NASA takes aim at supply chain risk

Having good oversight of the IT supply chain has been a concern for both government and industry for many years, mainly to ensure that faulty components don’t make it into production systems. In the modern world of globalized manufacture, where much of the IT that government consumes is made outside the United States and where there is rampant electronic espionage and theft, knowing where IT originates is crucial.

The Defense Department has made its views well-known. It fears that the ubiquity of digital systems greatly expands the risk that electronic components will be altered outside the country to let nation-states infiltrate and co-opt U.S. defense systems. Intelligence agencies have the same concerns, and with other government systems now so widely connected via the Internet, no one can really feel safe.

It’s such a worry that the Defense Advanced Research Projects Agency, DOD’s bleeding-edge research and development outfit, last year launched the Vetting Commodity IT Software and Firmware program to find a way to screen DOD’s bulk commodity technology purchases for things such as malicious code or hidden backdoors through which hackers could gain access to military systems.

NASA’s program office for Solutions for Enterprisewide Procurement — as a supplier of IT to all federal agencies, including DOD and “three-letter” organizations — is intent on doing its part.

“I’m trying to work out how to write a contract vehicle that supports the government on this issue,” said Joanne Woytek, SEWP program manager. “Our goal as a government contract vehicle is to provide our customers with the information they’ll need to make a proper risk-based decision. We can’t solve the problem, but we can assist customers in helping them solve it.”

Woytek and other NASA officials have been participating in international standards forums that are working on the supply chain problem, such as the Open Group Trusted Technology Forum. That has helped her really understand the issues, she said, and she is folding that understanding back into what the SEWP program office is doing on SEWP V, along with work she is doing with DOD and others.

The approach they have so far come up with for the upcoming SEWP V is based on asking contract holders more about their authorized-reseller relationships. When vendors add a new company to their list, or a new product from a company they are already working with, they will have to tell the SEWP program office what their relationship is with that company and with the manufacturer of the IT. The SEWP office will then have a system in place that automatically sends a note to the manufacturer asking whether it is, in fact, working with that company.

That is the overarching issue, Woytek said. Contract holders can then provide other information, such as whether they are certified by various authorities or are working with a certain standards program. The program office will also give each contract holder a way to identify what makes it less of a risk.

One of the issues the SEWP program office has with authorized resellers is verifying those kinds of claims, Woytek said. You can’t base it wholly on trust, she said, so new software will be needed in SEWP V to provide that kind of automated check to make sure resellers are authorized.

“The goal is that, when the customer gets a quote, we can give them a risk assessment which says, ‘This item came directly from the manufacturer’ or ‘This item may have fallen off the back of a truck’ or ‘You might not want to put this item into a system that has any security requirements to it,’” Woytek said. “What we won’t do is decide which is right or not for them.”
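The workflow described above (a contract holder declares its relationship to a manufacturer, the manufacturer is asked to confirm it, and each quote then carries a provenance label rather than an approve/deny decision) can be sketched as a small registry. This is an added illustration, not SEWP's own software: the class and method names, the label wording, and the company names in the sample data are all invented here.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional, Tuple


class Provenance(Enum):
    """Risk labels attached to a quote. Wording is assumed, loosely following the article."""
    DIRECT = "item comes directly from the manufacturer"
    CONFIRMED = "reseller relationship confirmed by the manufacturer"
    PENDING = "reseller claim recorded; manufacturer has not yet answered"
    DENIED = "manufacturer says it does not work with this reseller"
    NO_RECORD = "no relationship declared for this contract holder and manufacturer"


@dataclass
class RelationshipClaim:
    """What a contract holder told the program office about one manufacturer."""
    contract_holder: str
    manufacturer: str
    manufacturer_reply: Optional[bool] = None  # None until the manufacturer answers


class ProvenanceRegistry:
    """Hypothetical registry: stores claims, queues verification notes, labels quotes."""

    def __init__(self) -> None:
        self._claims: Dict[Tuple[str, str], RelationshipClaim] = {}
        self.outbox: List[str] = []  # automated notes waiting to go to manufacturers

    def register_claim(self, holder: str, manufacturer: str) -> RelationshipClaim:
        claim = RelationshipClaim(holder, manufacturer)
        self._claims[(holder, manufacturer)] = claim
        # A holder selling its own products needs no third-party confirmation;
        # every other declared relationship triggers a note to the manufacturer.
        if holder != manufacturer:
            self.outbox.append(f"To {manufacturer}: do you work with {holder}? (yes/no)")
        return claim

    def record_reply(self, holder: str, manufacturer: str, confirmed: bool) -> None:
        claim = self._claims.get((holder, manufacturer))
        if claim is None:
            raise KeyError(f"no claim on file for {holder!r} / {manufacturer!r}")
        claim.manufacturer_reply = confirmed

    def assess_quote(self, holder: str, manufacturer: str) -> Provenance:
        """Return a label for the customer; the customer, not the registry, decides."""
        claim = self._claims.get((holder, manufacturer))
        if claim is None:
            return Provenance.NO_RECORD
        if claim.contract_holder == claim.manufacturer:
            return Provenance.DIRECT
        if claim.manufacturer_reply is None:
            return Provenance.PENDING
        return Provenance.CONFIRMED if claim.manufacturer_reply else Provenance.DENIED


def demo_registry() -> ProvenanceRegistry:
    """Build a registry from constructed sample data (all company names invented)."""
    reg = ProvenanceRegistry()
    reg.register_claim("Acme Systems", "Acme Systems")  # manufacturer selling direct
    reg.register_claim("Beta Resale", "Acme Systems")
    reg.register_claim("Gamma Resale", "Acme Systems")
    reg.register_claim("Delta Resale", "Acme Systems")
    reg.record_reply("Beta Resale", "Acme Systems", confirmed=True)
    reg.record_reply("Delta Resale", "Acme Systems", confirmed=False)
    # Gamma Resale never gets a reply, so its quotes stay PENDING.
    return reg


if __name__ == "__main__":
    reg = demo_registry()
    for holder in ["Acme Systems", "Beta Resale", "Gamma Resale", "Delta Resale", "Unknown Co"]:
        print(f"{holder:13s} -> {reg.assess_quote(holder, 'Acme Systems').value}")
```

Two design points carry the article's intent: a claim alone never yields a CONFIRMED label (only the manufacturer's answer does, which is the "can't base it wholly on trust" check), and `assess_quote` returns a label for the customer's risk-based decision rather than blocking the purchase.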