The Aerospace Corporation’s Role Supporting National SCRM Efforts
SCRM @ Aerospace
Managing Supply Chain Risk across the Acquisition Lifecycle
Threats to supply chains continue to evolve. Aerospace is ahead of the threat, conducting independent research and analysis, program protection planning, criticality analysis, mitigations and countermeasures, and training and best practices to manage supply chain risk across systems lifecycles.
The Aerospace FFRDC
Providing Unparalleled, Independent, Objective Guidance to the Space Enterprise
Federally Funded Research and Development Centers (FFRDCs) are independent non-profits with competencies and capabilities critical to meeting strategic, long-term needs for engineering, research, development, and other analytic capabilities that cannot be met as effectively by U.S. Government or other private-sector resources.
The Aerospace Corporation FFRDC was established June 4, 1960 to support the nation’s space-related defense systems R&D, acquisition, and operations.
Aerospace – which operates one of only six Systems Engineering and Integration (SE&I) FFRDCs nationwide – provides FFRDC services to multiple U.S. national security and civil space agencies, including NASA, NOAA, USGS, and NNSA.
About This Portal
The Go-to for Actionable Supply Chain Information
The Aerospace Supply Chain Risk Management Capabilities Center is a comprehensive repository of information for the space enterprise and other civil and commercial industries to assist in the understanding of, and response to, the many threats to systems and operations related to their supply chains. On this site, you will find comprehensive information about supply chain threats, guidance and regulation, case studies and best practices, and descriptions of Aerospace services to help you in securing your supply chain.
Learn about SCRM Challenges and Implementation
With Innovation Comes an Expanding Threat Plane
Managing supply chain risk will become more critical as we evolve the infrastructure that enables critical national functions such as positioning, navigation, and timing (PNT) services; cargo, material, and passenger transport; and consumer and commercial banking services. Newly integrated technology – including space-based solar power, synthetic chemicals, precision medicine and robotic surgery, and 3-D and 4-D printing – will incorporate a range of component parts and processes, creating an even larger threat plane. Supporting supply chains will require a more deliberate and dedicated level of risk management than is currently practiced by government and industry.
Managing Risk in an Evolving Threat Environment
SCRM has traditionally focused on managing weaknesses in product lifecycles, such as: defects introduced through mistakes or negligence that result in vulnerabilities or degraded lifecycle performance; failure in aging devices; market risk and resiliency issues from sole-sourced suppliers; long lead times; and counterfeit risk from relabeled, recycled, cloned, defective, or out-of-spec devices.
Naturally occurring systemic threats, such as natural disasters or pandemics (e.g. COVID-19), can also shut down operations altogether, compromising the stability of the workforce and production cycles.
Increasingly, actors are entering supply chains through cyber networks (e.g. SolarWinds) to gain access to sensitive and proprietary information and intellectual property. This insertion of malicious components and coding has cost government and industry billions through mission failure, intelligence gathering, and extortion.
SCRM Implementation Initiatives
Engaging the Widest Range of Stakeholders to Mitigate Risk
Supply chain threats have energized Congress, the White House, and executive agencies to impose requirements that demand insight into suppliers at all levels – not just first- and second-tier suppliers, but distributors and vendors across the full network, which typically has not been understood. Aerospace provides tools, capabilities, and resources to assist stakeholders in engaging with suppliers at all levels to better understand and mitigate current and future risk.
U.S. Government and Industry SCRM Issues
National Security Space
Department of Defense, Intelligence Agencies
The National Security and Defense Industrial Base support U.S. national security objectives, including supplying military operations, conducting advanced R&D and systems development to ensure technological superiority of the U.S. Armed Forces, securing reliable sources of critical materials, and developing industrial preparedness to support operations in wartime or during a national emergency.
Civil Space Agencies
NASA, NOAA, USGS
Civil space agencies (CSAs) design, develop, deploy and maintain critical national space assets with global supply chains that are increasingly complex and seen as targets for intentional threats and malicious attacks by adversaries. Given this complex and pervasive challenge, CSAs are looking to apply supply chain risk management (SCRM) approaches to reduce risk across the acquisition life cycle for human spaceflight and environmental sensing programs. Traditional National Security Space (NSS) SCRM practices can be too difficult and expensive for CSAs to implement. Aerospace has developed guidance for a more agile, tailored approach for CSA SCRM based on NSS best practices, ensuring a higher risk tolerance and reducing budget requirements.
