National Academies Press: OpenBook
Suggested Citation:"Appendix C: SCRM Policy, Guidance, and Standards." National Academies of Sciences, Engineering, and Medicine. 2019. The Growing Threat to Air Force Mission-Critical Electronics: Lethality at Risk: Unclassified Summary. Washington, DC: The National Academies Press. doi: 10.17226/25475.

C

SCRM Policy, Guidance, and Standards

The current influential policies, guidance, and standards that supply chain risk management (SCRM) practitioners will need to comply with when implementing program protections within the Department of Defense (DoD) and U.S. Air Force (USAF) acquisition life cycle are listed below by organization, including the Air Force Life Cycle Management Center (AFLCMC), the Air Force Life Cycle Management Center’s Cryptologic and Cyber Systems Division (AFLCMC/HNC), the Trusted Systems Network (TSN)—DoD(CIO) Working Group, the National Institute of Standards and Technology (NIST), the Committee on National Security Systems (CNSS), and the Intelligence Community.

AIR FORCE LIFE CYCLE MANAGEMENT CENTER—CRYPTOLOGIC AND CYBER SYSTEMS DIVISION (AFLCMC/HNC)

  1. HNC OI 63-1201, HNC Engineering Processes and Roles, 10 August 2016.
  2. HNC OI 63-102, HNC Lifecycle Supply Chain Risk Management (SCRM), 20 July 2018.
  3. HNC 63-510, Deficiency Reporting Investigation and Resolution, 30 June 2016.
  4. GM 2017-101, Risk Management Framework Information Technology, 13 November 2017.

AIR FORCE LIFE CYCLE MANAGEMENT CENTER (AFLCMC)

The following are recent or pending releases:

  1. AFLCMC CPI/CC Identification, pending release.
  2. AFLCMC (Anti-Tamper Guide), pending release.
  3. AFLCMC (TSN Center of Excellence CONOPS), pending release.
  4. AFLCMC Standard Process, Program Protection Planning and System Security Engineering, v. 1.0, AFLCMC/EZSP/EZSI, 16 November 2017.
  5. AFLCMC Standard Process, Life Cycle Sustainment Plans, AFLCMC/LG-LZ, 1 October 2017.
  6. AFLCMC Standard Process, Risk and Issue Management (RIM) in Acquisition Programs, AFLCMC/AZE, 17 November 2017.
  7. AFLCMC Standard Process, Cybersecurity Assessment and Authorization, AFLCMC/EZA/EZB/EZC, 21 June 2018.
  8. AFLCMC Internal Process Guide, Weapon System Supply Chain Risk Management (WS SCRM), version 1.0, AFLCMC/LG-LZ, 30 November 2016.

U.S. AIR FORCE

  1. AFI 63-101/20-101, Integrated Life Cycle Management, 9 May 2017.
  2. AFMCI 63-1201, Implementing Operational Safety Suitability and Effectiveness (OSS&E) and Life Cycle Systems Engineering (LCSE), 28 March 2017.
  3. AFPAM 63-113, Program Protection Planning for Life Cycle Management, 17 October 2013.
  4. AFPAM 63-128, Integrated Life Cycle Management, 10 July 2014.
  5. AFPD 63-1/20-1, Integrated Life Cycle Management, 3 June 2016.
  6. AFI 90-901, Operational Risk Management, as amended, 1 April 2000.
  7. AFGM2018-63-146-01, Air Force Guidance Memorandum for Rapid Acquisition Activities, 13 June 2018.

