Discussion of Selected Topics from the Restricted Report
Pages 8-47



From page 8...
... focuses on five principal missions that are dependent on access to secure and reliable microelectronic components.
From page 9...
... And, it does so in all weather conditions. Electronics are a major contributor to the net increase of 50,000 in targets per sortie from World War II to Operation Iraqi Freedom."2
THREATS TO THE SUPPLY CHAIN OF MICROELECTRONICS IN USAF WEAPON SYSTEMS
Microelectronics components used in USAF weapons are an obvious target for malicious acts, especially when they are readily identified in program protection plans (PPPs)
From page 10...
... However, third-party purchasers of ICs are rarely provisioned with the proper equipment to detect malicious or fraudulent circuits and often not trained enough to use such equipment to perform the more complicated inspection protocols.7 The intelligence community traditionally focuses on the adversary, assessing the presence and likelihood of a threat to U.S. national security.
From page 11...
... In the intelligence community, where protection of U.S. supply chains is concerned, the presence of a vulnerability does not necessarily introduce a threat, just the potential for one, just as the discovery of a threat may not indicate a high level of risk.
From page 12...
... Each Military Department is directed to support the JFAC by:
• Providing SwA and HwA capabilities and resources, and support for the JFAC and management construct;
• Assisting in the formulation of JFAC operational requirements;
• Developing R&D budget requirements in coordination with the JFAC;
• Nominating SwA and HwA capabilities and sustain inventory;
• Developing a communication plan to manage interactions between the JFAC support staff, members, and program offices; and
• Providing SwA and HwA capabilities to DoD programs and interact with program offices in accordance with each DoD components' communication plan.
Furthermore, each service maintains a Damage Assessment Management Office (DAMO)
From page 13...
... , the new Supplier Assessment Working Group, and the USAF Supply Chain Risk Management Working Group, all headed by SAF/AQD. The USAF SCRM Campaign Plan in review includes 11 levels of effort (LOEs)
From page 14...
... Supply Chain Risk Management (SCRM) Campaign Plan are as follows:
LOE 1: Codify SCRM Governance
LOE 2: Develop Common Analytic Tools
LOE 3: Develop Risk Profiles
LOE 4: Develop SCRM Education, Training, and Awareness
LOE 5: Establish Intel Informed Processes
LOE 6: Periodic Review of Software and Services
LOE 7: Interagency Coordination
LOE 8: Synchronize Policies
LOE 9: Enhance Contract Language
LOE 10: Identify Critical Assets
LOE 11: Establish Standardized Metrics
community -- AFOSI,9 SAF/AA,10 SAF/AQ,11 SAF/CIO/A6,12 SAF/IA,13 AF/A2,14 AF/A4,15 AFMC,16 AFSPC,17 and other Major Commands (MAJCOMs)
From page 15...
... 22  DoD, 2017, Report of the Defense Science Board Task Force on Cyber Supply Chain, Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics, Washington, DC, February.
From page 16...
... Synek, 2018, "Malware Strikes Semiconductor Manufacturer TSMC Causing Assembly Line Shut Down," TECHSPOT, August 4, https://www.techspot.com/news/75817-malware-strikes-semiconductor-manufacturer-tsmc-causing-assembly-line.html.
From page 17...
... and Oversight to Reduce Supply Chain Risk."g 2016 Congressional Research Service (CRS), Overview of industry; limited applicability to "U.S.
From page 18...
... House of Representatives Committee on Armed Services Subcommittee on Oversight and Investigations," October 28, 2015, http://docs.house.gov/meetings/AS/AS06/20151028/104057/HHRG-114-AS06-Wstate-BaldwinK-20151028.pdf. g GAO, Counterfeit Parts: DoD Needs to Improve Reporting and Oversight to Reduce Supply Chain Risk, Washington, DC, p.
From page 19...
... Senate, Washington, DC, October. 28  DoD, 2017, Report of the Defense Science Board Task Force on Cyber Supply Chain, Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics, Washington, DC, February.
From page 20...
