Every once in a while a signal emerges from our tracking efforts which feels like finding a needle in a haystack.  This development is one of those times.  

Background

Based on the insights from our OODA Stragitame and, most recently, in conversations with OODA Strategic Advisor and OODA Network Member Chris Ward, we have been concerned with a fast, secure IT supply chain not only for the classified information which is attached to government contracting but also for the point to point, secure acquisition of subcomponents (with a trackable provenance of each IT component part) for emerging and advanced technologies systems in current development for strategic, technological advantage over China. 

Specifically, we have been concerned with the advantage that the prime contractors would have in this regard – and we have been on the lookout if DoD is looking at creating a system for smaller, more innovative startups to “plug and play” into a secure pipeline customized to solve this pain point for new entrants into the government contracting system.  As Ward pointed out recently: 

“A real system like what you are describing- an honest-to-goodness system where you want every piece of the supply chain protected  – that goes behind the door and then nobody sees it except the industries themselves. And that is going to be the big defense contractors.  The innovative new companies are not going to get in there to see any of that.”  

There is also the problem of not achieving any speed and scale because new entrants are busy allocating resources to build out a bespoke IT operation within their company to meet the security requirements of DoD procurement and deliverables.  Again, Ward:   “The risk is that innovative companies are going to lose their focus on pursuing all these processes.  They are going to get their focus off.  I’m always nervous about these businesses spreading themselves too thin in too many different directions and then not being able to stay focused on what they do best.”

Upcoming posts will address any discussions we are finding of the potential for a hardware-level secure pipeline with trackable, secure provenance information attached to each part of the IT supply chain (designed to serve the smaller, more innovative players and new entrants in the DoD procurement and acquisition ecosystem). 

To start, recent comments made by Robert Vietmeyer, Director for Cloud and Software Modernization in DoD Chief Information Office are the first we have seen that address a fast, secure pipeline to protect controlled unclassified information (CUI). 

DoD Official Envisions Faster ‘Secure Pipeline’ to Help Small Business Tech Contractors Protect Information

Kudos to Jaspreet Gill Breaking Defense for filing the following report: 

The Defense Department is considering extending a “secure pipeline” to small businesses to help them protect the department’s controlled unclassified information (CUI) while also speeding up their software deliveries, according to an official in the DoD Chief Information Office (CIO).

“One of the challenges we’re finding dealing with the smaller industries and others that haven’t worked in the defense space is our adversaries will attack our weakest links, and if folks aren’t ready for nation-state advanced persistent threat attacks, our sensitive information can be compromised,” Robert Vietmeyer, director for cloud and software modernization, said at a virtual Potomac Officers Club event today. (1) 

What Next? 

To that point, the DoD CIO is working with the deputy under-secretary of defense and the under-secretary of defense for acquisition and sustainment to “make investments” to help small businesses in the Cybersecurity Maturity Model Certification (CMMC) 2.0 program, which aims to strengthen the cybersecurity of the defense industrial base by holding contractors accountable for following best practices to protect their network.

“I’d like to see us expand beyond just the protection, but how do we give a development pipeline, a software factory capability that can enable the small business not just to safeguard DoD CUI but actually give them… a secure pipeline that would enable them to accelerate their potential delivery into the DoD environment as well as protecting that software through its development cycles?” Vietmeyer said. 

While that last part is just a concept right now, DoD is already trying to work on helping businesses protect its information, as the White House’s National Cyber Strategy called “industry and government to pick up a greater share because of the challenges we’re facing from a cyber defense perspective,” he said.

“In my mind, these are some of these avenues that we’re looking at an idea phase now to see if we can put resources behind it,” he added.

The National Cyber Strategy, released in March, seeks to “rebalance” the responsibility of defending cybersecurity to the “most capable and best-positioned actors” in the US. According to the strategy, the “burden” of responsibility would be shifted to larger businesses and the government in the face of threats from state actors like Russia and China.  

Meanwhile, DoD last month submitted its own long-awaited cyber strategy to Congress. In a March interview with Breaking Defense, DoD CIO John Sherman said the strategy would “directly align” with the National Cyber Strategy. 

While the strategy is classified, a public fact sheet laid out the main themes, including maximizing “cyber capabilities in support of integrated deterrence,” countering adversaries and partnering with allies and partners to defend the cyber domain.” (1)  

https://oodaloop.com/archive/2023/04/28/usg-projects-at-speed-and-scale-the-disadvantages-of-ota-and-securing-the-emerging-technology-it-supply-chain/

https://oodaloop.com/archive/2023/03/13/secure-global-and-domestic-it-supply-chains-and-the-future-of-emerging-technology-innovation/

Global Supply Chain Sensemaking

https://oodaloop.com/archive/2023/06/15/the-state-departments-sustained-500m-commitment-to-bolster-global-computer-chip-supply-chain-security-as-prescribed-by-the-2021-ooda-stratigame/

https://oodaloop.com/archive/2021/11/22/scenario-planning-for-global-computer-chip-supply-chain-disruption-results-of-an-ooda-stratigame/

https://oodaloop.com/archive/2021/10/07/chinas-formal-bid-for-global-dominance-of-the-semiconductor-supply-chain/