IT supply chain central to new DoD instruction
Defense Department Chief Information Officer Teri Takai must coordinate with department components to ensure trusted systems and networks, or TSN, concepts are properly implemented, according to DoD instruction (.pdf) issued Nov. 5. This requires integrating the identification and protection of mission-critical functions and components into system engineering, acquisition, logistics and materiel readiness policies, says the document.
Among the directions laid out in the policy is the instruction that DoD components "detect the occurrence of, reduce the likelihood of, and mitigate the consequences of unknowingly using products containing counterfeit components or malicious functions."
As part of this supply-chain risk management effort, DoD plans to employ new assurance tools and techniques for ensuring software and hardware are free from exploitable vulnerabilities and malicious intent, says the instruction. These concepts should also be included in solicitation and contract language, says the DoD.
With assistance from the Defense Intelligence Agency, Takai is also to develop a strategy for managing risk in the supply chain for integrated circuit-related products and services. This strategy should flag for suppliers what must be specifically created or modified for DoD use, says the instruction.
In a March 27 prepared statement (.pdf) for the House Energy and Commerce subcommittee on oversight and investigations, DoD CIO for trusted mission systems and networks Mitchell Komaroff said the department was piloting concepts outlined in the then-forthcoming instruction.
He said institutionalizing the concepts laid out in DoDI 5200.44 requires that "risks to critical functions and components of mission-critical systems be protected across the entire system lifecycle." He said the policy "will enable full operating capability for [supply-chain risk management, or SCRM,] across the Department."
Komaroff also said the instruction was crafted with input from several agencies and departments outside of DoD, including the National Institute of Standards and Technology. The DoD instruction complements NIST's Interagency Report 7622 (.pdf), which was recently released in a final version, said Komaroff.
- download the DoD Instruction Number 5200.44 (.pdf)