Sign up to save your podcasts
Or
Share Randall Brooks, "Adding a Software Assurance Dimension to Supply Chain Practices"
Share to email
Share to Facebook
Share to X
Share to email
Share to Facebook
Share to X
Or
Randall Brooks, "Adding a Software Assurance Dimension to Supply Chain Practices"
There is a long history of supply chain management, from which many related policies, practices, processes, and enabling artifacts have been developed and employed by those business enterprises that acquire hardware and software components from a third party. Traditionally, Supply Chain Risk Management (SCRM) has been the focal point of supply chain practices and has focused on business and contractual issues, although recent efforts have increasingly included engineering expertise for product quality evaluations. This presentation advocates the introduction of a security assurance dimension to the SCRM process. It does not, however, propose the addition of an independent, parallel track of SCRM process for security assurance evaluation, but rather practical steps for augmenting those SCRM processes that already exist. Just as is the case in legacy SCRM, the cyber dimension of SCRM is based on assessing and balancing risk vs. cost. The goal is to minimize the added costs associated with improved information assurance by efficiently incorporating relevant practices industry, government, and academia to provide a security assurance dimension into the supply chain process. SCRM-relevant industry and government practices will be presented in this paper in such a way that supply chain staff can easily make use of them, even without a background in information security. Also, it will be clearly noted when subcontract management, information assurance engineering, or other business or technical expertise may be needed to complement traditional supply chain activities in the pursuit of cyber-based SCRM. Points of discussion common to both hardware and to software component acquisition will include: 1. Acquirer business risk 2. End customer mission criticality and mission assurance 3. Subcontract management 4. Supplier secure development assessment 5. Supplier management practices for their suppliers 6. Supplier business assessment 7. Product assessment Points of discussion peculiar to hardware component acquisition will include: 1. Quality vs. counterfeiting vs. malicious alteration 2. ASICS, FPGAs, and microprocessors 3. Information storage in volatile memory 4. Information storage in non-volatile memory and permanent disk storage Points of discussion peculiar to software component acquisition will include: 1. COTS, contracted software, open source, and freeware 2. Software pedigree and provenance 3. License management of open source
View all episodes
By CERIAS <[email protected]>
4.1
77 ratings
There is a long history of supply chain management, from which many related policies, practices, processes, and enabling artifacts have been developed and employed by those business enterprises that acquire hardware and software components from a third party. Traditionally, Supply Chain Risk Management (SCRM) has been the focal point of supply chain practices and has focused on business and contractual issues, although recent efforts have increasingly included engineering expertise for product quality evaluations. This presentation advocates the introduction of a security assurance dimension to the SCRM process. It does not, however, propose the addition of an independent, parallel track of SCRM process for security assurance evaluation, but rather practical steps for augmenting those SCRM processes that already exist. Just as is the case in legacy SCRM, the cyber dimension of SCRM is based on assessing and balancing risk vs. cost. The goal is to minimize the added costs associated with improved information assurance by efficiently incorporating relevant practices industry, government, and academia to provide a security assurance dimension into the supply chain process. SCRM-relevant industry and government practices will be presented in this paper in such a way that supply chain staff can easily make use of them, even without a background in information security. Also, it will be clearly noted when subcontract management, information assurance engineering, or other business or technical expertise may be needed to complement traditional supply chain activities in the pursuit of cyber-based SCRM. Points of discussion common to both hardware and to software component acquisition will include: 1. Acquirer business risk 2. End customer mission criticality and mission assurance 3. Subcontract management 4. Supplier secure development assessment 5. Supplier management practices for their suppliers 6. Supplier business assessment 7. Product assessment Points of discussion peculiar to hardware component acquisition will include: 1. Quality vs. counterfeiting vs. malicious alteration 2. ASICS, FPGAs, and microprocessors 3. Information storage in volatile memory 4. Information storage in non-volatile memory and permanent disk storage Points of discussion peculiar to software component acquisition will include: 1. COTS, contracted software, open source, and freeware 2. Software pedigree and provenance 3. License management of open source