DEPARTMENT OF DEFENSE

  1. Deputy Assistant Secretary of Defense Systems Engineering (DASD/SE), Program Protection Plan (PPP) Outline and Guidance, version 1.0, July 2011. [Version 2, in process.]
  2. DoD Guide, Key Practices and Implementation Guide for the DoD Comprehensive National Cybersecurity Initiative 11 (CNCI) Supply Chain Risk Management (SCRM) Pilot Program, 25 February 2010.
  3. DoD Guide, Risk Management Guide for DoD Acquisition, Sixth Edition, Version 1.0, August 2006.
  4. DoD 5220.22-M, National Industrial Security Program Operating Manual (NISPOM), 18 May 2016.
  5. DoDD 5200.47E, Anti-Tamper (AT), Change 1, 28 August 2017.
  6. DoDD 5240.02, Counterintelligence (CI), 17 March 2015.
  7. DoDI 4140.01, DoD Supply Chain Materiel Management Policy, 14 September 2017.
  8. DoDI 4140.67, DoD Counterfeit Prevention Policy, 25 October 2017.
  9. DoDI 5000.02, Operation of the Defense Acquisition System, 10 August 2017. [Especially Enclosure 14 Item 3.b. (7).]
  10. DoDI 5200.39, Critical Program Information (CPI) Protection Within Research, Development, Test, and Evaluation (RDT&E), 17 November 2017.
  11. DoDI 5200.44, Protection of Mission-Critical Functions to Achieve Trusted Systems and Networks, 27 July 2017.
  12. DoDI O-5240.24, Counterintelligence (CI) Activities Supporting Research, Development, and Acquisition (RDA), 15 October 2013.
  13. DoDI 8320.04, Item Unique Identification (IUID) Standards for Tangible Personal Property, 14 November 2017.
  14. DoDI 8500.01, Cybersecurity, 14 March 2014.
  15. DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), 12 March 2014.
  16. DoDI 8581.01, Cybersecurity for Space Systems Used by the DoD, in review 2018.
  17. DoDM 5240.01, Procedures Governing the Conduct of DoD Intelligence Activities, 8 August 2016. [Defines U.S. Person and USPI.]
  18. Principal Deputy Under Secretary of Defense for Acquisition, Technology, and Logistics, Memorandum, Document Streamlining—Program Protection Plan (PPP), 18 July 2011.
  19. DASD/SE, DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs, January 2017.
  20. Defense Acquisition Guide (DAG), Chapter 3, Systems Engineering, current release.
  21. DAG, Chapter 7, Intelligence Support and Acquisition, current release.
  22. DAG, Chapter 9, Program Protection, current release.
  23. Defense Standardization Program Office, SD-22, Diminishing Manufacturing Sources and Material Shortages, A Guidebook of Best Practices for Implementing a Robust DMSMS Management Program, January 2016.
  24. JCIDS, Manual for the Joint Capabilities Integration and Development System (JCIDS), 12 February 2015, including errata as of 18 December 2015. [P. F-I-8, Appendix I, Item e. Threat Assessment item 2 c (2) (d).]
  25. MIL-HDBK-1785, Systems Security Engineering Program Management Requirements, notice of validation for use in acquisition, 22 April 2014. [Reactivated from 1 August 1995.]
  26. Risk Management Framework (RMF) guidance, located at https://rmfks.osd.mil.

TRUSTED SYSTEMS NETWORK GUIDANCE—DOD(CIO) WORKING GROUP

  1. DASD/SE, Trusted Systems and Networks (TSN) Analysis, June 2014.
  2. Trusted Systems and Networks (TSN) Information and Communications Technology (ICT) Risk Mitigation Guidebook (RMG), Version 2.0, February 2014.
  3. DASD/SE, Suggested Language to Incorporate System Security Engineering for Trusted Systems and Networks (TSN) into Department of Defense Requests for Proposals, January 2014.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

  1. NIST SP800-30r1, Guide for Conducting Risk Assessments, September 2012.
  2. NIST SP800-37r1, Risk Management Framework for Information Systems and Organizations, June 10, 2014. [Rev. 2 INITIAL DRAFT released May 2018.]
  3. NIST SP800-39, Managing Information Security Risk: Organization, Mission, and Information System View, 1 March 2011.
  4. NIST SP800-53r4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013.
  5. NIST SP800-53r5, Initial Public Draft, Security and Privacy Controls for Federal Information Systems and Organizations, 15 August 2017.
  6. NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, September 2011.
  7. NIST SP 800-60, Volume I, Guide for Mapping Types of Information and Types of Information Systems to Security Categories, August 2008.
  8. NIST SP 800-60, Volume II, Appendices to Guide for Mapping Types of Information and Types of Information Systems to Security Categories, August 2008.
  9. NIST SP800-160, Systems Security Engineering, November 2016.
  10. NIST SP800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, April 2015.
  11. NIST, Framework for Improving Critical Infrastructure Cybersecurity, version 1.1, Draft 2, 5 December 2017.
  12. NIST Interagency Report (IR) 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems, October 2012.

COMMITTEE ON NATIONAL SECURITY SYSTEMS

  1. CNSSD 505, Supply Chain Risk Management, 26 July 2017.
  2. CNSSI No. 1253, Security Categorization and Control Selection for National Security Systems, 27 March 2014.
  3. CNSSI No. 1254, Risk Management Framework Documentation, Data Element Standards, and Reciprocity Process for National Security Systems, August 2016.
  4. CNSSI No. 4009, Glossary, 6 April 2015.
  5. CNSSP 22, Cybersecurity Risk Management, August 2016.

INTELLIGENCE COMMUNITY

  1. Intelligence Community Directive (ICD) 731, Supply Chain Risk Management, 7 December 2013.
  2. Intelligence Community Standard (ICS) 731, Supply Chain Criticality Assessments, 2 October 2015.
  3. ICS 731-02, Supply Chain Threat Assessments, 17 May 2016.
  4. ICS 731-03, Supply Chain Information Sharing, 29 June 2017.

High-performance electronics are key to the U.S. Air Force’s (USAF’s) ability to deliver lethal effects at the time and location of their choosing. Additionally, these electronic systems must be able to withstand not only the rigors of the battlefield but be able to perform the needed mission while under cyber and electronic warfare (EW) attack. This requires a high degree of assurance that they are both physically reliable and resistant to adversary actions throughout their life cycle from design to sustainment.

In 2016, the National Academies of Sciences, Engineering, and Medicine convened a workshop titled Optimizing the Air Force Acquisition Strategy of Secure and Reliable Electronic Components, and released a summary of the workshop. This publication serves as a follow-on to provide recommendations to the USAF acquisition community.
