Aerospace conducts independent research and analysis, program protection planning, criticality analysis, mitigations and countermeasures, and training and best practices for supply chain risk management (SCRM) across system lifecycles, focusing on ‘traditional’ SCRM as well as adversarial threats to supply chains.
Traditional SCRM
Aerospace’s efforts in traditional SCRM include:
- Identification of vulnerabilities in product lifecycles, i.e., defects introduced through mistakes or negligence, degraded lifecycle performance, reliability failure in aging devices
- Assessment of quality and market risk and resiliency issues from single or sole-sourced suppliers, foreign control, long lead times, and counterfeit risk from false, relabeled, recycled, fabricated, cloned, defective, or out-of-spec devices, parts, and materials
- Supplier health and market viability, including understanding technology trends, industry interactions, and supporting supply chains
- SCRM policy perspectives – from macroeconomic to market segment, i.e., semiconductor, satellite manufacture – and reviews of guidance documents for periodic updates and incorporation into program acquisition plans and CDRL DIDs
Adversarial SCRM
Aerospace activities to prepare for, protect against, and mitigate malicious threats that can exploit vulnerabilities in supply chain networks and provide wide access to sensitive and proprietary information include:
- Technical assessments in technology prequalification, verification sciences and engineering, analysis of material and physical-implementation related vulnerabilities, and product analyses or testing (e.g. ASIC/FPGA microelectronics hardware reliability/vulnerability)
- Supplier assessments for industrial espionage, intentional insertion of malicious components or coding to enable physical attacks or cause mission failure, IP theft through the unauthorized extraction of sensitive intellectual property using reverse engineering or embedded system security weaknesses, and other emerging threats/multi-vector approaches
- Cybersecurity reviews for software applications developed to support mission needs, including: software security assurance, with analysis of the code (source or binary) for exposure to CWEs, adherence to good practices and standards, and analysis of code complexity; origin analysis to identify CVE exposure and risk with open licenses; vulnerability analysis to identify CVEs and assess STIG compliance; and dynamic testing that attempts to break into the software (fuzz/penetration testing)
Intelligence and Information Sharing
Aerospace tools, processes, and methods include:
- Supplier threat information and intelligence (Bloomberg, TAC centers) to assess risk and inform acquisitions
- Alerts and warnings at classified and unclassified levels (AWARE)
Alerts, Warnings, Advice, Resolutions, and Experience (AWARE) is a repository that facilitates information exchange on technical issues and threats to space enterprise acquisitions and operations. Operational since 2010, the capability includes data and analysis on cyber, supply chain, parts and materials, and counterspace threats sourced from a variety of government and industry organizations. AWARE has a repository for SCRM Analysis that contains corporate threat assessments, hardware/software vulnerability assessments, and other critical information.
After review by FFRDC Subject Matter Experts (SMEs), alerts that have a high chance of affecting Space Enterprise operations are entered into AWARE and are distributed to the specific SMEs or mission areas that may be affected.
AWARE has three versions operating at the unclassified, secret and top-secret levels.
For more on AWARE, reach out to us.
Training and Best Practices
Aerospace has developed Technical Operating Reports (TORs) for SCRM.
Lab Capabilities & Tours
Aerospace also conducts tours of our lab capabilities for analysis and testing of microelectronics.