
A Tangible Reason to Secure Your Supply Chain


It’s not all DCAA-bashing here at Apogee Consulting, Inc.—though we have to admit that we do love the low-hanging fruit handed to us by the audit agency’s recent guidance to its Regional Directors and auditors. Nope, we have other topics of interest that we like to blog about, as frequent readers will aver. Based on a recent spate of articles about fraud and corruption in the public procurement process, one might assume that was our other focus. But no: we also follow defense technology, cyber-security, program management, and supply chain management as well.

Pursuing our obsessions (er, interests) on the Internet, we came across a new site, www.fiercegovernmentit.com. We like it—a lot. On that site we came across a story that was near and dear to our hearts, since it combined our interests in both cyber-security and supply chain management. The article, entitled “DHS Could Rate Software Manufacturers According to Their Supply Chain,” definitely caught our eye. Link here.

The article focused on using trusted subcontractors and suppliers to develop secure code and secure products. It stated—

‘There are suppliers in that chain who are people we would not allow into our facilities, but we're just going to take their software and install it? Anybody understand that there's a problem with that?’ said Joe Jarzombek, director for software assurance and global cybersecurity management within the DHS National Cyber Security Division. …

Getting a good rating would not require relocating all coding activities domestically, he said. Many exploitable weaknesses found in software come from developers using U.S. citizen personnel with software clearances.

‘I'll use a technical term - they're clueless on how to develop secure products,’ Jarzombek said. Among the practices called out by Jarzombek is subcontracting with entities the government is unaware of. While the government might think it's getting code from a trusted source, in fact a hidden third party is delivering the final product merely with the vendor's nameplate.

Jarzombek also said that developers delivering code compiled with bug flags turned off is akin to handing someone unaware a gun with the safety turned off. ‘Somehow we would think that's wrong, but we don't think that's wrong in software.’

Wow. We couldn’t agree more—and what’s more we’ve said so in writing. Although our focus was on the manufacture of hardware, our thoughts could easily be applied to software coding. We said (in our typical over-the-top style)—

The risks for the A&D industry sector are real. The risks demand a serious and near-term response. Our goal should be to establish a “product pedigree” for our supply chain through creating an unbreakable chain of custody from first source through the various manufacturing and fabrication and assembly and finishing steps. We need to be able to follow our raw stock and piece parts and components and sub-assemblies into final assembly and test, ideally by satellite monitoring. Once the product is assembled and tested, we need to follow the finished item as it makes its way to the warfighters. And we need to do it without alerting the enemy or giving away our position.

It’s not an easy task, but the easiest way to drown on the Titanic was to pretend there was no iceberg or that the ship wouldn’t sink.  Listen up, Lunchbox, the ship is taking on water and it’s time to get a bucket.  We’re not fooling you.  But your foreign supplier might be.
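As an added illustration of the “product pedigree” idea above (this is example code written for this page, not anything from Apogee Consulting or the DHS article), here is a minimal tamper-evident chain-of-custody ledger. Each hand-off between suppliers is sealed with a hash that also binds it to the previous hand-off, so a record that is rewritten after the fact, a step that is quietly dropped, or a custodian who is not on the approved-supplier register all surface as findings when the pedigree is verified. The supplier names, step list, serial number and timestamps are all constructed for the example.

```python
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List

GENESIS = "0" * 64  # link value for the first custody event

# Constructed for this example: a hypothetical register of approved custodians
# and the manufacturing steps a finished item must have passed through, in order.
APPROVED_CUSTODIANS = {"ForgeCo", "MillWorks", "AssemblyInc", "TestLab", "Depot"}
REQUIRED_STEPS = ["raw_stock", "machining", "assembly", "test", "shipped"]


@dataclass
class CustodyEvent:
    item_id: str
    step: str
    custodian: str
    timestamp: str        # ISO 8601 string supplied by the custodian
    prev_hash: str        # entry_hash of the preceding event, GENESIS for the first
    entry_hash: str = ""  # SHA-256 over the other fields, filled in by seal()


def canonical(event: CustodyEvent) -> bytes:
    """Serialize every field except entry_hash in a stable byte form."""
    fields = asdict(event)
    fields.pop("entry_hash")
    return json.dumps(fields, sort_keys=True, separators=(",", ":")).encode()


def seal(event: CustodyEvent) -> CustodyEvent:
    """Compute and store the event's hash; any later edit will no longer match."""
    event.entry_hash = hashlib.sha256(canonical(event)).hexdigest()
    return event


def append_event(chain: List[CustodyEvent], item_id: str, step: str,
                 custodian: str, timestamp: str) -> CustodyEvent:
    """Add a sealed event whose prev_hash binds it to the current chain head."""
    prev = chain[-1].entry_hash if chain else GENESIS
    event = seal(CustodyEvent(item_id, step, custodian, timestamp, prev))
    chain.append(event)
    return event


def verify_pedigree(chain: List[CustodyEvent]) -> List[str]:
    """Return a list of findings; an empty list means the pedigree checks out."""
    findings: List[str] = []
    expected_prev = GENESIS
    for i, ev in enumerate(chain):
        if ev.prev_hash != expected_prev:
            findings.append(f"event {i} ({ev.step}): broken link, prev_hash does not match prior event")
        if hashlib.sha256(canonical(ev)).hexdigest() != ev.entry_hash:
            findings.append(f"event {i} ({ev.step}): contents altered after sealing")
        if ev.custodian not in APPROVED_CUSTODIANS:
            findings.append(f"event {i} ({ev.step}): custodian {ev.custodian!r} is not an approved supplier")
        expected_prev = ev.entry_hash
    steps = [ev.step for ev in chain]
    if steps != REQUIRED_STEPS:
        findings.append(f"step sequence {steps} does not match required {REQUIRED_STEPS}")
    if len({ev.item_id for ev in chain}) > 1:
        findings.append("events refer to more than one item_id")
    return findings


def build_sample_chain() -> List[CustodyEvent]:
    """Constructed sample: one part ('SN-0001') moving through every required step."""
    chain: List[CustodyEvent] = []
    handoffs = [
        ("raw_stock", "ForgeCo", "2011-03-01T08:00:00Z"),
        ("machining", "MillWorks", "2011-03-04T10:30:00Z"),
        ("assembly", "AssemblyInc", "2011-03-09T14:15:00Z"),
        ("test", "TestLab", "2011-03-11T09:00:00Z"),
        ("shipped", "Depot", "2011-03-12T16:45:00Z"),
    ]
    for step, custodian, ts in handoffs:
        append_event(chain, "SN-0001", step, custodian, ts)
    return chain


if __name__ == "__main__":
    clean = build_sample_chain()
    print("clean chain:", verify_pedigree(clean) or "OK")

    # Tamper 1: a record is rewritten to hide an unapproved shop doing the assembly.
    swapped = build_sample_chain()
    swapped[2].custodian = "UnknownShop"
    print("swapped custodian:", verify_pedigree(swapped))

    # Tamper 2: the test step is dropped so the item ships without its test record.
    skipped = build_sample_chain()
    del skipped[3]
    print("skipped test:", verify_pedigree(skipped))
```

The hash chain only proves that the records have not been altered since they were written; it says nothing about whether the first record was honest, and a party who holds every record can reseal the whole chain. In practice the chain head (the last entry_hash) would be signed by each custodian and lodged with the buyer or a third party at each hand-off, which is what makes the “unbreakable” claim hold against the supplier who is doing the fooling.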

Moving back to the article from our new favorite site, it continued—

In a related conference session, former Office of Management and Budget Administrator for e-Government and Information Technology Karen Evans urged the government to be tougher with all information technology companies over their supply chain practices.

The minute that the Defense Department rejects a router for cybersecurity reasons, ‘it will send a ripple effect through the industry, and then people will fix it,’ she said. ‘If you marked a deliverable as undeliverable, it gets everybody's attention all the way up the chain.’

As previously noted, supply chain management is one of our “things” that we think government contractors need to do better. We live in an environment of persistent cyber-threats. As we’ve written—

The next big war between nation states probably won’t be fought using tanks and planes; it will probably be fought in cyberspace.  The war could be over before a single shot is fired, with the winner being the first to shut down the other side’s electrical and information grids.  The soldiers of the next war are in training now.  And the United States is way behind other nations in training and equipping its cybersoldiers.
Though we put a lot of passion into that particular blog article, it did not prove as popular with our readership as we would have hoped. (Probably because it didn’t have “DCAA” in the title.) So if the well-documented threat of hacking and cyber-warfare doesn’t get your attention, perhaps this point will.

Here’s the deal. If the Department of Homeland Security is going to start using supply chain security and management practices as an evaluation criterion in the award of future contracts, then you will need to secure your supply chain in order to win that work.
That’s right, gentle readers. A more secure supply chain is going to confer a competitive advantage. Locking down your supply chain is a strategic move, an investment that will pay a return. And failing to do so might make you such a risky supplier that you can’t win new government contracts, and will start charting a backlog burn-off that looks much like a steep cliff. Don’t say you weren’t warned.

So why don’t you get on that “thing” right about now?
