conflict with, the sought operational capabilities; it is a supportive and reinforcing capability that ensures only the highest quality for every consumer in the supply chain.
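The three steps above (vendor and distributor against an APL, a firmware integrity scan at the dock, and a minimum patch level) can be turned into a single receiving-dock check. The script below is an added illustration written for this page, not a tool from the author or any vendor; the APL entries, the approved distributor, the vendor manifest, and the firmware images are all constructed so it runs offline. In practice the manifest digests come from the vendor over an authenticated channel and the image is read from the device itself.

```python
"""Receiving-dock SCSM inspection of delivered devices (constructed example)."""
import hashlib
from dataclasses import dataclass, field

# --- Constructed reference data; hypothetical vendor, model and distributor ---

# Approved Products List: (vendor, model) -> minimum acceptable firmware version.
APL = {("ExampleVendor", "SW-2400"): "2.4.1"}

# The logistics-side list: distributors the organization has vetted.
APPROVED_DISTRIBUTORS = {"ExampleDistributor Inc."}

# Constructed firmware images standing in for what is read off a device.
GOOD_IMAGE = b"EXAMPLE FIRMWARE v2.4.1 " + bytes(range(256))
OLD_IMAGE = b"EXAMPLE FIRMWARE v2.3.0 " + bytes(range(256))
TAMPERED_IMAGE = GOOD_IMAGE[:-1] + b"\x00"  # a single altered byte

# Vendor-published manifest: version -> SHA-256 of the genuine image.
# Derived from the constructed images here so the example is self-contained.
FIRMWARE_MANIFEST = {
    "2.4.1": hashlib.sha256(GOOD_IMAGE).hexdigest(),
    "2.3.0": hashlib.sha256(OLD_IMAGE).hexdigest(),
}


@dataclass
class DeliveredDevice:
    vendor: str
    model: str
    distributor: str
    serial: str
    firmware_version: str
    firmware_image: bytes


@dataclass
class InspectionResult:
    serial: str
    accepted: bool
    findings: list = field(default_factory=list)


def parse_version(version: str) -> tuple:
    """'2.4.1' -> (2, 4, 1). Non-numeric parts sort lowest so they never pass."""
    return tuple(int(p) if p.isdigit() else -1 for p in version.split("."))


def inspect_device(device: DeliveredDevice, seen_serials: set) -> InspectionResult:
    """Apply the APL, distributor, counterfeit, integrity and patch-level checks."""
    findings = []
    key = (device.vendor, device.model)

    if key not in APL:
        findings.append("vendor/model not on Approved Products List")
    if device.distributor not in APPROVED_DISTRIBUTORS:
        findings.append("distributor not on approved distributor list")

    # A serial that has already been received is a classic counterfeit indicator.
    if device.serial in seen_serials:
        findings.append("serial number already received (possible counterfeit or duplicate)")
    seen_serials.add(device.serial)

    # Firmware integrity: the image on the device must hash to the vendor's value.
    expected = FIRMWARE_MANIFEST.get(device.firmware_version)
    if expected is None:
        findings.append(f"firmware version {device.firmware_version} not in vendor manifest")
    else:
        actual = hashlib.sha256(device.firmware_image).hexdigest()
        if actual != expected:
            findings.append("firmware SHA-256 does not match vendor manifest")

    # Patch level: genuine but stale firmware is still rejected at the dock.
    if key in APL:
        minimum = APL[key]
        if parse_version(device.firmware_version) < parse_version(minimum):
            findings.append(
                f"firmware {device.firmware_version} is below minimum patch level {minimum}"
            )

    return InspectionResult(device.serial, not findings, findings)


def inspect_shipment(devices: list) -> list:
    """Inspect every device in a shipment, tracking serials across the whole lot."""
    seen: set = set()
    return [inspect_device(d, seen) for d in devices]


if __name__ == "__main__":
    shipment = [
        DeliveredDevice("ExampleVendor", "SW-2400", "ExampleDistributor Inc.",
                        "SN-0001", "2.4.1", GOOD_IMAGE),
        DeliveredDevice("ExampleVendor", "SW-2400", "ExampleDistributor Inc.",
                        "SN-0002", "2.4.1", TAMPERED_IMAGE),
    ]
    for result in inspect_shipment(shipment):
        print(result.serial, "ACCEPT" if result.accepted else "REJECT", result.findings)
```

The check runs before the device is ever powered up on the corporate network, which is the point of moving the emphasis to the loading bay: a tampered image, a duplicate serial, or a grey-market distributor is caught by logistics rather than discovered later by the SOC.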
Dr. Russo is currently the Senior Data Scientist with Cybersenetinel AI in Washington, DC. He is a former Senior Information Security Engineer within the Department of Defense’s (DOD) F-35 Joint Strike Fighter program. He has an extensive background in cybersecurity and is an expert in the Risk Management Framework (RMF) and DOD Instruction 8510, which implements RMF throughout the DOD and the federal government. He holds the Certified Information Systems Security Professional (CISSP) certification and its Information Systems Security Architecture Professional (ISSAP) concentration. He has a 2017 Chief Information Security Officer (CISO) certification from the National Defense University, Washington, DC. Dr. Russo retired from the US Army Reserve in 2012 as a Senior Intelligence Officer.