Developing a Cyber Supply Chain Assurance Reference Model
A Research Collaboration Between SAIC & The R.H. Smith School of Business, University of Maryland
Presenters: Dr. Sandor Boyson & Mr. Hart Rossman
April 2, 2009
Robert H. Smith School of Business University of Maryland and SAIC
Project Overview
It is a national security imperative in a global economy that we have confidence in the supply chains of integrated systems and in the integrity of the people, processes and technology that comprise them.
The Supply Chain Management Center of the Robert H. Smith School of Business, University of Maryland College Park, is undertaking collaborative research with SAIC to develop a supply chain assurance reference model for cyber infrastructure.
Project Milestones
Phase 1: Literature review and interview guide development (October to November 2008).
Phase 2: Conduct interviews with 25-30 thought leaders in the systems engineering, network management, software/hardware development, human factors and supply chain risk management areas (November 2008 to February 2009).
Phase 3: Compile interview results, analyze findings, and prepare a prototype Cyber Supply Chain Assurance Reference Model for presentation to a focus group, convened by SAIC, of 30-45 government and industry executives (March 2009).
Phase 4: Incorporate the focus group's feedback into a final research report (April 2009).
Project Rationale:
The current threat landscape requires a convergence between Defense in Depth and Defense in Breadth.
[Figure: a technology stack drawn as product-oriented building blocks (Supply Chains, Platforms, Frameworks, SDLC, Networks, Applications, Operating Systems) inside a vertical band labelled "COE"; captions read "Paradigm-shifting end-to-end business models" and "Technology stack with the necessary and sufficient components to support complementary product providers".]
"In the digital age, sovereignty is demarcated not by territorial frontiers but by supply chains." Dan Geer, CISO, In-Q-Tel
"Amateurs study cryptography; professionals study economics." Allan Schiffman
Project Rationale (1):
The current threat landscape requires a convergence between Defense in Depth and Defense in Breadth.
[Figure: the same stack (Supply Chains, SDLC, Platforms, Frameworks, Applications, Networks, Operating Systems, "COE"), now surrounded by the activities Risk Management, Synthesis, and Compliance Analysis.]
Project Rationale (2):
The current threat landscape requires a convergence between Defense in Depth and Defense in Breadth.
[Figure: the same stack (Supply Chains, SDLC, Platforms, Frameworks, Applications, Networks, Operating Systems, "COE") with Risk Management and Compliance, annotated "Integration of People, Process, and Technology" and "Technology & Product Focus".]
Study Participant Demographics
30 Participants Interviewed
Cyber Supply Chain Actors
Operators/Users. Responsibilities: must maintain the highest trust levels in the system, must have clear paths for directing demand signals to the supplier base, and expect a highly responsive supply chain feedback loop.
Policy Developers. Responsibilities: prepare concepts of operation (ConOps) and determine Quality of Service (QoS) and Supplier Performance Monitoring Standards.
Network Providers. Responsibilities: must manage Tier II suppliers, assure production quality and guard against counterfeits entering the system.
Acquisition Specialists. Responsibilities: seek to embed Federal Acquisition Regulation (FAR) changes into procurement contracting in pursuit of greater supply chain assurance.
Hardware/Component Developers. Responsibilities: must manage Tier II suppliers, assure production quality and guard against counterfeits entering the system.
Integrators. Responsibilities: act as Tier I coordinators of cross-vendor products and services, and seek common criteria for evaluation of Tier II suppliers and more secure cross-vendor transaction/communication platforms.
Software Developers. Responsibilities: manage software pedigree, code integrity and kernel evaluation assurance levels, and try to carefully screen human or viral threats to their processes.
SDLC/Supply Chain Ecosystem
[Figure: the ecosystem from supplier's supplier through supplier, your company, customer, and customer's customer. Each organization runs its own SDLC cycle (Initiate, Plan, Acquire/Develop, Integrate/Implement/Assess, Operate & Maintain, Dispose) and its own supply chain cycle (Plan, Source, Make, Deliver, Return); the cycles of adjacent organizations are linked, with one organization's Deliver feeding the next organization's Acquire/Develop.]
SDLC/Supply Chain Interdependencies
Synergies within the SDLC and supply chain propagate vulnerability, compounding impact to the enterprise.
[Figure: supplier, your company and customer, each with supply chain stages paired against SDLC stages as drawn (SC: Plan with SDLC: Initiate, SC: Source with SDLC: Acquire, SC: Make with SDLC: Integrate, SC: Deliver with SDLC: O&M, SC: Return with SDLC: Dispose); the pairings are linked across organizations, so a weakness at one stage in one organization propagates to its neighbours.]
Early Research Insights
A fundamental discovery in this project was that global cyber supply chains today are as fragmented and stove-piped as global physical supply chains were a decade and a half ago.
The R.H. Smith Supply Chain Management Center studied hundreds of companies in the early 1990s that were undertaking global supply chain transformation, and sees a profound similarity between the struggles of cyber supply chain managers today and the struggles of those earlier supply chain managers to gain visibility over operations and to establish more collaborative and robust business ecosystems with customers, distributors and suppliers on a worldwide basis.
Supply chain managers needed to create a process map and a set of activity definitions to capture the operational complexity they faced and to begin building effective management understanding and responses. A consensus emerged around the Supply Chain Operations Reference (SCOR) model (Plan, Source, Make, Deliver, Return) developed by the Supply Chain Council, a membership group of over 800 companies, which is now the widely accepted industry standard.
Lack of visibility and coherence across the cyber supply chain.
Need for structured incentives and relationship drivers which facilitate management of shared risk.
Lack of communication between the cyber and physical supply chain domains is constraining advancement.
The concept of "apply to" and "apply through" is key to understanding the interdependencies between SDLCs across the supply chain, which drive the need for an evolutionary approach to shared risk management.
Contact Info
Sandor Boyson
Co-director, Supply Chain Management Center
Research Professor, Logistics and Public Policy Dept.
Robert H. Smith School of Business
3355 Van Munching Hall
University of Maryland
College Park, MD 20742-1815
301-405-2205
[email protected]

Hart Rossman
Vice President, CTO Cyber Programs, SAIC
Senior Research Fellow, Robert H. Smith School of Business
SAIC
1710 SAIC Drive
M/S T3-6-5
McLean, VA 22102
703-676-5598
[email protected]