Fri, Mar 29, 2019

Third-Party Due Diligence Program to Strengthen U.S. A&D Supply Chains

Aerospace and defense supply chain security: the emerging “fourth pillar” of defense acquisition.

In mid-2018, the Pentagon announced a potential major change in the way it would award future aerospace and defense (A&D) contracts, elevating the role of supply chain security in future acquisition decisions.1 This new acquisition policy would require A&D companies to demonstrate the integrity of their supply chains as a prerequisite to winning a new defense contract. As a senior U.S. intelligence official recently testified to Congress, “It is no longer sufficient to only consider cost, schedule and performance when acquiring defense capabilities. We must establish security as a fourth pillar in defense acquisition and, also, create incentives for industry to embrace security, not as a cost burden, but as a major factor in their competitiveness for U.S. government business.”2

“We must establish security as a fourth pillar in defense acquisition and, also, create incentives for industry to embrace security, not as a cost burden, but as a major factor in their competitiveness for U.S. government business.”

Anthony Schinella, national intelligence officer for military issues at the Office of the Director of National Intelligence, Testimony to House Armed Services Committee, June 21, 2018. 

Although details about how the U.S. government could use its purchasing and regulatory power to encourage A&D companies to address supply chain security concerns are sparse, a recently published Department of Defense-sponsored report provides additional insights.3 This report identifies four levers available to government acquisition officers: 

  • Define requirements to incorporate new security measures; 

  • Reward superior security measures in the source selection process;

  • Include contract terms that impose security obligations; and

  • Use contractual oversight to monitor progress. 

While not yet codified into law or policy, it is likely that this concept will eventually take root, especially in light of recurring U.S. government concerns about the security of its A&D supply chains. 

“A global industrial base means increased supply chain risk associated with foreign provision, including counterfeits, lack of traceability, and insufficient quality controls throughout supply tiers.”

Interagency Task Force in Fulfillment of Executive Order 13806, Assessing and Strengthening the Manufacturing and Defense Industrial Base and Supply Chain Resiliency of the United States, September 2018, p. 29.

Nexus of National Security Concerns about A&D Supply Chains: Third Parties

A key source of concern with A&D supply chain security stems from the widespread presence of third-party relationships within the industry. Five third party-related challenges stand out:

  • Large, complex and often opaque supply chains.
    A&D supply chains are notoriously large and complex, comprising hundreds or even thousands of third parties in a multi-tiered web of relationships.4, 5 As a result, transparency across an entire supply chain is difficult if not impossible.

  • Reliance on overseas suppliers.
    As a Department of Defense-led interagency report on the defense industrial base notes, “A global industrial base means increased supply chain risk associated with foreign provision, including counterfeits, lack of traceability and insufficient quality controls throughout supply tiers.”7

  • Sourcing from potentially hostile countries.
    There is a growing concern about sourcing from third parties located in or controlled by a competitor nation since hostile state actors could use downstream entities as a vector to harm U.S. national security interests.8, 9 A frequently cited jurisdiction is China.10, 11 Russian-owned or controlled firms are also of concern, as evidenced by the U.S. government procurement ban on Russian-owned software company Kaspersky Labs.12

  • Vulnerability of information and communication technology (ICT) supply chains.
    Although ICT systems are critical for the U.S. military, these systems’ reliance on overseas manufacturers and suppliers also presents a weakness. Adversaries could potentially leverage upstream manufacturers and suppliers to introduce malware, gain possible backdoor access for espionage means, or reduce capabilities by compromising ICT system integrity.13

  • Susceptibility of downstream partners to a cybersecurity breach.
    As my Kroll colleagues recently noted, “many of the high-profile cybersecurity breaches of the last several years share a common, disturbing thread: the result not of a direct attack on the targeted organization, but instead due to exposures arising from vendors and other trusted third parties.”14 This threat of a cybersecurity breach via a third party increases for the A&D industry, given that the IT systems of the Department of Defense and its largest contractors are sufficiently hardened, pushing the threats upstream to smaller vendors with fewer resources.15

“Many of the high-profile cybersecurity breaches of the last several years share a common, disturbing thread: The breach was not the result of a direct attack on the targeted organization, but instead due to exposures arising from vendors and other trusted third parties.”

Anju S. Chopra, Brian Lapidus and Keith Wojcieszek, “Scaling Cyber Supply Chain Risk Management with Dark Web Monitoring,” Kroll, Oct 1, 2018

Implementing a national security-informed third-party due diligence program

While due diligence screening is traditionally used to minimize exposure to business risk stemming from third parties, it can be modified to accommodate national security concerns. At a minimum, A&D companies should consider the following when developing and implementing a national security-informed due diligence program:

  • Develop tiered levels of risk based upon objective national security concerns.
    Not all third parties are of concern. It is key to identify what factors pose a security threat to your A&D supply chain.
    Risk factors might include Chinese- or Russian-based or -owned companies, manufacturers or suppliers of ICT components or sensitive weapons systems, and known affiliations with state-owned or state-directed entities (hostile or otherwise) – especially national security organizations. 
  • Assign appropriate levels of due diligence to each risk category.
    Prioritize your company’s limited resources on those third parties that are of highest risk. High-risk third parties should be subject to enhanced due diligence while low-risk ones can simply undergo an initial screening, escalating to higher levels of investigation only when issues of concern are identified.
  • Leverage technology to efficiently conduct your due diligence.
    To successfully manage the screening of a typical large A&D third-party network, you need a technology-driven third-party management system. Using such a system ensures that all your diverse third parties are vetted consistently in case of an audit. The more automated the process is, the less chance of human error. Finally, use of a centralized system helps prevent inadvertent dissemination of proprietary or controlled information.
  • Identify beneficial ownership of high-risk third parties.
    Increased transparency of beneficial ownership minimizes opportunities for hostile actors to undermine the integrity of your A&D supply chain. Develop criteria for when to identify the beneficial ownership of a third party, and consider whether the identified owners themselves warrant additional due diligence.
  • Set national security due diligence as a flow down requirement.
    While you cannot be expected to investigate all third parties along the entire supply chain, requiring your partners to also prioritize safeguarding their supply chains will help ensure the integrity of the overall supply chain. 
  • Implement a cyber supply chain risk management program. 
    Take a holistic approach comprising three components to vet the cyber security of your third parties:
    • Review a potential third party’s cyber security processes and policies to assess its cyber security culture; 
    • Conduct vulnerability scans and penetration tests to assess their systems’ strengths and weaknesses; and
    • Incorporate dark web monitoring to detect unauthorized spreading of your company’s sensitive data from a vendor’s systems.16
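To make the tiering, screening-level and beneficial-ownership steps above concrete, here is an added Python example (not code from the article or from Kroll) that resolves ultimate beneficial owners through chains of holding companies, derives the article's objective risk factors for a third party, and maps them to an initial or enhanced level of due diligence, escalating a low-risk party only when its initial screen surfaces issues. The 25% ownership threshold, the `Entity` record layout and every name in the registry are constructed assumptions for illustration.

```python
from dataclasses import dataclass, field
HIGH_RISK_JURISDICTIONS = {"CN", "RU"}  # jurisdictions the article names as concerns
UBO_THRESHOLD = 0.25                     # assumed: effective share at which an owner is "beneficial"
@dataclass
class Entity:
    name: str
    country: str
    state_owned: bool = False
    supplies_ict: bool = False
    owners: dict = field(default_factory=dict)  # owner name -> fraction of this entity held

def beneficial_owners(registry, name, share=1.0, path=()):
    """Return {ultimate owner: effective share}; shares multiply through holding companies."""
    if name in path:                   # circular holding: contributes nothing
        return {}
    ent = registry.get(name)
    if ent is None or not ent.owners:  # unknown party, or an ultimate owner
        return {name: share}
    result = {}
    for owner, frac in ent.owners.items():
        for ubo, eff in beneficial_owners(registry, owner, share * frac, path + (name,)).items():
            result[ubo] = result.get(ubo, 0.0) + eff
    return result
def risk_factors(registry, name):
    """Objective national-security risk factors for one third party (the article's criteria)."""
    ent, factors = registry[name], []
    if ent.country in HIGH_RISK_JURISDICTIONS:
        factors.append(f"based in {ent.country}")
    if ent.supplies_ict:
        factors.append("supplies ICT components")
    for ubo, eff in beneficial_owners(registry, name).items():
        if eff < UBO_THRESHOLD:
            continue
        owner = registry.get(ubo)
        if owner is None:              # ownership could not be resolved: itself a concern
            factors.append(f"{eff:.0%} held by unidentified owner {ubo}")
        elif owner.state_owned or owner.country in HIGH_RISK_JURISDICTIONS:
            tag = ", state-owned" if owner.state_owned else ""
            factors.append(f"{eff:.0%} held by {ubo} ({owner.country}{tag})")
    return factors

def screening_level(registry, name, issues_found=False):
    # High risk -> enhanced due diligence; low risk -> initial screen, escalated only on issues.
    return "enhanced" if risk_factors(registry, name) or issues_found else "initial"
REGISTRY = {e.name: e for e in [   # constructed sample; illustrative names, not real companies
    Entity("Acme Precision Parts", "US", owners={"Holdco A": 0.6, "Founder": 0.4}),
    Entity("Holdco A", "NL", owners={"State Electronics Group": 0.5, "Pension Fund": 0.5}),
    Entity("State Electronics Group", "CN", state_owned=True), Entity("Pension Fund", "US"),
    Entity("Founder", "US"), Entity("Local Fasteners", "US", owners={"Founder": 1.0}),
]}
```

In the sample, the U.S.-based parts supplier is only 60% held by a Dutch holding company, yet resolving that chain shows a 30% effective stake by a state-owned entity in a high-risk jurisdiction, which is exactly the kind of exposure a surface-level check of the supplier's own country would miss.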

Conclusion

It is increasingly likely that future defense contracts will elevate security to a new fourth pillar of acquisition alongside current requirements of cost, schedule and performance. To remain competitive, A&D companies will need to demonstrate to U.S. government procurement staff that they have undertaken steps to ensure the integrity of their supply chains. One such method is to implement a due diligence program informed by national security priorities. While doing so won’t solve all the security challenges confronting the industry, it will help to reduce some concerns stemming from its third-party partnerships.


Sources:  
1 Ellen Nakashima, “Pentagon is rethinking its multibillion-dollar relationship with U.S. defense contractors to boost supply chain security,” Washington Post, August 13, 2018.
2 Federal News Network, “Contractors look for clues to new security proposal in appropriations bills,” August 29, 2018. 
3 Chris Nissen, et al., Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War, MITRE, August 2018, p. iii.
4 https://www.dhs.gov/cisa/defense-industrial-base-sector 
5 https://www.gao.gov/assets/700/693082.pdf 
6 Justin Lynch, “Pentagon moves to secure supply chain from foreign hackers,” Fifth Domain, Oct 21, 2018.
7 Interagency Task Force in Fulfillment of Executive Order 13806, Assessing and Strengthening the Manufacturing and Defense Industrial Base and Supply Chain Resiliency of the United States, U.S. Department of Defense, September 2018, p. 29.
8 Interagency Task Force in Fulfillment of Executive Order 13806, Assessing and Strengthening the Manufacturing and Defense Industrial Base and Supply Chain Resiliency of the United States, U.S. Department of Defense, September 2018, p. 8.
9 Chris Nissen, et al., Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War, MITRE, August 2018, p. 7.
10 See, for example, Interagency Task Force in Fulfillment of Executive Order 13806, Assessing and Strengthening the Manufacturing and Defense Industrial Base and Supply Chain Resiliency of the United States, U.S. Department of Defense, September 2018; and U.S.-China Economic and Security Review Commission, 2018 Report to Congress, 115th Congress, 2nd Session, November 2018, pp. 20 and 21.
11 Doug Cameron, “Pentagon to Audit Defense Supply Chains,” Wall Street Journal, October 5, 2018.
12 Joseph Marks, “Pentagon to Scrub Kaspersky From Defense Systems Following DHS Ban,” Nextgov, October 27, 2017, https://www.nextgov.com/cybersecurity/2017/10/pentagon-scrub-kaspersky-defense-systems-following-dhs-ban/141978/
13 Tara Beeny, Supply Chain Vulnerabilities from China in U.S. Federal Information and Communications Technology, Interos Solutions, Inc., April 2018, p. v; and Chris Nissen, et al., Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War, MITRE, August 2018, pp. 7-8.
14 Anju S. Chopra, Brian Lapidus, and Keith Wojcieszek, “Scaling Cyber Supply Chain Risk Management with Dark Web Monitoring,” Kroll, Oct 1, 2018, https://www.kroll.com/en/insights/publications/scaling-cyber-supply-chain-risk-management
15 Lisa Lambert, “Chinese hackers targeting U.S. Navy contractors with multiple breaches: WSJ,” Reuters, December 14, 2018, https://www.reuters.com/article/us-usa-cyber-china-navy/chinese-hackers-targeting-u-s-navy-contractors-with-multiple-breaches-wsj-idUSKBN1OD1V6
16 For more on dark web monitoring, see my colleagues’ recent white paper: Anju S. Chopra, Brian Lapidus, and Keith Wojcieszek, “Scaling Cyber Supply Chain Risk Management with Dark Web Monitoring,” Kroll, Oct 1, 2018, https://www.kroll.com/en/insights/publications/scaling-cyber-supply-chain-risk-management.
