Aerospace SCRM

  • Independent research & analysis
  • Program protection planning
  • Criticality analysis, mitigations and countermeasures
  • Training and best practices

Across systems lifecycles, focusing on ‘traditional’ SCRM as well as adversarial threats to supply chains.

The Aerospace Corporation’s Role Supporting National SCRM Efforts

SCRM @ Aerospace

Managing Supply Chain Risk across the Acquisition Lifecycle

Threats to supply chains continue to evolve. Aerospace is ahead of the threat, conducting independent research and analysis, program protection planning, criticality analysis, mitigations and countermeasures, and training and best practices to manage supply chain risk across systems lifecycles.


The Aerospace FFRDC

Providing Unparalleled, Independent, Objective Guidance to the Space Enterprise

Federally Funded Research and Development Centers (FFRDCs) are independent non-profits with competencies and capabilities critical to meeting strategic, long-term needs for engineering, research, development, and other analytic capabilities that cannot be met as effectively by U.S. Government or other private-sector resources.

The Aerospace Corporation FFRDC was established June 4, 1960 to support the nation’s space-related defense systems R&D, acquisition, and operations.

Aerospace – which operates one of only six Systems Engineering and Integration (SE&I) FFRDCs nationwide – provides FFRDC services to multiple U.S. national security and civil space agencies, including NASA, NOAA, USGS, and NNSA.

Learn more here:

Value Of Aerospace FFRDC | The Aerospace Corporation

Space Safety Institute | The Aerospace Corporation

Advancing Collaboration Across A Rapidly Evolving Space Enterprise | The Aerospace Corporation

2021 Value of Space Summit: Securing the Value of Space | The Aerospace Corporation

Anticipating Future Opportunities in Space | by The Aerospace Corporation | Nov, 2021 | Medium


About This Portal

The Go-to for Actionable Supply Chain Information

The Aerospace Supply Chain Risk Management Capabilities Center is a comprehensive repository of information for the space enterprise and other civil and commercial industries to assist in the understanding of, and response to, the many threats to systems and operations related to their supply chains. On this site, you will find comprehensive information about supply chain threats, guidance and regulation, case studies and best practices, and descriptions of Aerospace services to help you in securing your supply chain.

Learn about SCRM Challenges and Implementation

SCRM Overview

With Innovation Comes an Expanding Threat Plane

Managing supply chain risk will become more critical as we evolve the infrastructure that enables critical national functions such as positioning, navigation, and timing (PNT) services; cargo, material, and passenger transport; and consumer and commercial banking services. Newly integrated technology – including space-based solar power, synthetic chemicals, precision medicine and robotic surgery, and 3-D and 4-D printing – will incorporate a range of component parts and processes, creating an even larger threat plane. Supporting supply chains will require a more deliberate and dedicated level of risk management than is currently practiced by government and industry.


SCRM History

Managing Risk in an Evolving Threat Environment

SCRM has traditionally focused on managing weaknesses in product lifecycles, such as: defects introduced through mistakes or negligence that result in vulnerabilities or degraded lifecycle performance; failure in aging devices; market risk and resiliency issues from sole-sourced suppliers; long lead times; and counterfeit risk from relabeled, recycled, cloned, defective, or out-of-spec devices.

Naturally occurring systemic threats, such as natural disasters or pandemics (e.g. COVID-19), can also shut down operations altogether, compromising the stability of the workforce and production cycles.

Increasingly, actors are entering supply chains through cyber networks (e.g. SolarWinds) to gain access to sensitive and proprietary information and intellectual property. This insertion of malicious components and coding has cost government and industry billions in mission failure, intelligence gathering, and extortion.


SCRM Implementation Initiatives

Engaging the Widest Range of Stakeholders to Mitigate Risk

Supply chain threats have energized Congress, the White House, and executive agencies to impose requirements that demand insight into suppliers at all levels – not just first- and second-tier suppliers, but also distributors and vendors across the full network, which typically has not been understood. Aerospace provides tools, capabilities, and resources to assist stakeholders in engaging with suppliers at all levels to better understand and mitigate current and future risk.

U.S. Government and Industry SCRM Issues

National Security Space

Department of Defense, Intelligence Agencies

The National Security and Defense Industrial Base support U.S. national security objectives, including supplying military operations, conducting advanced R&D and systems development to ensure technological superiority of the U.S. Armed Forces, securing reliable sources of critical materials, and developing industrial preparedness to support operations in wartime or during a national emergency.


Civil Space Agencies

NASA, NOAA, USGS

Civil space agencies (CSAs) design, develop, deploy and maintain critical national space assets with global supply chains that are increasingly complex and seen as targets for intentional threats and malicious attacks by adversaries. Given this complex and pervasive challenge, CSAs are looking to apply supply chain risk management (SCRM) approaches to reduce risk across the acquisition life cycle for human spaceflight and environmental sensing programs. Traditional National Security Space (NSS) SCRM practices can be too difficult and expensive for CSAs to implement. Aerospace has developed guidance for a more agile, tailored approach for CSA SCRM based on NSS best practices ensuring a higher risk tolerance and reducing budget requirements.


