BEST PRACTICES IN CYBER SUPPLY CHAIN RISK MANAGEMENT

Similar documents
Operation IMPACT (Injured Military Pursuing Assisted Career Transition)

JOB ANNOUNCEMENT. Chief Security Officer, Cheniere Energy, Inc.

How To Become A Northrop Grumman Supplier

Northrop Grumman Corporation

Software Quality Subcontractor Survey Questionnaire INSTRUCTIONS FOR PURCHASE ORDER ATTACHMENT Q-201

Implementation of the DoD Management Control Program for Navy Acquisition Category II and III Programs (D )

How To Do Business With Northrop Grumman

Northrop Grumman ecatalog/purchasing Card Supplier Enablement Guide Global Procurement Services

How DCMA Helps To Ensure Good Measurements

SAIC Corporate and Small Business Introduction

NDIA Program Management

Security Architecture: From Start to Sustainment. Tim Owen, Chief Engineer SMS DGI Cyber Security Conference June 2013

UNITED STATES DEPARTMENT OF EDUCATION OFFICE OF INSPECTOR GENERAL

BEST PRACTICES IN CYBER SUPPLY CHAIN RISK MANAGEMENT

Civil Aviation and CyberSecurity Dr. Daniel P. Johnson Honeywell Aerospace Advanced Technology

Cyber Supply Chain Risk Management Portal

Rapheal Holder From Platform to Service in the Network Centric Value Chain October 23, Internal Information Services

F-35 Joint Strike Fighter Autonomic Logistics Supply Chain

CIP Supply Chain Risk Management (RM ) Statement of Jacob S. Olcott Vice President, BitSight Technologies January 28, 2016

Department of Defense DIRECTIVE

Army Regulation Product Assurance. Army Quality Program. Headquarters Department of the Army Washington, DC 25 February 2014 UNCLASSIFIED

Camber Quality Assurance (QA) Approach

OFFICE OF THE SECRETARY OF DEFENSE 1700 DEFENSE PENTAGON WASHINGTON, DC

ICAO Procurement Process Briefing

IT-CNP, Inc. Capability Statement

2015 Program Excellence Award

1.1 Identification This is the Subcontractor Management Plan, document number XYZ035, for the SYSTEM Z project.

PatchPlus Consulting, Inc. A Woman and Service Disabled Veteran-Owned Small Business

The rise of third party relationships means rise in risk and regulation. Non-compliance is risky business for financial institutions

FREQUENTLY ASKED QUESTIONS

Position Descriptions. Aerospace

Best Practices for the Acquisition of COTS-Based Software Systems (CBSS): Experiences from the Space Systems Domain

BETTER BUYING POWER 2.0 INITIATIVES DESCRIPTIONS

Implementing Program Protection and Cybersecurity

Federal Bureau of Investigation s Integrity and Compliance Program

Enterprise Capabilities Descriptions

CUSTOMER KEYNOTE Hal Buddenbohm

Department of Defense INSTRUCTION

AEROSPACE QUALITY MANAGEMENT SYSTEM

Managing the Supply Chain Using the Malcolm Baldrige Model

R000. Revision Summary Revision Number Date Description of Revisions R000 Feb. 18, 2011 Initial issue of the document.

Suggested Language to Incorporate System Security Engineering for Trusted Systems and Networks into Department of Defense Requests for Proposals

2016 CORPORATE BRIEF ProSol Overview & Core Capabilities

The Software Supply Chain Integrity Framework. Defining Risks and Responsibilities for Securing Software in the Global Supply Chain.

Vindicator Security Solutions. Security for Mission-Critical Applications

CYBERSECURITY CHALLENGES FOR DOD ACQUISITION PROGRAMS. Steve Mills DAU-South

STATEMENT BY DAVID DEVRIES PRINCIPAL DEPUTY DEPARTMENT OF DEFENSE CHIEF INFORMATION OFFICER BEFORE THE

Bringing Control to Global Supply Management Business Process Management (BPM) and Advanced Project Management Practices

QUALITY MANAGEMENT SYSTEM FOR THE AEROSPACE INDUSTRY

UNCLASSIFIED. UNCLASSIFIED Office of Secretary Of Defense Page 1 of 9 R-1 Line #139

Services we provide. Tel:

