Supply Chain Risk Management (SCRM) - Overview
DAU GLOSSARY DEFINITION
A systematic process for managing supply chain risk by identifying susceptibilities, vulnerabilities and threats throughout DoD's “supply chain” and developing mitigation strategies to combat those threats whether presented by the supplier, the supplied product and its subcomponents, or the supply chain (e.g., initial production, packaging, handling, storage, transport, mission operation, and disposal).
In addition to the DAU Glossary definition above (which originated from the Committee on National Security Systems Directive (CNSSD) 505), two other authoritative definitions include:
- “The process for managing risk by identifying, assessing, and mitigating threats, vulnerabilities, and disruptions to the DoD supply chain from beginning to end to ensure mission effectiveness. Successful SCRM maintains the integrity of products, services, people, and technologies, and ensures the undisrupted flow of product, materiel, information, and finances across the lifecycle of a weapon or support system. DoD SCRM encompasses all sub-sets of SCRM, such as cybersecurity, software assurance, obsolescence, counterfeit parts, foreign ownership of sub-tier vendors, and other categories of risk that affect the supply chain.” (DoD Instruction (DoDI) 4140.01, DoD Supply Chain Materiel Management Policy)
- “...the risk that an adversary may sabotage, maliciously introduce unwanted function, or otherwise subvert the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a system so as to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of such system.” (DoDI 5200.44, Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN))
Overview
Because there are potential threats and liabilities throughout a system's life cycle, SCRM also needs to be in place throughout the life cycle - cradle to grave. SCRM includes working with appropriate DoD and Office of the Director of National Intelligence (ODNI) organizations on program threats (foreign and counterintelligence), technology vulnerabilities, contractor threat assessments, counterintelligence vulnerabilities, and global distribution risks.
In 2022, DoD initiated the development of additional SCRM policy and guidance, including a common framework and taxonomy with definitions and a list of 12 risk categories and 124 sub-categories. In November 2022, the Office of the Deputy Assistant Secretary of Defense for Logistics, DASD(Log), published a record of initial discussions among DoD, industry, and academia, which included the following three definitions. (Note: these definitions are subject to change and are not to be considered "authoritative" at the time of this update.)
- Supply Chain Resilience - The capability of supply chains to respond quickly to unexpected events, adapt to changes, and ensure continuity of operations after a disruption. Resilience is the outcome of proactive Supply Chain Risk Management and Supply Chain Security.
- Supply Chain Risk Management - A process of proactively identifying supply chain vulnerabilities to potential disruptions and implementing mitigation strategies and actions to ensure the security, integrity, and uninterrupted flow of products as risks are found, or disruptions occur.
- Supply Chain Security - The application of policies, procedures, processes, and technologies to ensure the security, integrity, and uninterrupted flow of products while moving through the supply chain. Examples include the ability to protect supply chains from cyber infiltrations and the introduction of counterfeit material.
In May 2023, the SCRM Framework Report Phase I was signed and released by HON Christopher J. Lowman, ASD(Sustainment), providing the coordinated DoD SCRM Taxonomy that enables the DoD's cross-functional supply chain risk enterprise to communicate in common terms when identifying, assessing, and mitigating supply chain risks. The taxonomy includes 12 risk categories and 123 sub-risk categories (one of the original 124 was removed).
In November 2023, DoD released the National Defense Industrial Strategy (NDIS), which offers a strategic vision to coordinate and prioritize actions to build a modern defense industrial ecosystem that is fully aligned with the National Defense Strategy. A robust and resilient industrial base provides the enduring foundation for military advantage. Resilient Supply Chains is one of four critical areas the NDIS seeks to achieve.
The National Defense Strategy (NDS) and recent DoD exercises designed to evaluate capabilities in a Contested Logistics Environment highlighted two important SCRM requirements: (1) the need for robust decision support tools to illuminate supply chain risks and vulnerabilities and develop mitigating courses of action; and (2) the need to manage risks to Logistics Information Technology system capabilities in a communication-degraded environment. In addition, a recent article by HON Christopher J. Lowman, Assistant Secretary of Defense for Sustainment, emphasized the need for "resilient, secure, and effective supply chains [that] withstand and recover quickly from disruption while illuminating and mitigating risks such as counterfeit parts, natural disasters, and climate change."
Microelectronics
Because microelectronic assets are present in almost every DoD weapon system and major information system, the potential counterfeiting of microelectronic assets is an area of significant vulnerability. DoD established DoDI 4140.67, Counterfeit Prevention Policy. It describes counterfeit materiel as any item that is an unauthorized copy or substitute that has been identified, marked, or altered by a source other than the item’s legally authorized source and has been misrepresented to be an authorized item of the legally authorized source.
Anti-counterfeiting is a means to combat microelectronic fraud. Counterfeit (and fraudulent) parts represent an increasing threat in the global marketplace and affect every component of a program, from commercial-off-the-shelf (COTS) assemblies to military-unique systems. Preventing counterfeit parts from entering the supply chain reduces cost and negative impacts to program schedule and system performance. The overarching DoD Counterfeit Prevention Guidance policy memorandum was signed by the Under Secretary of Defense for Acquisition, Technology and Logistics (USD(AT&L)) [now the Office of the Secretary of Defense for Sustainment (OSD(S))] on March 16, 2012.
In addition, DoD created the Trusted Foundry Program (TFP) in 2003 to respond to the threats of offshoring of microelectronics fabrication and the resulting diminishing influence of DoD on leading-edge microelectronics research and development. The National Security Agency (NSA) and the Defense Microelectronics Activity (DMEA) equally fund the TFP. Since 2003, IBM has provided US Government programs with leading-edge application-specific integrated circuits (ASICs). In July 2015, IBM transferred most of its commercial semiconductor business to GlobalFoundries. This transaction included the ownership and operation of the two IBM foundries accredited by DMEA to provide microelectronics to US Government programs through the TFP.
In addition to the resources and references included below, please find pertinent SCRM material in the following:
- GAO Audit GAO-17-768 Defense Supply Chain: DOD Needs Complete Information on Single Sources of Supply to Proactively Manage the Risks (Sep 28, 2017)
- Supply Chain Threats
- Enhanced Procedures for Supply Chain Risk Management
In addition to the training resources identified below, DAU now offers LOG 0440, Supply Chain Resiliency Fundamentals, an online course which includes a discussion of SCRM and its relationship to supply chain resiliency.