Suggested Citation:"Appendix C: SCRM Policy, Guidance, and Standards." National Academies of Sciences, Engineering, and Medicine. 2019. The Growing Threat to Air Force Mission-Critical Electronics: Lethality at Risk: Unclassified Summary. Washington, DC: The National Academies Press. doi: 10.17226/25475.

Appendix C
SCRM Policy, Guidance, and Standards

The current influential policies, guidance, and standards that supply chain risk management (SCRM) practitioners will need to comply with, and implement in order to put program protections in place, within the Department of Defense (DoD) and U.S. Air Force (USAF) acquisition life cycle are listed below by organization, including the Air Force Life Cycle Management Center (AFLCMC), the Air Force Life Cycle Management Center’s Cryptologic and Cyber Systems Division (AFLCMC/HNC), the Trusted Systems Network (TSN)—DoD(CIO) Working Group, the National Institute of Standards and Technology (NIST), the Committee on National Security Systems (CNSS), and the Intelligence Community.

AIR FORCE LIFE CYCLE MANAGEMENT CENTER—CRYPTOLOGIC AND CYBER SYSTEMS DIVISION (AFLCMC/HNC)

1. HNC OI 63-1201, HNC Engineering Processes and Roles, 10 August 2016.
2. HNC OI 63-102, HNC Lifecycle Supply Chain Risk Management (SCRM), 20 July 2018.
3. HNC 63-510, Deficiency Reporting Investigation and Resolution, 30 June 2016.
4. GM 2017-101, Risk Management Framework Information Technology, 13 November 2017.

AIR FORCE LIFE CYCLE MANAGEMENT CENTER (AFLCMC)

The following are recent or pending releases:

1. AFLCMC CPI/CC Identification, pending release.
2. AFLCMC (Anti-Tamper Guide), pending release.
3. AFLCMC (TSN Center of Excellence CONOPS), pending release.
4. AFLCMC Standard Process, Program Protection Planning and System Security Engineering, v. 1.0, AFLCMC/EZSP/EZSI, 16 November 2017.
5. AFLCMC Standard Process, Life Cycle Sustainment Plans, AFLCMC/LG-LZ, 1 October 2017.
6. AFLCMC Standard Process, Risk and Issue Management (RIM) in Acquisition Programs, AFLCMC/AZE, 17 November 2017.
7. AFLCMC Standard Process, Cybersecurity Assessment and Authorization, AFLCMC/EZA/EZB/EZC, 21 June 2018.
8. AFLCMC Internal Process Guide, Weapon System Supply Chain Risk Management (WS SCRM), version 1.0, AFLCMC/LG-LZ, 30 November 2016.

U.S. AIR FORCE

1. AFI 63-101/20-101, Integrated Life Cycle Management, 9 May 2017.
2. AFMCI 63-1201, Implementing Operational Safety Suitability and Effectiveness (OSS&E) and Life Cycle Systems Engineering (LCSE), 28 March 2017.
3. AFPAM 63-113, Program Protection Planning for Life Cycle Management, 17 October 2013.
4. AFPAM 63-128, Integrated Life Cycle Management, 10 July 2014.
5. AFPD 63-1/20-1, Integrated Life Cycle Management, 3 June 2016.
6. AFI 90-901, Operational Risk Management, as amended, 1 April 2000.
7. AFGM2018-63-146-01, Air Force Guidance Memorandum for Rapid Acquisition Activities, 13 June 2018.

DEPARTMENT OF DEFENSE

1. Deputy Assistant Secretary of Defense Systems Engineering (DASD/SE), Program Protection Plan (PPP) Outline and Guidance, version 1.0, July 2011. [Version 2, in process.]
2. DoD Guide, Key Practices and Implementation Guide for the DoD Comprehensive National Cybersecurity Initiative 11 (CNCI) Supply Chain Risk Management (SCRM) Pilot Program, 25 February 2010.
3. DoD Guide, Risk Management Guide for DoD Acquisition, Sixth Edition, Version 1.0, August 2006.
4. DoD 5220.22-M, National Industrial Security Program Operating Manual (NISPOM), 18 May 2016.
5. DoDD 5200.47E, Anti-Tamper (AT), Change 1, 28 August 2017.
6. DoDD 5240.02, Counterintelligence (CI), 17 March 2015.
7. DoDI 4140.01, DoD Supply Chain Materiel Management Policy, 14 September 2017.
8. DoDI 4140.67, DoD Counterfeit Prevention Policy, 25 October 2017.
9. DoDI 5000.02, Operation of the Defense Acquisition System, 10 August 2017. [Especially Enclosure 14 Item 3.b. (7).]
10. DoDI 5200.39, Critical Program Information (CPI) Protection Within Research, Development, Test, and Evaluation (RDT&E), 17 November 2017.
11. DoDI 5200.44, Protection of Mission-Critical Functions to Achieve Trusted Systems and Networks, 27 July 2017.
12. DoDI O-5240.24, Counterintelligence (CI) Activities Supporting Research, Development, and Acquisition (RDA), 15 October 2013.
13. DoDI 8320.04, Item Unique Identification (IUID) Standards for Tangible Personal Property, 14 November 2017.
14. DoDI 8500.01, Cybersecurity, 14 March 2014.
15. DoDI 8510.01, Risk Management Framework (RMF) for DoD Information Technology (IT), 12 March 2014.
16. DoDI 8581.01, Cybersecurity for Space Systems Used by the DoD, in review 2018.
17. DoDM 5240.01, Procedures Governing the Conduct of DoD Intelligence Activities, 8 August 2016. [Defines U.S. Person and USPI.]
18. Principal Deputy Under Secretary of Defense for Acquisition, Technology, and Logistics, Memorandum, Document Streamlining—Program Protection Plan (PPP), 18 July 2011.
19. DASD/SE, DoD Risk, Issue, and Opportunity Management Guide for Defense Acquisition Programs, January 2017.
20. Defense Acquisition Guide (DAG), Chapter 3, Systems Engineering, current release.
21. DAG, Chapter 7, Intelligence Support and Acquisition, current release.
22. DAG, Chapter 9, Program Protection, current release.
23. Defense Standardization Program Office, SD-22, Diminishing Manufacturing Sources and Material Shortages, A Guidebook of Best Practices for Implementing a Robust DMSMS Management Program, January 2016.
24. JCIDS, Manual for the Joint Capabilities Integration and Development System (JCIDS), 12 February 2015, including errata as of 18 December 2015. [P. F-I-8, Appendix I, Item e. Threat Assessment item 2 c (2) (d).]
25. MIL-HDBK-1785, Systems Security Engineering Program Management Requirements, notice of validation for use in acquisition, 22 April 2014. [Reactivated from 1 August 1995.]
26. Risk Management Framework (RMF) guidance, located at https://rmfks.osd.mil.

