Efforts to manage the risks associated with the cyber supply chain began in earnest with the Comprehensive National Security Initiative (CNCI), which was launched in 2008 when President George W. Bush signed National Security Presidential Directive 54/Homeland Security Presidential Directive 23 (NSPD-54/HSPD-23), Cybersecurity Policy (The White House, 2008b). President Barack Obama determined that CNCI and its associated activities should evolve to become key elements of a broader, united national security strategy (The White House, 2008a).
CNCI Initiative #11 (“Develop a multi-pronged approach for global supply chain risk management”) states that risks from both the domestic and global supply chains must be managed over the life cycle of a cyber-enabled component. The purpose of this initiative was to enhance the U.S. government’s skills, policies, and processes to provide departments and agencies with a robust toolset to manage and mitigate supply chain risk levels commensurate with the criticality of, and risks to, the government’s systems and networks (CNCI, 2008). Although CNCI’s sunset provisions caused it to expire in 2013, its key elements continue.
The Committee on National Security Systems (CNSS) is responsible for the protection of national security systems belonging to the Department of Defense (DoD), the Intelligence Community, and other government agencies. CNSS’s goals support CNCI and NSPD-54/HSPD-23. CNSS Directive 505, Supply Chain Risk Management, was published in 2012 in accordance with CNCI Initiative #11. It states that the U.S. Government must establish an organizational capability to identify and manage supply chain risk to national security systems, in response to the reality that the global marketplace provides adversaries with increased opportunities to penetrate supply chains. Risks must be assessed early and throughout the acquisition life cycle, and all-source threat information must inform the use of risk mitigations (CNSS, 2017).