Non-space Civil Agencies
Departments of Energy, Health and Human Services, and U.S. Treasury
Ensuring supply chain security for energy networks to support national security, homeland security, and the commercial bulk power system is a massive and complex undertaking. A cybersecurity supply chain framework is needed to recognize differences in energy suppliers that operate effectively across these systems. Only supplies from permitted components and vendors should be allowed, with permission based on information sharing across federal intelligence organizations, DOE, and other agencies actively receiving information from industry. A testing and evaluation system is necessary in which National Labs and non-governmental organizations assess the integrity of components and oversee certification. Prioritizing and evaluating the most critical components is imperative.
Information and Communications Technology (ICT)
ICT is integral for the daily operations and functionality of U.S. critical infrastructure. If vulnerabilities in the ICT supply chain—composed of hardware, software, and managed services from third-party vendors, suppliers, service providers, and contractors—are exploited, the consequences can affect all users of that technology or service.
Multi-agency Practices and Guidance
Aerospace Technical Reports
Technical Subject Area Direction
Legislation, Executive Orders, and other Directives
Department Directives and Programming
Recommendations and Thought Leadership
Aerospace SCRM Capabilities and Focus Areas
Aerospace conducts independent research & analysis, program protection planning, criticality analysis, mitigations and countermeasures, and training and best practices to manage supply chain risk (SCRM) across systems lifecycles, focusing on ‘traditional’ SCRM as well as adversarial threats to supply chains.
Aerospace’s efforts in traditional SCRM include:
- Identification of vulnerabilities in product lifecycles, i.e., defects introduced through mistakes or negligence, degraded lifecycle performance, reliability failure in aging devices
- Assessment of quality and market risk and resiliency issues from single or sole-sourced suppliers, foreign control, long lead times, and counterfeit risk from false, relabeled, recycled, fabricated, cloned, defective, or out-of-spec devices, parts, and materials
- Supplier health and market viability, including understanding technology trends, industry interactions, and supporting supply chains
- SCRM policy perspectives – from macroeconomic to market segment, i.e., semiconductor, satellite manufacture – and reviews of guidance documents for periodic updates and incorporation into program acquisition plans and CDRL DIDs
Aerospace activities to prepare for, protect against, and mitigate malicious threats that can exploit vulnerabilities in supply chain networks and provide wide access to sensitive and proprietary information include:
- Technical assessments in technology prequalification, verification sciences and engineering, analysis of material and physical-implementation related vulnerabilities, and product analyses or testing (e.g. ASIC/FPGA microelectronics hardware reliability/vulnerability)
- Supplier assessments for industrial espionage, intentional insertion of malicious components or coding to enable physical attacks or cause mission failure, IP theft through the unauthorized extraction of sensitive intellectual property using reverse engineering or embedded system security weakness, and other emerging threats/multi-vector approaches
- Cybersecurity reviews for software applications developed to support mission needs, including: software security assurance, including analysis of the code (source or binary) for exposure to CWEs, adherence to good practices and standards, and analysis of code complexity; origin analysis to identify CVE exposure and risk with open licenses; vulnerability analysis to identify CVEs and assess STIG compliance; and dynamic testing attempts to break into the software (fuzz/penetration testing)
Intelligence and Information Sharing
Aerospace tools, processes, and methods include:
- Supplier threat information and intelligence (Bloomberg, TAC centers) to assess risk and inform acquisitions
- Alerts and warnings at classified and unclassified levels (AWARE)
Alerts, Warnings, Advice, Resolutions, and Experience (AWARE) is a repository that facilitates information exchange on technical issues and threats to space enterprise acquisitions and operations. Operational since 2010, the capability includes data and analysis on cyber, supply chain, parts and materials, and counterspace threats sourced from a variety of government and industry organizations. AWARE has a repository for SCRM Analysis that contains corporate threat assessments, hardware/software vulnerability assessments, and other critical information.
After review by FFRDC Subject Matter Experts (SMEs), alerts that have a high chance of affecting Space Enterprise operations are entered into AWARE and are distributed to the specific SMEs or mission areas that may be affected.
AWARE has three versions operating at the unclassified, secret and top-secret levels.
For more on AWARE, reach out to us.
Training and Best Practices
Aerospace has developed Technical Operating Reports (TORs) for SCRM.
Lab Capabilities & Tours
Aerospace also conducts tours of our lab capabilities for analysis and testing of microelectronics.
Contact an Aerospace SCRM Specialist
Lori W Gordon
Dr. Thomas A Kashangaki