... that are intended to create a culture within the USAF acquisition community that understands that cyber resiliency is critical for mission assurance. Unfortunately, this plan lacks the LOAs intended to emphasize protection of program information -- for example, LOE 4: Develop SCRM Education, Training, and Awareness; LOE 6: Periodic Review of Software and Services; or LOE 9: Enhance Contract Language, which are part of the sustainment SCRM Campaign Plan highlighted earlier.
From page 21...
... ICD 731 specifically notes the importance of participation from subject matter experts outside the intelligence community, including acquisition, program offices, and other relevant functions to encompass a clear understanding of all stages of the defense supply chain. The directive also calls for the integration of security measures at all points in the supply chain where foreign intelligence entities could penetrate or compromise the process, requiring the establishment of a formal community to address SCRM matters.32 It is important to understand the nature of vulnerabilities that pose threats to the weapon system as a function of the particular stage in the supply chain life cycle.
From page 22...
... Effective implementation of the sustainment SCRM Campaign Plan highlighted earlier in this report could mitigate this gap. The predominance of supply chain vulnerabilities after the fielding of a weapon system occur as operations conducted in cyberspace.
From page 23...
... This acquisition practice could introduce considerable vulnerabilities during operation of the weapon system, as software and firmware updates are routinely provided by maintenance staff over unclassified networks.33 An increased emphasis on risk-based analysis in the supply chain of the sustainment community reveals a growing concern over counterfeits as carriers for a malicious cyber threat. A 2012 Senate Armed Services inquiry found overwhelming evidence that companies in China are the primary source of counterfeit electronic parts in the defense supply chain.34 Figure 5 illustrates the increased threat to legacy systems for counterfeit parts.
From page 24...
... (GIDEP) was identified as insufficient throughout DoD and industry partners by the Senate Armed Services Committee.
From page 25...
... This creates a target of opportunity for adversaries to introduce counterfeit or tainted parts during the maintenance and sustainment phase of the supply chain.
MAINTENANCE AND SUSTAINMENT CONSIDERATIONS
Expanding Threat Vectors over the Next 5 Years
Understanding the threats facing USAF weapons systems over the next 5 years and beyond requires a very detailed understanding of the vulnerabilities of the components within the system.
From page 26...
... Senate, 2012, Inquiry into Counterfeit Electronic Parts in the Department of Defense Supply Chain, Report 112-167, Report of the Committee on Armed Services, Washington, DC, May 21. 40  Semiconductor Engineering, 2018, "Security Gap Grows," July 9, https://semiengineering.com/security-gap-grows/.
From page 27...
... Eisenhower School for National Security and Resource Strategy; National Defense University, Fort McNair, Washington, DC. 46  DoD, 2017, Report of the Defense Science Board Task Force on Cyber Supply Chain, Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics, Washington, DC, February.
From page 28...
... Understanding the complexity and dynamism of the microelectronic supply chain requires systems-level expertise as well as subject matter experts from the microelectronics community, which is often beyond the capabilities resident in individual USAF program offices. Within the USAF, this important function appears to be addressed episodically and is disconnected and highly dependent on the individual efforts of staff within each program office.
From page 29...
... ; (2) protection of critical design information; and (3)
From page 30...
... that describe the layout and functionality of the electronic part. It is in the design phase when microelectronics are in their easiest-to-understand form.
From page 31...
... Release of design information to adversaries who can at leisure study the design for inherent vulnerabilities to aid in subsequent attack vectors is a realistic threat.
Fabrication Concerns
This issue was brought to the forefront a few years ago by the sale of IBM's microelectronic fabrication divisions in East Fishkill, New York, and Essex Junction, Vermont, that performed secure fabrication of semiconductor parts for the U.S.
From page 32...
... -- the world's largest pure-play foundry, with 56 percent market share in 2017 -- to build 51  TRUST = Trusted Integrated Circuits; TIC = Trusted Integrated Chips; IRIS = Integrity and Reliability of Integrated Circuits. 52  The split fab model is where the front-end transistors are fabricated in an untrusted fabrication facility and the back-end wiring levels (which ultimately define the IC's function)
From page 33...
... DARPA has a long history of technology programs that have developed advanced packaging approaches for the high-density heterogeneous integration of electronics parts.
