Summary of Findings and Recommendations
The committee distilled its findings into several recommendations based on examination of evidence gleaned from the best practices observed in the commercial world, sectors of the U.S. government, and the defense industry. These recommendations highlight necessary steps for the U.S. Air Force (USAF) to improve acquisition and sustainment of mission-critical electronics needed for the warfighter. The committee is cognizant that the challenges facing the USAF to ensure that the electronic components in its weapon systems are both secure and reliable are daunting and will require considerable attention from the highest levels of the organization; the committee believes that the following recommendations are achievable and constitute an important and necessary foundation to build upon.
LEAD SUPPLY CHAIN RISK MANAGEMENT FROM THE TOP
Finding: Delegating supply chain risk management (SCRM) to the program offices results in costly duplication of effort and nonuniform implementation of policy and practices, and presents yet another threat vector.
Finding: The threat to USAF microelectronic components spans the entire life cycle of USAF weapon systems. Understanding both security and reliability of the system starts at the earliest stages of research and design and impacts every acquisition decision from system development to sustainment of the platform. Currently, each phase of the life cycle is organizationally distributed across the USAF.
Finding: An effective SCRM program requires a robust information protection strategy that spans all stages of the weapon system to ensure the protection of program information relating to critical technologies and capabilities.
Recommendation: The USAF must authorize, implement, and monitor at the highest level of the organization for supply chain risk management (SCRM) to be effective.
Finding: The committee believes that the responsible organization should be the Air Force Materiel Command (AFMC), given its responsibility for the Air Force Research Laboratory (AFRL), Air Force Life Cycle Management Center (AFLCMC/EN), and Air Force Sustainment Centers (AFSCs), as well as its geographical relationship with the National Air and Space Intelligence Center (NASIC).
Recommendation: The USAF should establish a central office—the Program Protection Office—that has the responsibility and authority to implement a holistic approach to protecting program information across the acquisition enterprise that includes an integrated supply chain threat assessment and risk management program—from research and development (Air Force Research Laboratory, AFRL), through acquisition (Office of the Assistant Secretary of the Air Force for Acquisition, Technology, and Logistics, SAF/AQ), to sustainment (Air Force Materiel Command, AFMC). The Air Force Office of Special Investigations (AFOSI) Program Protection Office is a critical component of this new office.
Recommendation: The USAF Program Protection Office must have unfettered access to program office vulnerability information and risk mitigation plans; must be able to direct the use of red teams to proactively probe and identify risks; must establish enforceable rules for protecting program information at all stages of the program; must have the authority to hold program managers accountable for implementation of threat mitigation actions; and must be resourced to develop gold standard risk supply chain assessment tools that are incorporated into the program protection plans.
CAPITALIZE ON U.S. GOVERNMENT-LEVEL MODERNIZATION EFFORTS
Finding: The whole-of-government is working to improve onshore electronics capabilities in programs such as the Microelectronics Innovation for National Security and Economic Competitiveness (MINSEC). If successful, these efforts may mitigate the risks associated with access to critical components and pace of technology development. The USAF can implement the underlying programs in
MINSEC to improve provenance controls, protect critical program information (CPI) from nontrusted suppliers, and improve security of components in sustainment programs.
Recommendation: The USAF should be an early adopter for U.S. government-level programs that are focused on improving capability concurrently with increasing security and reliability in weapon systems.
Recommendation: The USAF should work closely with the Microelectronics Innovation for National Security and Economic Competitiveness (MINSEC) program to help to inform decisions on creating, evolving, and maintaining a Department of Defense-specific, trusted, and verified electronic components library repository. Subsequently, once obsolete or compromised components are identified, this effort will inform modernization requirements to reduce the threat landscape and increase resilience into the future.
DEVELOP USAF-LEVEL SUSTAINMENT PROCESS
Finding: The USAF can leverage commercial best practices to improve the security posture in the design and manufacturing stages of leading-edge electronic components for new weapon systems; however, sustainment time frames for USAF weapon systems are unique and, therefore, must be the focus of the USAF.
