A self-assessment is the first step in understanding where potential threats may come from.
With the federal government shutdown over—at least for the moment—there is a lot of conversation about the fallout from the shutdown, what didn’t get done and what it will take to recover. Much of that exchange has been around what threats to security the shutdown posed, and what risks were heightened during those 35 days and beyond. One silver lining to the shutdown is that it may serve as a forcing function for a closer examination of organizational operating practices with an eye toward building resilience.
One critical threat to the resilience of any organization is the security of its supply chain. In 2018, President Trump signed a law that effectively banned the use of Chinese-made technology by the federal government, and it is reported that he is considering a more robust ban against these products. This is one approach to threat management, but an earlier ban on Russia-based Kaspersky Labs anti-virus software has been costly and difficult to implement.
So how should federal agencies address potential threats posed by foreign-made products and services and secure their overall supply chain? There are three types of assessments that any government agency or organization can perform to reduce threats and improve its supply chain security. These self, supplier and product assessments examine all levels of an organization and its supply chains, prioritizing threats and improving security.
A self-assessment is the first step in understanding where potential threats may come from. Across federal agencies, hundreds of thousands of contracts supply goods and services that make the government and military function. The sheer volume of contracts can be daunting, but a good self-assessment starts with understanding where vulnerabilities lie, and which components are the most critical. By breaking down the importance of products and suppliers, it is easier to prioritize which suppliers for these mission-critical items should be the ones that are routinely audited or subjected to greater scrutiny. During the self-assessment process, agencies should ensure that they have auditing processes in place to examine their suppliers, develop an approved-supplier list for sensitive products and services and see if the agency can have some kind of oversight into specific suppliers.
It is also important during the self-assessment process to ensure that the supply chain security team and the procurement teams are working closely with one another. Procurement’s role is to look at quality and cost, but supply chain security analysts have the important job of identifying potential issues and threats to an agency’s mission. The supply chain team must be empowered to stop a contract and cease business with a supplier if they find evidence of counterfeit, compromised or suspect goods and services.
Once a self-assessment is complete, the next step is to audit the most mission-critical suppliers and arrange for audits of their other suppliers where possible. An important component of supplier audits is to examine what processes the suppliers themselves have in place for ensuring that their supply chains are secure, and building these obligations into contracts. Communication is key and there must be processes in place for suppliers to flag potential threats, counterfeit and compromised goods to their customers even if the issue occurs several tiers down in the supply chain.
Finally, agencies should do an inspection of mission-critical products they use. In an ideal world, these products would be built with supply chain security accounted for in the development process. If it is an existing product, before a new contract is started, agencies must thoroughly vet their suppliers and have a solid understanding of the origins of the most critical components within the products that they use. Agencies should also do regular spot-checks where a representative sample of the products supplied is thoroughly checked to ensure quality, security and conformance to the contracted requirements.
While there may be few suppliers of some products, redundancies are important to ensuring a secure supply chain. If an issue is found with one product or with a certain supplier, there should be a backup option that an agency can switch to. This has the advantage of giving an agency leverage over its suppliers and, not surprisingly, most suppliers are willing to work closely and transparently with their clients to examine supply chains. If this is not possible, the agency should examine the exposure that a particular supplier poses, consider its leverage with that supplier, and attempt to get the supplier to change its processes for its own supply chains.
Globalization has stretched supply chains and made them increasingly complex, but a smaller supply chain will not solve the supply chain security threats faced by federal agencies, including the Defense Department. Recent events with China and Russia have been a wake-up call to government procurement offices and reinforce the need for proper supply chain security processes. With proper supply chain security, we can be best prepared to safely take advantage of the global market and international supply chains that have tremendous advantages: providing top-quality, on-demand and cost-effective products. Having good supply chain hygiene and security is attainable for the federal government and will improve the overall contracting process.
Tony Pelli is a supply chain risk consultant for Supply Chain Services and Solutions at BSI.