Securing any supply chain is a complex, evolving, and cyclical set of exercises, often complete with much trial and error. While achieving a 100 percent secure supply chain may never be a realistic goal, it is very realistic and very possible to greatly reduce the risk your supply chain faces. Part of effective risk reduction includes understanding your risk tolerance. An important step in developing an accurate risk tolerance picture is to incorporate the practice of criticality analysis early into your agency’s SCRM cycle, as well as follow-through criticality analysis throughout the acquisition and product lifecycle. The U.S. Department of Defense (DoD) defines criticality analysis as the primary method by which mission-critical functions and components are identified and prioritized. It is an end-to-end functional decomposition of the system which involves:
- Identifying and prioritizing system mission threads;
- Decomposing the mission threads into their mission-critical functions; and
- Identifying the system components (hardware, software, and firmware) that implement those functions; i.e., components that are critical to the mission effectiveness of the system or an interfaced network.
Sending the Adversary Packing
While the process described is defined by DoD, criticality analysis is a highly effective tool when utilized in both government and commercial sectors with the overarching goal to protect one’s supply chain by simply making the adversary’s job more difficult. Generally speaking, adversarial activity will gravitate towards the path of least resistance. Criticality analysis leads to greater protection of your most valuable mission assets, which in turn makes those assets a more difficult target for the adversary. The adversary thrives on successfully achieving their goals. Criticality analysis and greater protection of your critical assets can go a long way in dissuading the adversary from persistent threat on those assets. Important to note: your most critical asset is integral to the continuation of operations versus simply where you spend the most money.
Key Points in Kick Starting Criticality Analysis in Your SCRM Program
Implement Criticality Analysis in the Design Process for Greatest Impact
Criticality analysis should begin with the system engineering and design process. While criticality analysis can be effective at any point in the acquisition and product lifecycle, there is a far greater chance of avoidance of mission failure and cost reduction when implemented initially in the earliest of stages.
Establish Follow-Thru Criticality Analysis Throughout the Acquisition/Product Lifecycle For Continued Mission Assurance
Criticality analysis doesn’t stop once the product or component has been purchased and put into use. This is a particularly important point in parts deemed critical to mission success. Reoccurring criticality analysis reviews throughout the lifecycle provide the benefit of:
- possible upgrade or downgrade of level of criticality based on new or changing mission objectives,
- the opportunity to re-survey new surrounding components that may have been introduced into the mission after the initial purchase of the item being analyzed,
- opportunities to identify successes and failures throughout the lifecycle, and document in a historical criticality analysis catalog for future acquisitions and design process.
Understand Neighboring Components Criticality Analysis and Cross-Cutting Mission Criticality Analysis
Developing a criticality analysis library will assist in mapping out the criticality of your overall project. The task of mapping out criticality can provide a cross-cutting view of how SCRM decisions affect other projects. Additionally, a criticality analysis library can assist in the actual design process by helping engineers understand if there are risks posed by other components or mission equipment that may ultimately cause the failure of the component or equipment being analyzed.
Given the constraints on the government budget and investor pressures on public companies to produce profits, it is important to know how to best allocate limited resources and keep the adversaries out. We cannot protect everything – we must determine what is the most important to focus on and the level of rigor that should be applied. This is not necessarily tied to the amount of money spent on the effort; moreover, the criticality is focused on the biggest impact to continuing operations should the operations be interrupted. For this reason, criticality analysis is the first step in a good approach to supply chain risk management.