TRUSTED SYSTEMS NETWORK GUIDANCE—DOD(CIO) WORKING GROUP

1. DASD/SE, Trusted Systems and Networks (TSN) Analysis, June 2014.
2. Trusted Systems and Networks (TSN) Information and Communications Technology (ICT) Risk Mitigation Guidebook (RMG), Version 2.0, February 2014.
3. DASD/SE, Suggested Language to Incorporate System Security Engineering for Trusted Systems and Networks (TSN) into Department of Defense Requests for Proposals, January 2014.

NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY

1. NIST SP800-30r1, Guide for Conducting Risk Assessments, September 2012.
2. NIST SP800-37r1, Risk Management Framework for Information Systems and Organizations, June 10, 2014. [Rev. 2 INITIAL DRAFT released May 2018.]
3. NIST SP800-39, Managing Information Security Risk: Organization, Mission, and Information System View, 1 March 2011.
4. NIST SP800-53r4, Security and Privacy Controls for Federal Information Systems and Organizations, April 2013.
5. NIST SP800-53r5, Initial Public Draft, Security and Privacy Controls for Federal Information Systems and Organizations, 15 August 2017.
6. NIST SP 800-137, Information Security Continuous Monitoring (ISCM) for Federal Information Systems and Organizations, September 2011.
7. NIST SP 800-60, Volume I, Guide for Mapping Types of Information and Types of Information Systems to Security Categories, August 2008.
8. NIST SP 800-60, Volume II, Appendices to Guide for Mapping Types of Information and Types of Information Systems to Security Categories, August 2008.
9. NIST SP800-160, Systems Security Engineering, November 2016.
10. NIST SP800-161, Supply Chain Risk Management Practices for Federal Information Systems and Organizations, April 2015.
11. NIST, Framework for Improving Critical Infrastructure Cybersecurity, version 1.1, Draft 2, 5 December 2017.
12. NIST Interagency Report (IR) 7622, Notional Supply Chain Risk Management Practices for Federal Information Systems, October 2012.

COMMITTEE ON NATIONAL SECURITY SYSTEMS

1. CNSSD 505, Supply Chain Risk Management, 26 July 2017.
2. CNSSI No. 1253, Security Categorization and Control Selection for National Security Systems, 27 March 2014.
3. CNSSI No. 1254, Risk Management Framework Documentation, Data Element Standards, and Reciprocity Process for National Security Systems, August 2016.
4. CNSSI No. 4009, Glossary, 6 April 2015.
5. CNSSP 22, Cybersecurity Risk Management, August 2016.

INTELLIGENCE COMMUNITY

1. Intelligence Community Directive (ICD) 731, Supply Chain Risk Management, 7 December 2013.
2. Intelligence Community Standard (ICS) 731, Supply Chain Criticality Assessments, 2 October 2015.
3. ICS 731-02, Supply Chain Threat Assessments, 17 May 2016.
4. ICS 731-03, Supply Chain Information Sharing, 29 June 2017.

High-performance electronics are key to the U.S. Air Force’s (USAF’s) ability to deliver lethal effects at the time and location of its choosing. These electronic systems must not only withstand the rigors of the battlefield but also perform the needed mission while under cyber and electronic warfare (EW) attack. This requires a high degree of assurance that they are both physically reliable and resistant to adversary actions throughout their life cycle, from design to sustainment.

In 2016, the National Academies of Sciences, Engineering, and Medicine convened a workshop titled Optimizing the Air Force Acquisition Strategy of Secure and Reliable Electronic Components, and released a summary of the workshop. This publication serves as a follow-on to provide recommendations to the USAF acquisition community.
