While the future of the Defense Department’s Cybersecurity Maturity Model Certification (CMMC) initiative is in “wait and see” mode, the Pentagon is far from standing still when it comes to protecting its supply chain.
Publicly, the DoD announced a new Supply Chain Resilience Working Group on September 3, “to remove systemic barriers that currently limit supply chain visibility, conduct resilience assessments and expand effective mitigation measures.”
And privately, Federal News Network has learned that the DoD is asking vendors for feedback on how to establish a new blanket purchase agreement (BPA) for sharing supply chain data and information.
At the end of July, the DoD’s Office of Acquisition and Sustainment sent out a request for information seeking comment on how best to “provide DoD and affiliated federal agencies with insight into technology related to the critical defense industrial base (DIB) and other industry supplier networks (private and public companies) as well as single network insights into affiliates and staff deemed essential to the federal government on an ongoing basis. Data should be collected on suppliers, their capabilities, financial and operational health, among other factors deemed relevant by the federal government.”
Industry sources say the DoD is collecting recommendations from various defense agencies and military services, including the Defense Contract Management Agency, the Defense Counterintelligence and Security Agency, various intelligence officers from military departments and agencies, and others on what they would like in a BPA vehicle.
“These would be suppliers and vendors pre-vetted around supply chain risk data. Part of the deliverables from these commercial vendors will be artifacts that can be collected once and shared across the military,” the industry source said. “The goal is to make sure the Army, Navy, Air Force, and defense agencies don’t pay for the same thing over and over again.”
Eight sectors under study
The RFI seeks general information in eight different industries, including pharmaceuticals, aerospace and defense, semiconductors, biotechnology and others.
DoD wants the information to live in the cloud and to have an artificial intelligence and machine learning tool analyze the risks of around 100,000 companies, including the Fortune 1000.
DoD wants all of this data to be in “a commercial due diligence software platform for automated supplier verification, supply chain supplier verification, and affiliate verification to continuously inform dynamic supplier health. The software must be immediately deployable, ready to immediately run industrial health assessments and supplier verification during price execution, for use by the company in verifying suppliers, associated personnel and supplier networks associated with companies that will provide services, supplies, goods, and materials under this authority. The software should compile, process and display relevant information based on preconfigured risk events relevant to the supply chain risk management (SCRM) use case. All returned content must have its provenance and date/time captured and fully verifiable.”
Specifically, among the capabilities the Pentagon wants the platform to provide is the ability to:
- Identify all companies with Foreign Ownership, Control and Influence (FOCI) issues, including conflicting finance risk indicators, and be able to continuously monitor foreign personnel to inform FOCI risk.
- Continuously monitor supply or production shortages within the supply chain.
- Automatically report and compile in one report industrial health risks and derogatory issues on businesses and individuals, including but not limited to criminal proceedings, civil offenses, and reputation/brand issues.
- Continuously monitor businesses and associated entities and individuals for industrial health risks or overriding flags impacting reliability and eligibility for continuous access to government information, up to a daily basis.
Christine Michienzi, technology director for the Deputy Assistant Secretary of Defense (DASD) for Industrial Policy at the Defense Department, said the need for an enterprise view of risk and supply chain resilience across Defense procurement was one of the reasons for establishing the new working group.
“The services have their efforts. [The Office of the Secretary of Defense] has its efforts. But there has to be this collaborative and coordinated response,” Michienzi said at the recent Intelligence and National Security Summit sponsored by AFCEA and the Intelligence and National Security Alliance. “The Supply Chain Resilience Working Group is going to look at things like how do you get more visibility into the supply chain? How can we better identify risks and problems before they arise? How do we be proactive? How do we put in place remedies? And so this activity continues for the next two years. And tools and data are going to be at the center of this activity.”
Recommendation of the Supply Chain Working Group
This RFI and this potential blanket purchase agreement attempt to address what Michienzi has said is the big problem for the DoD – a lack of visibility throughout the supply chain.
The BPA is likely an outgrowth of the DoD Supply Chain Working Group’s recommendation.
“From a DoD perspective, we need to understand the interdependencies because a certain company may know who is in their supply chain, but they don’t understand what other companies, what other systems are using that same supply chain as well, and are more vulnerable than they think,” she said. “At the DoD level, at the Secretary of Defense office level, we have this visibility into all the systems that use all of these vendors, if we could just push the data down to the lower levels of the supply chain. So we’re starting with some of these illumination tools that use AI. These are a good place to start, but they are not the end of everything. This information must be verified and validated there. And then we have to understand, okay, what are their capabilities? What are their problems? Are they in good financial health? What capability and capacity do they have, et cetera, before we can do a full risk assessment? So we are definitely working towards this goal.”