Estimated reading time: 6 minutes

The Fourth Pillar of Defense Acquisition: Cybersecurity

If you are a provider of PCBs and/or electronics manufacturing services to the Department of Defense (DoD) and their prime contractors, you have no doubt noticed a significant increase in the number of Defense Federal Acquisition Regulation Supplement (DFARS) flow-downs, scrutiny of your data management, audits of your cybersecurity processes, and inquiries into the status of your compliance with a variety of cybersecurity initiatives.

There has been a constant flow of reports and initiatives over the past two years that point directly to increased emphasis on cybersecurity by the DoD within the Defense Industrial Base Supply Chain. These reports all coalesce around further strengthening critical cybersecurity programs and initiatives within the DoD and provide the roadmap to compliance and elevating your organization to position for continued participation in the defense sectors of our industry.

We have clearly entered a paradigm shift, with cybersecurity now joining cost, schedule, and performance as the Fourth Pillar of Defense Acquisition.

Referencing the DoD “Deliver Uncompromised” pilot program mandated by the National Defense Appropriations Act (NDAA) and the associated MITRE Corporation study from August 2018 ^[1], the first course of action (COA) detailed is to elevate security as a primary metric in the DoD acquisition and sustainment process. The report states:

• It is vital to “Deliver Uncompromised” that security have equal status to cost, schedule, and performance

• The revision of DoD 5000.02 (Operation of the Defense Acquisition System) to make security the “Fourth Pillar” of acquisition planning—equal in emphasis to cost, schedule, and performance

• Utilize acquisition tools and contract leverage and reinforce the objective of “Deliver Uncompromised” through the use of positive and negative incentives

Encouragingly, there is also language in the report that recognizes there are hard costs associated with the DoD supply chain implementing the requisite cybersecurity measures, and several tax incentive measures are detailed for consideration, further analysis, and discussion to offset the costs.

The key takeaway is that all PCB fabricators and electronics manufacturing service providers providing electronics products to the defense sector need to immediately heighten awareness and proactively address cybersecurity if they desire to continue supporting the DoD and their prime contractors.

In terms of the actual gates in the evaluation process that all proffers to the DoD will soon be subjected to a “go, no-go” initial bid analysis that evaluates cybersecurity hardening as the first gate to pass through for offers to be considered before the long-standing DoD contracts analysis process evaluating quality, cost, schedule appears most logical to me.

In September 2018, the “Report to President Donald J. Trump by the Interagency Task Force in Fulfillment of Executive Order 13806” was released. Titled “Assessing and Strengthening the Manufacturing and Defense Industrial Base and Supply Chain Resiliency of the United States,” it is an in-depth and fascinating look at the defense industrial base including PCBs and circuit card assemblies for DoD systems ^[2].

In Section VI of the report, “Ten Risk Archetypes Threatening America’s Manufacturing and Industrial Base,” we find more compelling direction and comment that underscores the threat that cyber-related crime poses to our national security.

Quoting the report, “The defense manufacturing supply chain flows goods and critical supporting information through multiple organizations of varying size and sophistication to transform raw materials into components, subassemblies, and ultimately, finished products and systems that meet DoD performance specifications and requirements. These supply chains rely upon an infinite number of touch points where digital and physical information flows through multiple networks both within and across manufacturers systems. In today’s digitized world, every one of these supply chain touch points represents a potential product security risk.”

In addition to data breaches, it is also noteworthy to point out that The Department of Homeland Security (DHS) reported that the critical manufacturing sector reported the highest number of cyber attacks on industrial control systems of any critical infrastructure sector with numerous threats emerging that had the potential to cause major disruption in manufacturing operations.

With the publication of the 2018 National Defense Strategy ^[3], U.S. Secretary of Defense General Jim Mattis stated, “Challenges to the U.S. military advantage represent another shift in the global security environment. For decades, the United States has enjoyed uncontested or dominant superiority in every operating domain. We could generally deploy our forces when we wanted, assemble them where we wanted, and operate how we wanted. Today, every domain is contested—air, land, sea, space, and cyberspace.”

In June 2016 (and as amended August 2018), the U.S. Secretary of Defense established the Printed Circuit Board and Interconnect Technology Executive Agent (PrCB EA) via DoD Instruction 5101.18E ^[4] with an original National Academy charter to develop a competitive network of trusted suppliers. To this end—and in a collaborative effort between IPC, the PrCB Executive Agent (NSWC-Crane), DoD, and other government and industry partners—IPC-1791 was developed to complement and expand the integrity assurance offered by the Trusted Access Program Office (TAPO) for microelectronics to address integrity assurance vulnerabilities related to the design, fabrication, and assembly of printed boards with initial emphasis on defense requirements.

The IPC-1791 (August 2018) standard, “Trusted Electronic Designer, Fabricator and Assembler Requirements” provides minimum requirements, policies, and procedures for printed board design, fabrication, and assembly organizations and/or companies to become trusted sources for markets requiring high levels of confidence in the integrity of delivered products. These trusted sources shall ensure quality, supply chain risk management (SCRM), security, and chain of custody (ChoC).

Expect to hear a lot about the IPC-1791 standard at IPC APEX EXPO in San Diego (January 26–31). If your company is involved in support of military electronics manufacturing, I would highly encourage you to attend to learn more.

In closing, I have had the pleasure and honor to serve on both the National Defense Industrial Association (NDIA) Executive Order 13806 Electronics Working Group and the IPC Trusted Supplier Task Group over the past two years as many of these initiatives and standards have evolved. Serving with many others from the electronics industry, DoD, Commerce, and beyond, I have developed an incredible respect for all principals involved, and have witnessed first-hand their hard work, leadership, deep thinking, and unwavering dedication to providing a framework to protect our nation’s most sensitive defense information.

Electronics, and the associated electronic manufacturing supply chain, are key components of all military systems. As such, our industry has a responsibility to both embrace and solve for the challenges associated with secure management of the vast amount of sensitive technical data that flows through our organizations’ networks and within our supply chains.

Our nation’s security depends on the electronics industry performing at a high-level regarding cybersecurity, and there is compelling evidence to suggest that the ability of your company to continue to support DoD electronics manufacturing also depends upon it.

References

1. Nissen, C., Gronager, J., Metzer, R., & Rishikof, H. “Deliver Uncompromised: A Strategy for Supply Chain Security and Resilience in Response to the Changing Character of War.” MITRE Corporation, August 2018.

2. Office of the Under Secretary of Defense for Acquisition and Sustainment, and the Office of the Deputy Assistant Secretary of Defense for Industrial Policy. “Assessing and Strengthening the Manufacturing and Defense Industrial Base and Supply Chain Resiliency of the United States: Report to President Donald J. Trump by the Interagency Task Force in Fulfillment of Executive Order 13806.” September 2018.

3. United States Department of Defense. “Summary of the 2018 National Defense Strategy of the United States of America: Sharpening the American Military’s Competitive Edge.” 2018.

4. Office of the Under Secretary of Defense for Acquisition and Sustainment. “DoD Directive 5101.18E: DoD Executive Agent for Printed Circuit Board and Interconnect Technology.” June 12, 2016.