enterprisesecuritymag

Identifying Risk and Maintaining National Security

By Eric Bonnell, SVP, Manager–Technology and Asset Risk, Atlantic Union Bank

As I sit back and look over the course of the past nine months, I surmise how very different our world is today than it was in early March 2020. There are several reasons for this. Of course, you can’t easily look beyond the identifiable COVID-19 pandemic, but what you should also see is how the world changed and was pushed forward with the use of technology. I believe the “it” verbiage in technology and intelligence for the next few years will be supply chain risk management (SCRM). My experience over the past few years provided me with a great deal of intelligent technology, both from commercial vendors and inside the government, that provided “illumination”. We in the Department of Defense (DoD) need to look left of the Committee on Foreign Investment in the United States (CFIUS) to secure our supply chains for our Defense Industrial Base (DIB). In layman’s terms, the whole of government needs to be able to help our supply chains on the front side, instead of when they are poised to be purchased by our adversary or to lose a critical element in our supply chain.

This heightened sense of SCRM has produced many emerging capabilities in Supply Chain Risk Tools (SCRT). Choosing the right SCRTs will be the most critical step, and I believe it will become one of the biggest discriminators in the race to secure supply chains globally, with each agency or company being able to use commercially available risk management capability infused with artificial intelligence and machine learning to do predictive analysis on supply chains. The SCRT, along with information sharing, will be the game-changer. We need to focus as a nation on what components create our supply chains, and not focus solely on specific companies, to get our arms around risk. We need technology to define common risk factors, whether material, workforce, technology, fraud, ownership, or P&L, that are core links for many supply chains, and ensure that as a nation we buy down the risk in the US and with strategic allied partners. We need to use these SCRTs to provide DoD and other federal partners a real-time look at what the market sees, through open-source and publicly available feeds. We can then ingest that information and cross-map it with intelligence information to assist with solutions for our key supply chains, to shore them up and bring them back to the United States, and to ensure that our country has the capability to defend herself against any adversary.

The big question is what the right risk factors are and how you quantify risk, as risk is not the same for all, and how you dial up risk in certain areas and dial it down for others. We need the federal agencies to work together with commercial SCRT to provide the right solution.

A truly brilliant example of this happened in the crisis of the COVID-19 pandemic, when I was lucky to be able to serve as the lead for acceleration for the FEMA Supply Chain. In late March 2020, we needed solutions to enable data-driven decisions on multiple factors of risk virtually in real time. In my time at DoD, I was exposed to the DoD Advana platform, a DoD supply chain tool into which we were already ingesting multiple data feeds from other government agencies, as well as from a commercial supplier of risk that provided automated risk analysis with over 60,000 public data feeds. When we merged all the various data into the DoD Advana platform, enhanced with the commercial risk management tool, we quickly identified real-time risks to the supply chain. Based on this and the critical effort of information sharing between federal agencies, we were able to assess from that data the following: first, that a particular vendor we were all working with did not have the production capacity to deliver all that they had signed up for with multiple purchase orders from FEMA, HHS, and DoD. This capability provided DoD the data before the company advised that they would be late in delivery, which could have increased risk not only to our servicemen and women but also to civilians. We were able to address this with the vendor and ensure that the nation’s need was met. If we did not have commercial risk technology incorporated with the DoD Advana platform, with the assistance of artificial intelligence and machine learning, combined with information sharing, we never would’ve found this and lives could have been lost.

The DoD Joint Acquisition Task Force (JATF), in partnership with the Air Force Innovation Office (AFWERX) team, used the DoD Advana enhanced capability and was able to perform almost fully automated due diligence and validation of PPE proposals within eight hours of proposal submission. During the peak period from late March 2020 to May 2020, the AFWERX team, with data from the DoD Advana enhanced platform, processed over 3,000 proposal submissions. This effort of using data to drive decisions directly affected and illuminated valid sources of PPE within days of implementation. The capability remains in place, illuminating and vetting potential vendor capacity and sources around the world to enable resourcing of material solutions that are critical to the COVID-19 response, including direct support to Operation Warp Speed.

This is just a sample of what we need to do as a nation to buy down the risk. We learned a great deal from this crisis, but what I think resonates is that we are all connected to supply chains and that we must work together to ensure we maintain the competitive edge for our national security.

DoD has moved forward over the past few years and worked to enforce security that is foundational to our supply chain with several efforts; as we see it, no one effort will be enough. It is the combination of the right tools, standards, and information sharing. There are many factors to enable this, such as the Cybersecurity Maturity Model Certification rolling out in real time for the DIB. The rewrite of the DoDI 5000.02, called the Adaptive Acquisition Framework (AAF), is the DoD’s transformational tool that improves the ability to deliver warfighting capability at the speed of relevance. DoD is changing the acquisition culture by simplifying policy, empowering program managers (PMs), tailoring acquisition approaches, conducting data-driven analysis, actively managing risk, and emphasizing sustainment. We can no longer look at any solution as the only solution, and we have to remember that security and risk are not one size fits all, to one program or supply chain. Another tool we have to harden our supply chain is the Trusted Capital program. The Trusted Capital program is an investment ecosystem that fosters deal flow in the interest of national security, bringing corporate suppliers offering solutions that are critical to the defense industrial base together with trusted capital providers.

The Federal Government has taken action to move forward with SCRM and information sharing with the Federal Acquisition Security Council (FASC), on which I am the DoD representative. The FASC is responsible for increasing information sharing within the federal government regarding supply chain risk and creating guidelines and practices for risk management. The FASC distributes the intelligence community’s supply chain risk management (SCRM) threat analysis to federal civilian agencies making acquisition decisions.

One thing is for certain: we have incredible SCRT with commercial offers that, when merged with government platforms and information sharing, can get us to the “left of CFIUS” and ensure our national security interest and the stability of the US economy from adversarial influence… We all must remember: ONE TEAM, ONE FIGHT!
