SCRM Portal

SCRM @ Aerospace

Managing Supply Chain Risk across the Acquisition Lifecycle

Threats to supply chains continue to evolve. Aerospace is ahead of the threat, conducting independent research and analysis, program protection planning, criticality analysis, mitigations and countermeasures, and training and best practices to manage supply chain risk across systems lifecycles.

The Aerospace FFRDC

Providing Unparalleled, Independent, Objective Guidance to the Space Enterprise

Federally Funded Research and Development Centers (FFRDCs) are independent non-profits with competencies and capabilities critical to meeting strategic, long-term needs for engineering, research, development, and other analytic capabilities that cannot be met as effectively by U.S. Government or other private-sector resources.

The Aerospace Corporation FFRDC was established June 4, 1960 to support the nation’s space-related defense systems R&D, acquisition, and operations.

Aerospace – which operates one of only six Systems Engineering and Integration (SE&I) FFRDCs nationwide – provides FFRDC services to multiple U.S. national security and civil space agencies, including NASA, NOAA, USGS, and NNSA.

Learn more here:

Value Of Aerospace FFRDC | The Aerospace Corporation

Space Safety Institute | The Aerospace Corporation

Advancing Collaboration Across A Rapidly Evolving Space Enterprise | The Aerospace Corporation

2021 Value of Space Summit: Securing the Value of Space | The Aerospace Corporation

Anticipating Future Opportunities in Space | by The Aerospace Corporation | Nov, 2021 | Medium

About This Portal

The Go-to for Actionable Supply Chain Information

The Aerospace Supply Chain Risk Management Capabilities Center is a comprehensive repository of information for the space enterprise and other civil and commercial industries to assist in the understanding of, and response to, the many threats to systems and operations related to their supply chains. On this site, you will find comprehensive information about supply chain threats, guidance and regulation, case studies and best practices, and descriptions of Aerospace services to help you in securing your supply chain.

National Security Space

Department of Defense, Intelligence Agencies

The National Security and Defense Industrial Base support U.S. national security objectives, including supplying military operations, conducting advanced R&D and systems development to ensure technological superiority of the U.S. Armed Forces, securing reliable sources of critical materials, and developing industrial preparedness to support operations in wartime or during a national emergency.

Civil Space Agencies

NASA, NOAA, USGS

Civil space agencies (CSAs) design, develop, deploy and maintain critical national space assets with global supply chains that are increasingly complex, and seen as targets for intentional threats and malicious attacks by adversaries. Given this complex and pervasive challenge, CSAs are looking to apply supply chain risk management (SCRM) approaches to reduce risk across the acquisition life cycle for human spaceflight and environmental sensing programs. Traditional National Security Space (NSS) SCRM practices can be too difficult and expensive for CSA’s to implement. Aerospace has developed guidance for a more agile, tailored approach for CSA SCRM based on NSS best practices ensuring a higher risk tolerance and reducing budget requirements.

Non-space Civil Agencies

Departments of Energy, Health and Human Services, and U.S. Treasury

Ensuring supply chain security for energy networks to support the national security, homeland security, and the commercial bulk power system is a massive and complex undertaking. A cybersecurity supply chain framework is needed to recognize differences in energy suppliers that operate effectively across these systems. Only supplies provided by permitted components and vendors, based on information sharing across federal intelligence organizations, DOE, and other agencies actively receiving information from industry should be permitted. A testing and evaluation system assessing the integrity of components by National Labs and non-governmental organizations to oversee certification is necessary. Evaluation of the most critical components and prioritizing the most critical components is imperative.

Information and Communications Technology (ICT)

ICT is integral for the daily operations and functionality of U.S. critical infrastructure. If vulnerabilities in the ICT supply chain—composed of hardware, software, and managed services from third-party vendors, suppliers, service providers, and contractors—are exploited, the consequences can affect all users of that technology or service.

Traditional SCRM

Aerospace’s efforts in traditional SCRM include:

• Identification of vulnerabilities in product lifecycles, i.e., defects introduced through mistakes or negligence, degraded lifecycle performance, reliability failure in aging devices
• Assessment of quality and market risk and resiliency issues from single or sole-sourced suppliers, foreign control, long lead times, and counterfeit risk from false, relabeled, recycled, fabricated, cloned, defective, or out-of-spec devices, parts, and materials
• Supplier health and market viability, including understanding technology trends, industry interactions, and supporting supply chains
• SCRM policy perspectives – from macroeconomic to market segment, i.e. semi-conductor, satellite manufacture – and reviews of guidance documents for periodic updates and incorporation into program acquisition plans and CDRL DIDs

Adversarial SCRM

Aerospace activities to prepare, protect, and mitigate malicious threats that can exploit vulnerabilities in supply chain networks and provide wide access to sensitive and proprietary information include:

• Technical assessments in technology prequalification, verification sciences and engineering, analysis of material and physical-implementation related vulnerabilities, and product analyses or testing (e.g. ASIC/FPGA microelectronics hardware reliability/vulnerability)
• Supplier assessments for industrial espionage, intentional insertion of malicious components or coding to enable physical attacks or cause mission failure, IP theft through the unauthorized extraction of sensitive intellectual property using reverse engineering or embedded system security weakness, and other emerging threats/multi-vector approaches
• Cybersecurity reviews for software applications developed to support mission needs, including: software security assurance, including analysis of the code (source or binary) for exposure to CWEs, adherence to good practices and standards, and analysis of code complexity; origin analysis to identify CVE exposure and risk with open licenses; vulnerability analysis to identify CVEs and assess STIG compliance; and dynamic testing attempts to break into the software (fuzz/penetration testing)

Intelligence and Information Sharing

Aerospace tools, processes, and methods include:

• Supplier threat information and intelligence (Bloomberg, TAC centers) to assess risk and inform acquisitions
• Alerts and warnings at classified and unclassified levels (AWARE)

Alerts, Warnings, Advice, Resolutions, and Experience (AWARE) is a repository that facilitates information exchange on technical issues and threats to space enterprise acquisitions and operations. Operational since 2010, the capability includes data and analysis on cyber, supply chain, parts and materials, and counterspace threats sourced from a variety of government and industry organizations. AWARE has a repository for SCRM Analysis that contains corporate threat assessments, hardware/software vulnerability assessments, and other critical information.

After review by FFRDC Subject Matter Experts (SMEs), alerts that have a high chance of affecting Space Enterprise operations are entered into AWARE and are distributed to the specific SMEs or mission areas that may be affected.

AWARE has three versions operating at the unclassified, secret and top-secret levels.

For more on AWARE, reach out to us.

Training and Best Practices

Aerospace has developed Technical Operating Reports (TORs) for SCRM.

Lab Capabilities & Tours

Aerospace also conducts tours of our lab capabilities for analysis and testing of microelectronics.