The Center for Education and Research in Information Assurance and Security (CERIAS)

The Center for Education and Research in
Information Assurance and Security (CERIAS)

Randall Brooks - Raytheon

Students: Spring 2023, unless noted otherwise, sessions will be virtual on Zoom.

Adding a Software Assurance Dimension to Supply Chain Practices

Mar 21, 2012

Download: Video Icon MP4 Video Size: 535.2MB  
Watch on Youtube Watch on YouTube


There is a long history of supply chain management, from which many related policies, practices, processes, and enabling artifacts have been developed and employed by those business enterprises that acquire hardware and software components from a third party. Traditionally, Supply Chain Risk Management (SCRM) has been the focal point of supply chain practices and has focused on business and contractual issues, although recent efforts have increasingly included engineering expertise for product quality evaluations.

This presentation advocates the introduction of a security assurance dimension to the SCRM process. It does not, however, propose the addition of an independent, parallel track of SCRM process for security assurance evaluation, but rather practical steps for augmenting those SCRM processes that already exist.

Just as is the case in legacy SCRM, the cyber dimension of SCRM is based on assessing and balancing risk vs. cost. The goal is to minimize the added costs associated with improved information assurance by efficiently incorporating relevant practices industry, government, and academia to provide a security assurance dimension into the supply chain process.

SCRM-relevant industry and government practices will be presented in this paper in such a way that supply chain staff can easily make use of them, even without a background in information security. Also, it will be clearly noted when subcontract management, information assurance engineering, or other business or technical expertise may be needed to complement traditional supply chain activities in the pursuit of cyber-based SCRM.
Points of discussion common to both hardware and to software component acquisition will include:

1. Acquirer business risk
2. End customer mission criticality and mission assurance
3. Subcontract management
4. Supplier secure development assessment
5. Supplier management practices for their suppliers
6. Supplier business assessment
7. Product assessment

Points of discussion peculiar to hardware component acquisition will include:
1. Quality vs. counterfeiting vs. malicious alteration
2. ASICS, FPGAs, and microprocessors
3. Information storage in volatile memory
4. Information storage in non-volatile memory and permanent disk storage

Points of discussion peculiar to software component acquisition will include:
1. COTS, contracted software, open source, and freeware
2. Software pedigree and provenance
3. License management of open source

About the Speaker

Mr. Brooks, a twelve year Raytheon employee, is an Engineering Fellow in the Cyber Defense Solutions business area in Largo, FL. He is a recipient of the Raytheon Excellence in Technology Meritorious and Distinguished Awards. He has developed and submitted 4 patents on Intrusion Detection and Prevention design and implementation with 3 Patents awarded. He is also a Certified Secure Software Lifecycle Professional (CSSLP), Certified Information Systems Security Professional (CISSP), Information Systems Security Engineering Professional (ISSEP), Information Systems Security Architecture Professional (ISSAP), and an Information Systems Security Management Professional (ISSMP). He is a graduate of Purdue University with a Bachelors of Science from the School of Computer Science.

Ways to Watch


Watch Now!

Over 500 videos of our weekly seminar and symposia keynotes are available on our YouTube Channel. Also check out Spaf's YouTube Channel. Subscribe today!