1.040 Project Management

Addendum 529 (5/13) Page 1 of 5

QUALITY MANAGEMENT SYSTEM REVIEW AND APPROVAL TEMPLATE (DOE G A, Appendix A, )

SAIC HBCU/MSI Overview

Streamline your staffing process with a vendor management system that fits your business

Cybersecurity Delivering Confidence in the Cyber Domain

Legislative Language

THE UNDER SECRETARY OF DEFENSE 3010 DEFENSE PENTAGON WASHINGTON, DC

Adding a Security Assurance Dimension to Supply Chain Practices

Knowledge is power in supply chain management

GE Oil & Gas. Quality at. GE Oil & Gas. GE imagination at work QUALITY

age e Keith Glennan VP & CTO Northrop Grumman keith.glennan@ngc.com

SENTINEL AUDIT V: STATUS OF

ODIG-AUD (ATTN: Audit Suggestions) Department of Defense Inspector General 400 Army Navy Drive (Room 801) Arlington, VA

Quality Assurance Program Plan. July U.S. Department of Energy Office of Legacy Management

Achieving Desired Results with Less: Supply Chain Management. Vincent Feck, Colonel, USAF Commander DCMA Lockheed Martin Fort Worth

REPORT ON INDEPENDENT EVALUATION AND ASSESSMENT OF INTERNAL CONTROL FOR CONTRACT OVERSIGHT

CHAPTER TEN. Quality Assurance and Quality Control MAINE RIGHT OF WAY MANUAL

Cybersecurity Throughout DoD Acquisition

System Security Engineering

SAN DIEGO S DEFENSE INDUSTRY AT A GLANCE

Statement of Danny Harris, Ph.D. Chief Information Officer U.S. Department of Education

Overview of SAE s AS6500 Manufacturing Management Program. David Karr Technical Advisor for Mfg/QA AFLCMC/EZSM david.karr@us.af.

Executive Summary. Cybersecurity cannot be completely solved, and will remain a risk we must actively manage.

Labor Category For MOBIS SIN 874-1:

The Systems Security Engineering Capability Maturity Model (SSE-CMM)

Consultancy Services Proposal

Management of the Supply Chain: Excipients & APIs. Janeen Skutnik Wilkinson Director, Quality Strategy Pfizer

PROPOSAL XXX INFRASTRUCTURE MIGRATION PROJECT (RFP 20XX.XX.XX)

OASIS One Acquisition Solution for Integrated Services

SOLUTION BRIEF: CA CLARITY GRANTS MANAGER. CA Clarity Grants Manager

Software: Driving Innovation for Engineered Products. Page

TechNet Land Forces South Small Business Opportunities. Carey Webster Director, Federal Information Solutions Deltek

Military Engines. Pratt & Whitney. Aftermarket Services

UNITED STATES AIR FORCE. Air Force Product Support Enterprise Vision

Transcription:

BEST PRACTICES IN CYBER SUPPLY CHAIN RISK MANAGEMENT Northrop Grumman Corporation Trusted, Innovative, World-Class Supply Chain INTERVIEWS Kevin Engfer Director, Supplier Mission Assurance, Northrop Grumman Information Systems Michael Ozmun Information Security (Enterprise Shared Services)

The Next New Things in Risk Management Supply Chain Leadership Council coordinates best practices and information sharing across the company. Supplier Assessment Management System (SAMS) provides objective measurement criteria for supplier performance in eight major categories. Supplier cybersecurity questionnaires identify areas where mentoring and additional training is required and Northrop Grumman Corporation provides guidance to its suppliers. Company Overview A producer of aerospace and defense technology, Northrop Grumman Corporation (NGC) is the fifth largest defense contractor in the world, and in the top 100 of Fortune 500 companies in the United States. NGC is a federated company; each of its four sectors is run by a sector president and each sector is responsible for its own profit and loss. The four sectors include: Aerospace/Aircrafts: provides manned and unmanned aircraft systems, space systems, and advanced technologies. Customers include NASA, the Department of Defense and commercial providers. Electronic Systems: provides airborne radar, navigation systems, electronic countermeasures, precision weapons, airspace management systems, space payloads, marine and naval systems, communications systems, and government system. It includes legacy businesses from the Westinghouse acquisition. Technical Services: provides life-cycle solutions and long-term services for global customers. Key capabilities include platform sustainment and modernization, advanced training solutions, hightechnology engineering services, and operationally responsive systems. Information Systems: provides advanced information solutions for defense, intelligence, civil agency, and commercial customers, including cybersecurity solutions; command and control systems; network communications solutions; and intelligence, surveillance, and reconnaissance systems. Customers range from federal and state governments to commercial providers in the aerospace industry. 2