From page 34...
... The Department's mechanisms for tracking inventory obsolescence and vulnerabilities in microelectronic parts are inadequate" (U.S. Department of Defense, 2017, Report of the Defense Science Board Task Force on Cyber Supply Chain, Office of the Under Secretary of Defense for Acquisition, Technology, and Logistics, Washington, DC, April)
From page 35...
... Many of the current challenges facing the USAF acquisition community result from attempts to absorb uncontrolled complex technical and geo-economic advancements that are diametrically opposed to DoD and USAF basic requirements for system assurance into the current management structure of USAF programs. Assigning intelligence community threat assessment methodologies, along with concurrent development of vulnerability assessment and risk mitigation tools in the rapidly emerging technology landscape, to USAF program staff trained in traditional oversight focused roles and processes in the expectation that the workforce will recognize, self-organize, and adopt appropriate behaviors has proven unsuccessful.
From page 36...
... However, the imposition of SCRM processes potentially introduces schedule delays and cost increases that are viewed as immediate risks to mission success. Based on an informal survey of six USAF program offices conducted during the early stages of this study, there is little doubt that USAF program offices are striving to be diligent in implementing an effective SCRM program.
From page 37...
... Importantly, all of the programs reported that they did not have the necessary people with the appropriate expertise to ensure trust in the supply chain of their components. USAF program offices are facing an overwhelming list of policies and guidance.
From page 38...
... Because SCRM is primarily concerned with the "integrity" component of the security objectives triad of "confidentiality-integrity-availability," assurances that the integrity of mission-critical components is unchallenged as they travel through a global supply chain are not something that the program offices are equipped to validate. Current DoD policy specifies that all-source intelligence be used by program offices in making supply chain risk decisions.
From page 39...
... Moreover, the uncertainties in long-term funding needed to implement MINSEC could significantly limit the effectiveness of the strategy. However, even if MINSEC is fully successful, the USAF will still need to establish its own in-house competence in SCRM to ensure end-to-end control of microelectronic components used in USAF systems, especially in the sustainment phase of the acquisition life cycle.
From page 40...
... Most recently, the 2017 Defense Science Board (DSB) Cyber Supply Chain study noted, "Program management offices are responsible for creating Program Protection Plans.
From page 41...
... supply chains; develop standards for supply chain threat assessments to ensure analytic rigor; and promulgate rules of engagement for information sharing across government and industry partners supporting U.S. supply chains.
From page 42...
... The framework, as described up to this point, does not change based on a particular stage of the supply chain life cycle. The life cycle itself becomes a significant factor when an adversary's capabilities are applied.
From page 43...
... A threat assessment uses the latest available information to determine if there is specific and credible evidence that an acquisition item might be targeted by Foreign Intelligence Entities (FIEs) or other adversaries."66 The intelligence community SCRM model is displayed as a flow of analytic processes illustrated in Figure 11.67 Unlike the SCRM process described above, the USAF acquisition community does not have the same level of oversight as the program offices.
From page 44...
... As described by the intelligence community SCRM model, an enterprise approach implemented across all USAF weapon program offices would provide a more effective mechanism for defining mission-critical risk assessments and would enable a more holistic approach to developing impact analyses to inform both modernization investment needs and workforce training requirements. The key to this approach is a robust threat assessment component informed by subject matter expertise.
From page 45...
... Processes commercial chip makers use to ameliorate supply chain risk can offer examples of best practices that can guide USAF procurement of microelectronic components. One major fabless producer outlined for the committee an overview of its approach to supply chain risk management.
From page 46...
... This practice of advertising recent buys of microelectronic components is a very poor OPSEC practice and puts critical USAF electronics information at risk. As an example, a couple of years ago Lockheed Martin was awarded a DoD contract modification of over $104 million to procure and deliver over 80,000 Xilinx FPGAs required for building Joint Strike Fighter (F-35)
From page 47...
... Other reports have documented the reality that program offices lack visibility into the complex supply chain of the microelectronic components used in the weapon systems. This report also finds this to be the case for the USAF.


This material may be derived from roughly machine-read images, and so is provided only to facilitate research.