Graph Image
Invictus Insights

Measure Twice Before You Buy: Supply Chain Risk Management (SCRM)

By: Jonathan Schlosser and Ric Van Antwerp

We have all bought something, taken it home to install, only to find that it is not the right size, has unanticipated costs to service, and won’t do what we need it to do once we make those necessary changes. This is a result of not clearly knowing requirements up front and evaluating if the corrections that need to be made along the way were the right ones. We didn’t “measure twice, cut once.”  Well, what does this have to do with SCRM and cybersecurity? It is analogous to mistakes made by organizations in implementing SCRM into cybersecurity frameworks.  Implementation of an integrated SCRM program with cybersecurity brings functions to determine whether or not we “measured twice” to acquire the correct and most secure product. This is most effective prior to network and system deployment.

The reality is that an organization’s Information Communications Technology (ICT) infrastructure is reliant on unknown global partners, as every organization must acquire commercial hardware, software, and services to house and process data.   As a result, there are threats to the ICT supply chain that exists which we cannot control.  This affects security throughout the product lifecycle from product manufacturing and development, to pre-acquisition and retirement. For example, foreign ownership, product obsolescence, and diminishing manufacturing sources and material shortages (DMSMS) all provide threat actors with opportunities to influence and exploit the supply chain.

It is certainly under our control to reduce the likelihood that threats will expose vulnerabilities, and impact organizational mission success.  SCRM functions are designed to be the controlled safeguards and responses to these persistent and asymmetrical threats. The logical execution of these safeguards is to adopt a whole-of-organization approach for deploying SCRM into cybersecurity frameworks.   Fundamental processes that do so are:

  1. Criticality assessment and prioritization on networks and systems.
  2. Identification of organizational risk thresholds.
  3. Prioritized supply chain risk assessments on acquired ICT.
  4. Linkage of risk to technical cybersecurity mitigations.

However, adoption of these practices is increasingly complex as awareness of an organization’s ICT supply chains rapidly changes with the production of new technologies, foreign-sourced component suppliers, enterprise hardware and software licensing, maintenance servicing, laws, policies, etc.  Due to this complexity, the most effective solution is to implement SCRM processes prior to network and system deployment; as early on in the acquisition, system design/planning stages as possible.  Success hinges on a whole-of-organization approach that accounts for risks at the start of system design through product acquisition to system retirement.

Baking-in a “measured twice” first step with this whole-of-organization SCRM program requires organizational commitment to assess the “criticality” of ICT system components.  This is as most cybersecurity supply chain risks amplify later in the ICT’s product acquisition lifecycle.  Though this “measure twice, cut once” proverb to “measure twice, before you buy”, organizations reduce the incidence of having to mitigate risks with costly and mission-interfering situations.

Invictus has a team of ICT acquisition and cybersecurity SCRM experts that have developed and implemented an agency-level SCRM strategy using this framework and methodology.  Our experts can assist both large enterprises and small organizations with effective strategies to address supply chain concerns, and ensure your SCRM strategy is tailored to your organization, the sensitivity of your data, and the current threat.  ​Since SCRM solutions require multi-discipline expertise, the experts need to be adept at facilitating the inter- and intra-agency relationships necessary to institutionalize the intent of SCRM.

Watch the following video from the Center for Development of Security Excellence (CDSE), “Know the Risk – Raise Your Shield: Supply Chain Risk Management Video Lesson” for more information regarding SCRM:

CDSE provides security education, training, and certification products and services to a broad audience supporting the protection of National Security and professionalization of the DoD security enterprise.