Spanning all four of these sectors are two distinct supply chains: Non-deliverable products for internal use which is managed centrally, and Deliverable products for customer use which are managed by the sector. NGC s vision is to be the most trusted, world-class, innovative supply-chain organization that delivers value to our customers through integration of highly skilled people, suppliers, processes, tools, and communications. 1 Figure 1. Supply Chain Leader Council (SCLC) Deliverable Supply Chains Aerospace / Aircraft Sector Technical Services Sector Electronic Systems Sector Information Services Sector Non-Deliverable Supply Chain Enterprise Shared Services Organizational Approach to Supply Chain Risk Management What is different about NGC compared to many other high tech companies is that its business is program based, rather than product based. Program requirements in each sector are defined by the customer and sector programs typically have unique supply chain requirements and suppliers. The kinds of suppliers and supply chain requirements for a B-2 bomber program, for example, will be quite different than those required for an information system. In addition to the four commercial sectors, NGC has a fifth corporate structure called Enterprise Shared Services (ESS). This organization drives common policies, procedures, processes and systems throughout the corporation for supply chain and other internal support services including IT infrastructure and cybersecurity, as well as human resources, legal and accounting. The ESS group directly manages the supply chain for non-deliverable purchases. 1 http://crreport.northropgrumman.com/ 3

The President of ESS is NGC s lead executive for Supply Chain. ESS coordinates the Supply Chain Leadership Council (SCLC), which develops basic policy and process guidelines for company-wide supply chain management from materials control and management to purchasing and transportation to assure consistency of practice and information sharing across the sectors. The SCLC is comprised of a small ESS team responsible for strategy and policy and each sector head of supply chain, generally a vice president. This cross-company management structure has been in place for many years at NGC. The management and oversight of supply chains and the hands-on risk management occurs at the sector and program level. According to Kevin Engfer, risk management tends to be a team sport through the product and program life cycle. At the program level, there are cross-functional subcontractor management teams that oversee all aspects of supplier performance. These teams bring together supply chain mission assurance, quality assurance, engineering or a technical specialist. Other members may be added as needed, such as a cyberengineering or import-export controls experts. Major subsystems typically have their own subcontractor management teams. Figure 2. Myriad Disciplines Required for Assurance Global Product Data Interoperability Summit, 2013 4

Business Case for Supply Chain Risk Management (SCRM) NGC has a long tradition of SCRM driven primarily by the nature of its business, types of products it develops, kinds of suppliers it uses, and its unique customer contract issues. It is critical for NGC to maintain its ability to deliver in an execution-based business environment. And, of course, it goes without saying that minimizing quality and security concerns is paramount when working to secure the nation s defense. Guiding Principles of SCRM First, the NGC supply chains tend to be oriented around the program life cycle. There are some types of requirements that are associated with development; others with manufacturing or services and support. Second, NGC manages supply chain related risk on a risk-basis, and these risks change with time. Technical risks, given the complexity of the systems and products, have always been top of mind. But, there are emerging risks that are bubbling to the top: cyber risks or, for products with long development cycles, supply chain continuity risks. Counterfeit risks are also a top-of-mind concern. Supplier Risk Management Systems Given the size and scope of NGC s business, suppliers play a key role in their success. In 2013 alone, the company spent more than $8 billion dollars with approximately 9,500 suppliers. 2 To measure supplier performance, NGC developed an internal web-based tool called Supplier Assessment Management Systems (SAMS). SAMS assessments provide an objective data relative to the supplier s technical, quality (mission assurance), cost, schedule, management, proposal, supply chain management and customer satisfaction performance. Ratings are based on a color scale of red (unsatisfactory), yellow (marginal), green (satisfactory) or blue (excellent). 2 http://crreport.northropgrumman.com/ 5