Recommendation: Because many of the legacy platforms employ similar electronic components and share an already fragile supply chain, the USAF should develop an enterprise-wide vulnerability assessment and risk management capability to better share information across the program offices in a timely fashion.
Recommendation: The USAF should implement a platform-by-platform review of critical electronic components and work with the Joint Federated Assurance Center or similar Department of Defense organization to ensure a secure and trusted supply of critical components for all sustainment programs.
EMPLOY SYSTEM-LEVEL OPERATIONAL SECURITY
Finding: One of the easiest and most cost-effective ways to aid the adversary and weaken USAF mission effectiveness is to allow insight into U.S. capabilities and operations.
Finding: Poor operational security (OPSEC) practices expose critical USAF electronics and weapon systems information to risk. These include undesirable practices
such as making readily available unprotected program protection plans (PPPs), allowing electronics to be designed on Internet-connected computers, and the open publication of critical weapon system parts lists and processes. Many of these practices are intended to support contracting “best practices” such as full and open competition. However, this behavior enables the adversary to steal or exfiltrate critical program information (CPI) from unsecured information technology (IT) systems with little to no effort. Poor OPSEC is especially damaging because once the information is obtained, it then allows the adversary to expend as much time as needed to identify exploitable vulnerabilities—often before the weapon system has even been fielded.
Finding: Protecting program information must be a priority at all stages of the acquisition life cycle.
Finding: This level of security awareness must extend beyond acquisition of new weapon systems and be used to inform acquisition approaches for legacy platforms in sustainment.
Recommendation: The USAF must enforce existing operational security (OPSEC) policies across the entire weapon system life cycle—from initial design to sustainment of existing systems—and as new threats emerge, promulgate new policies throughout the enterprise to protect USAF weapon systems.
Recommendation: The USAF should adopt secure design environments and methodologies by ensuring that mission-critical design activities are performed only in secure design environments, with licensed and vetted design tools and intellectual property libraries. All components should incorporate “assured-by-design” strategies.
Recommendation: Early in the design process, the USAF should proactively assess what electronic components will require a trusted fabrication and packaging capability and then develop acquisition and sustainment strategies to support those requirements. The acquisition strategy should also consider technology obsolescence as a risk to the program and incorporate options for technology modernization.
EXPAND SUPPLY CHAIN MONITORING
Finding: The Air Force Office of Special Investigations (AFOSI) has the responsibility to monitor and investigate threats to the microelectronics supply chain. The AFOSI Program Protection Office does not have sufficient resources (funding or
manpower) to move toward a proactive stance to protect USAF systems. Staffing limitations hinder AFOSI’s ability to identify threats to supply chains in time to have operational relevance.
Finding: Additional training and subject matter expertise for SCRM are needed within the USAF program and sustainment offices that support the technical complexities of the weapon system.
Recommendation: The USAF should increase funding and staffing of the Air Force Office of Special Investigations (AFOSI), and related investigative efforts, to move from a reactive to a proactive threat assessment and risk management posture.
Recommendation: The USAF should ensure that sustainment personnel have access to the same supply chain risk management training and threat intelligence as the acquisition community.
IMPLEMENT PROGRAM INFORMATION PROTECTION PROGRAM (SYSTEMSECURE)
Finding: The USAF does not have a culture of proactive security assurance that emphasizes protecting program information at all stages of the acquisition life cycle.
Recommendation: Analogous to the U.S. Navy’s Submarine Safety Program (SUBSAFE) and the newly created Cybersecurity Safety Program (CYBERSAFE), the USAF should establish a “SystemSecure” program. SystemSecure should focus on increasing awareness across the USAF on the need for aggressive protection of program information, including proactive supply chain monitoring and remediation whenever risks are identified.