Non-space Civil Agencies

Departments of Energy, Health and Human Services, and U.S. Treasury

Ensuring supply chain security for the energy networks that support national security, homeland security, and the commercial bulk power system is a massive and complex undertaking. A cybersecurity supply chain framework is needed to recognize differences in energy suppliers that operate effectively across these systems. Only components and vendors approved on the basis of information sharing across federal intelligence organizations, DOE, and other agencies actively receiving information from industry should be permitted. A testing and evaluation system, run by National Labs and non-governmental organizations, is necessary to assess the integrity of components and oversee certification. Evaluating and prioritizing the most critical components is imperative.


Information and Communications Technology (ICT)

ICT is integral for the daily operations and functionality of U.S. critical infrastructure. If vulnerabilities in the ICT supply chain—composed of hardware, software, and managed services from third-party vendors, suppliers, service providers, and contractors—are exploited, the consequences can affect all users of that technology or service.

Multi-agency Practices and Guidance

Aerospace Technical Reports

Technical Subject Area Direction

National-level Guidance

Legislation, Executive Orders, and other Directives

Agency-specific Guidance

Department Directives and Programming

Best Practices

Recommendations and Thought Leadership

Aerospace SCRM Capabilities and Focus Areas

Aerospace conducts independent research & analysis, program protection planning, criticality analysis, mitigations and countermeasures, and training and best practices to manage supply chain risk (SCRM) across systems lifecycles, focusing on ‘traditional’ SCRM as well as adversarial threats to supply chains.

Traditional SCRM

Aerospace’s efforts in traditional SCRM include:

  • Identification of vulnerabilities in product lifecycles, i.e., defects introduced through mistakes or negligence, degraded lifecycle performance, reliability failure in aging devices
  • Assessment of quality and market risk and resiliency issues from single or sole-sourced suppliers, foreign control, long lead times, and counterfeit risk from false, relabeled, recycled, fabricated, cloned, defective, or out-of-spec devices, parts, and materials
  • Supplier health and market viability, including understanding technology trends, industry interactions, and supporting supply chains
  • SCRM policy perspectives – from macroeconomic to market segment, i.e., semiconductor, satellite manufacture – and reviews of guidance documents for periodic updates and incorporation into program acquisition plans and CDRL DIDs

Adversarial SCRM

Aerospace activities to prepare for, protect against, and mitigate malicious threats that can exploit vulnerabilities in supply chain networks and provide wide access to sensitive and proprietary information include:

  • Technical assessments in technology prequalification, verification sciences and engineering, analysis of material and physical-implementation related vulnerabilities, and product analyses or testing (e.g. ASIC/FPGA microelectronics hardware reliability/vulnerability)
  • Supplier assessments for industrial espionage, intentional insertion of malicious components or coding to enable physical attacks or cause mission failure, IP theft through the unauthorized extraction of sensitive intellectual property using reverse engineering or embedded system security weaknesses, and other emerging threats/multi-vector approaches
  • Cybersecurity reviews for software applications developed to support mission needs, including: software security assurance, including analysis of the code (source or binary) for exposure to CWEs, adherence to good practices and standards, and analysis of code complexity; origin analysis to identify CVE exposure and risk with open licenses; vulnerability analysis to identify CVEs and assess STIG compliance; and dynamic testing attempts to break into the software (fuzz/penetration testing)

Intelligence and Information Sharing

Aerospace tools, processes, and methods include:

  • Supplier threat information and intelligence (Bloomberg, TAC centers) to assess risk and inform acquisitions
  • Alerts and warnings at classified and unclassified levels (AWARE)

Alerts, Warnings, Advice, Resolutions, and Experience (AWARE) is a repository that facilitates information exchange on technical issues and threats to space enterprise acquisitions and operations. Operational since 2010, the capability includes data and analysis on cyber, supply chain, parts and materials, and counterspace threats sourced from a variety of government and industry organizations. AWARE has a repository for SCRM Analysis that contains corporate threat assessments, hardware/software vulnerability assessments, and other critical information.

After review by FFRDC Subject Matter Experts (SMEs), alerts that have a high chance of affecting Space Enterprise operations are entered into AWARE and are distributed to the specific SMEs or mission areas that may be affected.

AWARE has three versions operating at the unclassified, secret and top-secret levels.

For more on AWARE, reach out to us.


Training and Best Practices

Aerospace has developed Technical Operating Reports (TORs) for SCRM.


Lab Capabilities & Tours

Aerospace also conducts tours of our lab capabilities for analysis and testing of microelectronics.

Contact an Aerospace SCRM Specialist

Submit an Inquiry

Let us know your SCRM needs, desired expertise areas, and timeframe.

Contact

Lori W Gordon
Direct: 703.812.7053
Mobile: 202.308.9729

Contact

Dr. Thomas A Kashangaki
Direct: 703.812.0640
Mobile: 571.422.5653

News

Beyond Cybersecurity Frameworks

The last couple of years have been filled with what seems like countless high-profile cyber attacks — SolarWinds and Colonial Pipeline immediately come to mind. Add …

Events

Speeding Up the Move to Zero Trust

November 30, 2022, 2:00 PM Webinar. As civilian and defense agencies work through the nuances of incorporating zero trust strategies, the question becomes: How can this process …

IT Asset Management in the Era of Zero Trust

September 21, 2022, 2:00 PM Webinar. During this exclusive webinar, moderator Scott Maucione and guest Steve Wallace, chief technology officer at the Defense Information Systems Agency, will discuss …