Air Force researching industry tools for detecting malicious additions to commercial IT


A military increasingly concerned over the provenance of its information technologies is canvassing industry for tools that detect malicious additions to commercial products made surreptitiously during the production process.

The Air Force Cryptologic Systems Group, based at Lackland Air Force Base, Texas, met with industry representatives August 17 after previously soliciting information on how to spot supply chain insertions into software, firmware and hardware, as well as on means for reducing the likelihood of successful insertions. The group is developing plans for an Air Force "supply chain risk management center of excellence" and has yet to issue a request for proposals for any detection tools.

The Air Force says it's working under the aegis of the Comprehensive National Cybersecurity Initiative, which calls for a "multi-pronged approach" for reducing global supply chain risk management.

The Defense Department has already convinced the Senate Armed Services Committee that it should have authority to establish standards for private sector supply chain management and the ability to exclude companies from certain procurements if they fail to adhere to those standards.

SASC included language allowing the DoD to do so in its version of the Defense fiscal 2011 authorization bill; the Senate is currently in summer recess and is not due to reconvene until September 13. The full Senate has yet to vote on the authorization bill, which the committee approved June 4. The House of Representatives approved its version May 28.

The committee's language has come under sharp criticism from industry groups, not so much because of supply chain standards, but because exclusion from a procurement would become public knowledge under the current SASC provision. Public disclosure "would be tantamount to a de facto debarment without any due process for the affected firm," states a coalition of industry groups known as the Acquisition Reform Working Group, which submitted written comments to Congress earlier this summer. Among ARWG members are TechAmerica and the Professional Services Council.

However, industry, SASC and the Defense Department are said by sources to be working on a compromise that would make exclusion possible only at the subcontractor level, which would also have the effect of making exclusion not public.

The issue of foreign provenance became front-page news when in 2006 Rep. Frank Wolf (R-Va.) decried a State Department purchase of Lenovo laptops about a year after IBM sold its personal computer division to the Chinese-based company; the Chinese government owns a 27 percent stake in Lenovo, making it the largest stakeholder. In response to Wolf, the State Department agreed not to connect to sensitive networks the 16,000 Lenovo laptops it bought, despite the fact that they were manufactured in North Carolina and Mexico.

For more:
- see the FBO Air Force Cryptologic Systems Group RFI and the notice of the August 17 meeting (.doc)
- read the Comprehensive National Cybersecurity Initiative
- download comments on the House and SASC-approved defense authorization bills for fiscal 2011 (.pdf)
