It’s no secret that cybersecurity attacks are an increasingly common threat to supply chains, both commercial and agency-related. Notable instances are in the news on a weekly basis, such as the recent Anthem breach and CENTCOM’s social media hack. But supply chain threats go beyond cyber attacks, encroaching upon all levels of critical infrastructure. As these types of threats become more widespread, Supply Chain Risk Management (SCRM) strategies must also adapt to function as strong countermeasures.
The Department of Energy has emerged as an agency leading the effort toward a broad, comprehensive approach to SCRM. Don Adcock, as the Acting Chief Information Officer with the Department of Energy, recently detailed the agency’s existing program in an official blog.
“The Enterprise Supply Chain Risk Management (eSCRM) Program provides the Department with a robust toolset of defense-in-breadth and defense-in-depth enterprise capabilities,” he wrote.
Energy established the program as it exists now in 2012. The agency had other pockets of SCRM support prior to that time, but no enterprise-level program.
Adcock described the shifting nature of SCRM, saying that it has matured from looking at components of the supply chain itself to a broader understanding of the global nature of the supply chain.
“At Energy, we have really developed a robust holistic program that not only has been very well-received across the federal space, but we are someone you can benchmark yourself against. We are a model program for others (agencies) to follow,” he said.
Adcock discussed the program as a way to assess the overall health of a company, envisioning eSCRM as a sort of insurance policy. Even with a broad program that aims to serve as a preventative measure against threats, Adcock emphasized the need to stay vigilant.
“There are always going to be people who try to disrupt the supply chain, interrupt the chain. There are always going to be people who try to attack. I don’t think we’re ever going to be 100 percent safe.”
The ongoing nature of supply chain threats, whether they be cyber attacks or counterfeit parts, underscores the need for an evolving SCRM strategy.
Mr. Adcock’s blog on the eSCRM program can be read, in full, below.
Feb. 12, 2015
By Don Adcock, Acting Chief Information Officer
Cybersecurity attacks disrupt, destroy, and compromise components across manufacturing supply chains and create risks that transcend agencies, departments, and organizations. Cyber risk is especially acute in critical infrastructure, where there is increasing reliance on information communication technology (ICT) components and systems. Historically, supply chain risk management (SCRM) efforts focused on security, resiliency, and logistics; however, the emergence of cybersecurity risk within the Nation’s supply chain requires an augmented SCRM approach that focuses on product integrity.
The Enterprise Supply Chain Risk Management (eSCRM) Program provides the Department with a robust toolset of defense-in-breadth and defense-in-depth enterprise capabilities. The Program includes Agency-specific SCRM policies and procedures delivered through a Supply Chain Risk Management-Resource Center (SCRM-RC), which institutionalize SCRM practices, reduce costs, build trust into systems, and provide essential services. The SCRM-RC is a centralized Focal Point that directly supports supply chain risk-based decisions executed by undersecretarial organizations and PMs. Specifically, the SCRM-RC is a prevention, detection, and reporting mechanism that promotes product integrity through:
- SCRM SMEs;
- Training, Outreach, and Awareness;
- Supply Chain Risk Modeling;
- Incident Management Support;
- Program administration; and
- Metrics and Key Performance Indicators.
SCRM-RC outputs are unique to each capability offering and include high-level SCRM advice, detailed supply chain risk assessments, as well as subject matter expertise, in support of criticality and prioritization analysis. The eSCRM Program services are accessible via the Enterprise SCRM mailbox at: enterpriseSCRM@hq.doe.gov.