The Department of Defense (DoD) recently released an updated instruction on its information and communication technology (ICT) supply chain, intended to protect mission-critical systems, networks, and functions by minimizing ICT supply chain and engineering risks. The instruction implements ICT supply chain risk management (SCRM) requirements in line with the DoD's SCRM implementation strategy.
SCRM is a systematic process for identifying potential threats and vulnerabilities throughout the DoD supply chain. It combines risk assessment with the implementation of threat mitigation strategies to ensure the integrity and security of procured technology and the continuity of operations that depend on it.
In 2022, the DoD started developing additional SCRM policies and a common framework that could be used across all their affiliates. This framework includes 12 risk categories and 124 sub-categories. The most recent changes are intended to provide proactive risk management and resilience to safeguard critical supply chains.
The instruction applies to all DoD information systems, networks, and weapon systems, including National Security Systems (NSS), DoD systems with a high confidentiality impact level, and systems that are critical to military or intelligence missions. Control systems and business systems are included as well. In practice, every element of the DoD ICT supply chain, and every system that uses ICT components, is affected.
The directive focuses on protecting DoD mission-critical functions through updated ICT SCRM practices. This includes identifying the critical components of applicable systems and their suppliers, and improving supplier due diligence so that programs can make better-informed risk management decisions.
Risk management processes apply throughout the entire system life cycle, using trusted systems and networks (TSN) processes, tools, and techniques to reduce vulnerabilities, assess risk, and plan and implement mitigations.
Mission critical functions, critical components, and risk planning and management activities are to be documented in the program protection plan and in relevant cybersecurity plans and documentation.
The DoD will implement tailored strategies, contract tools, and procurement methods for critical components in applicable systems. Any custom-designed or custom-manufactured integrated circuit-related products and services must be procured from a trusted supplier using trusted processes accredited by the Defense Microelectronics Activity (DMEA). If no trusted supplier is available, the procurement must undergo an appropriate risk assessment and be approved by the head of the DoD Component.
Because the scope of covered systems is so broad, nearly all suppliers within the defense industry will be affected. Whether you are a commodity IT supplier or a custom solution or service provider, your product or service will be subject to DoD SCRM scrutiny.
The DoD will also tailor its acquisition and procurement strategies, methods, and contract vehicles to ensure that procured technologies and services meet the new standards. Contractors therefore need to stay current with the DoD's acquisition approaches, or they risk missing opportunities even when their offering meets the SCRM technical standards.
Contractors who understand these changes and reflect them in their strategies and policies gain a competitive advantage in contract award decisions. For everyone else, the changes will affect compliance requirements across the board, so keep your practices and tools aligned with this new standard of operation.
As these changes affect US Cloud, we are constantly keeping up with the latest shifts in DoD SCRM practices and applying the necessary adjustments to our services. We are a proud supporter of the US government and defense, utilizing our Microsoft Enterprise Technical Support Services (METSS) to deliver faster, more economical support by screened US domestic teams.
Our Microsoft Enterprise Services (MES) is the part of the company that provides comprehensive support and consulting services to help enterprises optimize their use of Microsoft products and technologies. These services include:
Microsoft Enterprise Technical Support Services (METSS) refers to the range of support options provided by US Cloud to Government and Defense agencies for their technical needs and challenges. These services are composed of:
We support all government and defense agencies and enterprises, providing comprehensive, compliant support. We keep up with the latest changes from the DoD and ensure that all of our practices and policies are ahead of the curve. Faster Microsoft support for less starts with US Cloud. Learn more by booking a call today.