Figure 3. Supplier Assessment Management System (SAMS): 8 Categories of Assessment Management Responsiveness Program Management Risk/Opportunity Management Expert Staffing Proposal Team Commitment Proposal Strategy Proposal Adequacy and Negotiation Technical Product Performance Systems Engineering Software Engineering Logistics & Sustainment Part Materials & Processes Service Level Performance Cost Cost Financial Health Schedule Mission Assurance & Quality Quality Process Effectiveness Supply Chain Management Customer Satisfaction Criteria for Excellent Rating The SAMS Framework defines criteria against which a score is derived for each assessment area. The criteria for an excellent rating include: 1. Program Management: Consistently proactive and cooperative leadership; appropriate resources, tools and infrastructure available to support program requirements; risks and opportunity processes and procedures well integrated, captured, tracked and communicated; and availability of expert staffing. 2. Technical: Key performance parameters or systems attributes exceed design requirements; timely and accurate design, analysis, coding, verification and documentation for systems and software; detailed plan to support all elements. 6

3. Cost: Strong evidence of cost management; timely, accurate and complete invoicing; and strong financial health rating. 4. Schedule: Clearly measurable events and criteria for successful completion and with a time buffer. 5. Proposal: Management commitment demonstrated at all levels; creative and innovative solutions; proposal complete, on time and RFP compliant at affordable price; and acceptance of contract T&Cs. 6. Supply Chain Management: Robust sub-tier selection and qualifications NGC provided full visibility to lower tiers; fully engaged supply chain organizations with supplier management tools, resources/processes, surge capability and risk mitigation/opportunity capture systems in place. 7. Mission Assurance/Quality: Consistent, accurate and complete submittal of deliverables; consistently meet quality requirements; effective quality management systems with capability to detect quality issues early. 8. Customer Satisfaction: High degree of satisfaction with subcontract performance in terms of product quality and cost. The SAMS tool is used to assess performance and evaluate risk from the programs all the way up to the corporate level. It covers everything from purchase orders to major subcontracts. It can analyze how the supply chain is performing in key areas or to highlight a group of critical suppliers that support different sectors. It also provides the information to identify areas for improvement. One focus of attention are risks associated with single-source, small, and foreign businesses that may be more vulnerable to program performance deficiencies. 3 Another area of concern has been financial health of the supply base, given the downsizing in procurement and stresses in the defense industrial base. To address customer concerns and potential vulnerabilities, NGC includes financial health assessments of its suppliers in order get a fuller picture of the health of its supply base. OASIS: Many of its suppliers are local businesses situated near NGC operations. The Online Automated Supplier Information System (OASIS) creates a One Northrop approach across all of the sectors. This online portal provides suppliers with everything from terms and conditions to training. NGC also posts information videos on topics such as supplier chain security and identity management and supplier scorecards. 3 http://crreport.northropgrumman.com/ 7

Quality: NGC relies on supplier quality management system certifications to understand the basic capabilities of a supplier. Suppliers are required to implement and maintain a quality management system appropriate for the type of product or service being procured. If the risk is deemed to be high for a highlyengineered product, NGC has the right to perform periodic reviews. Typically, inspection teams from mission assurance, engineering and supply chain will verify that the right systems are in place to minimize performance and quality risks. NGC has a corporate approach to counterfeit material prevention which prescribes preventive measures, training, communication, counterfeit alert management, and procedures for comprehensive material assurance. The Enterprise Material Authenticity team, chartered by the Corporate Quality Council bringing together a team from quality, engineering, supply chain, contracts, and legal takes the lead on counterfeit parts protection efforts. Cyber Security in the Supply Chain Northrup Grumman has been a vocal proponent of the growing dangers of cyber risks to the supply chain risk. Given the nature of its business, NGC is acutely aware of the emerging vectors of attack through supply chain partners and components. Because program requirements are set by its customers, NGC has begun educating its customers about the need to build security into products and systems through the program life cycle, from design to delivery. This may require a shift in the culture of some of its customers, which have long been focused on investing in performance rather than security. The ESS cyber team develops new methodologies and standard tools to manage cyber risks. An increasing number of customers are requiring SC risk management plans, which include identification of the ways NGC manages particular risks associated with programs that include software development. NGC uses a couple of methodologies and a standard tool developed by ESS. Inspection requirements exist through the development process, and these inspections must be passed before a project can proceed. 8

Figure 4. Building Security into the Design Process Standards NGC adheres to the widely accepted standards for quality management, such as AS 9100, a quality management standard for the aerospace industry, and ISO 9000, and it looks for those capabilities in its major suppliers. NIST standards, like 7622 (Supply Chain Risk Management for Information Systems) is an area of increased attention and compliance efforts. 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information