Please join us as we introduce a Trustworthy Supplier Framework, a toolbox developed to assist in understanding component protection options and inform better buying decisions as part of supply chain risk management. Although this effort began in support of the Department of Defense, we are now seeking to engage a broader set of stakeholders in industry, government and academia to provide input and shape the Framework's contents to best address supply chain risk in commercial-off-the-shelf (COTS) products. The Trustworthy Supplier Framework maps various existing standards and practices to the controls provided in NIST Special Publication (SP) 800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, and supports the understanding and utilization of various standards and practices in managing supply chain risks.
Trustworthiness of the suppliers and products in supply chains is critical to ensuring that systems' quality, safety, integrity, resilience and security are not compromised.
Federal department and agency program managers are seeking help to work through existing industry standards and practices, government policies and guidance, qualified buyer lists, accreditation programs, and other activities to both protect their systems and to comply with various policies. While a wide variety of good standards and controls exist for supply chain risk mitigation, their utility is compromised by the sheer number of options, as well as by the difficulty in translating or customizing controls to specific programs. It is often unclear to buyers which practices are appropriate, effective and affordable. In these times of tight budgets, well-informed and thought-out decisions are necessary for success.
In addition, while many policies offer a disciplined approach for the contracted supply chain, a gap remains on how to perform the necessary criticality and vulnerability assessments when the products purchased are often commercial-off-the-shelf (COTS) and use commercial terms of service. This gap is especially apparent when trying to identify, assess and mitigate risks associated with large and complex COTS products and services where visibility into the product and its development can be difficult.
To address this gap, a baseline assessment has been conducted on current product and supplier standards, regulations, policies, and trustworthiness practices focused specifically on the electronic component category (although the results should be generalizable to other product categories).The process for developing the Trustworthy Suppliers Framework involved starting with NIST SP 800-161 for a risk mitigation structure and looking across existing standards to build a portfolio of options available for different levels of protection in different missions and under varying levels of threats – working from a whole-of-government perspective, but with a motivating focus on federal department and agency challenges.
Industry, academia and government systems engineers, program managers and buyers who make the component selection decisions; people who design or implement supply chain controls or quality procedures; standards developers; and those responsible for ensuring systems' quality, integrity and security.
To invite discussion and comment on the Trustworthy Suppliers Framework developed for the DoD based in part on NIST SP 800-161, and on related standards/guideline efforts.
1. Introduce the Trustworthy Suppliers Frame work and describe its connection to NIST SP 800-161
2. Validate the Trustworthy Suppliers Framework's utility
a. Does the Framework adequately address COTS?
b. Is the Framework usable and useful to a broad audience?
3. Receive input to inform future versions of the Trustworthy Suppliers Framework and other government supply chain risk management initiatives
a. Are there gaps in the Framework?
b. Are there gaps in NIST SP 800-161?
c. Are there gaps in the broader industry standards?
4. Identify future courses of action that might be taken by government or industry toaddress any identified gaps