Conclusions
Improvements needed at the scale necessary to ensure a secure and reliable supply of microelectronic components for USAF weapon systems cannot be effectively implemented at the program level. Delegating supply chain risk management to the program offices not only results in costly duplication of effort but also creates nonuniform implementation of policy and practices and presents yet another threat vector.
For a supply chain risk management and threat assessment program to be effective, it must be authorized, implemented, and monitored from the highest levels of the USAF. The threat to USAF microelectronic components spans the entire life cycle of USAF weapon systems. Security and reliability start at the earliest stages of research and development and continue through acquisition of the system to sustainment of the platform. Each phase of the life cycle is currently organizationally distributed across the USAF.
The plethora of existing and new SCRM policies imposes many challenges for program offices regarding implementation and determining acceptable risk responses. The tasks are compounded by the complexities of the supply chain as highlighted throughout this report. New requirements on handling critical components, the prevalence of counterfeits, analyzing vulnerabilities, and determining appropriate risk responses are time-consuming and potentially overwhelming to the engineering resources available to the program offices. Current policy requires that program offices obtain all-source intelligence information on potential threats, determine the level of risk to their weapon system, and then proactively develop risk mitigation strategies that may require alteration of their program plans through the implementation of countermeasures. This level of attention requires considerable manpower and expertise. However, due to limits in staffing and technical expertise, program offices are performing these functions without a detailed understanding of the potential vulnerabilities in the platform and are therefore unknowingly assuming risk.
The current program efforts are genuine but lack the experience and quality needed to implement the policies and achieve meaningful results. These observances represent a “best effort” by the programs but fall short of being effective. Due to the imbalance in the cost-benefit trade-off, it is not in the program’s best interest to proactively look for vulnerabilities within its systems. However, by providing standardized, approved assessment tools and access to both component expertise and threat information through a central organization that is resourced appropriately, the USAF would realize a reduction in time and effort and generate improved results in both system security and reliability.
The assessment of threats facing the microelectronics community is daunting, but the USAF can mitigate many of the immediate challenges by implementing better OPSEC policies for all weapon systems—not just those in the early stages of the acquisition life cycle. Protecting program information must become a priority. Finally, the USAF is not facing this challenge alone. The whole-of-government approach outlined in the MINSEC program should be fully leveraged by whatever approach the USAF develops to address the challenge of ensuring secure and reliable electronics in USAF weapon systems.