Supply Chain Intelligence with ChainShield™
It’s not just for the government anymore.
Supply Chain Risk Management has steadily progressed into a critical security issue for commercial and private organizations in the last several years. This has been a U.S. Department of Defense area of concern for decades due to the magnitude of harm that compromised software and hardware components can potentially inflict on National Security Systems. Those threats also extend to Platform Information Technology (PIT) and other mission supporting IT infrastructure.
Gray Analytics and SAP National Security Services have developed a proprietary ChainShield™ Supply Chain Intelligence and Risk Management tool, which can help both U.S. Government and commercial organizations analyze their current state of Supply Chain Risk Management and develop comprehensive solutions across all supply chain elements affecting confidentiality, integrity, and availability. Comprehensive Supply Chain Risk Management starts with technology, ends with people, and includes myriad processes in between. Many solutions for Supply Chain Risk Management fail to address one or more critical elements or place an imbalanced focus on software or system controls. Other solutions narrowly focus on manufacturing assurance within a specific ecosystem, while ignoring the threat potential from both external and internal sources and the complexities of end-to-end global supply chains.
With more than a decade of both enterprise cybersecurity and Supply Chain Risk Management support, Gray Analytics can help develop and implement effective, threat-specific measures tailored to each organization to secure their supply chains.
End-to-end security — Gray Analytics’ comprehensive approach.
Effective Supply Chain Risk Management is a hypercomplex objective that requires a dynamic, multi-faceted, and comprehensive approach. We tackle this problem by focusing on the key interrelated drivers of a secure supply chain, including:
- Real-time threat and vulnerability exploitation analyses,
- Selection and implementation of trusted security controls,
- Implementation of procurement- and acquisition-specific processes, and
- Ongoing assessments of supplier transparency and their own Supply Chain Risk Management efforts.
These interwoven relationships, and in many cases direct dependencies between elements, contribute to the complexity of a given supply chain. Gray Analytics attacks that complexity and associated ambiguity with proven technology and processes to ensure the integrity and security of your supply chain.
Our Team Discussing ChainShield™ at the 2020 NS2NOW Digital Summit
NIST guidance is key.
The National Institute of Standards and Technology (NIST) provides significant guidance for organizations to implement security controls to address Supply Chain Risk Management through technology, people, and process. Gray Analytics offers the rare ability to combine expert knowledge of and experience with NIST guidance with our proprietary Supply Chain Risk Management tool to help you implement the necessary security controls and procedures that address your organization’s unique requirements and objectives and ensure the security of your supply chain.
We saw a problem. Now we’re creating the solution.
In 2019, Gray Analytics envisioned TSAAF (Trusted Systems Assessment and Assurance Framework) as a tool for the detection, correlation, and reporting of supply chain anomalies based upon a respective company’s individual supply chain. Since then, engineers at Gray Analytics have been hard at work refining the architecture and requirements needed to build such a tool.
Gray Analytics partnered with SAP National Security Services (SAPNS2) in 2020 to develop this tool, which was renamed ChainShield™. The partnership team held The Great Masked Hackathon, where staff from both companies joined and split into three teams, each competing to develop the first working prototype of ChainShield™. Their efforts were successful, and Gray Analytics and SAPNS2 are now working together to complete the development of this tool, marketed and sold by NS2. ChainShield™ will allow both government and commercial clients to mitigate the risks to their supply chain by illuminating the individual pieces of that supply chain.
What is Cyber Supply Chain Risk Management?
Cyber Supply Chain Risk Management (C-SCRM), as defined by the National Institute of Standards and Technology, is the process of identifying, assessing, and mitigating the risks associated with the distributed and interconnected nature of Information Technology (IT)/Operational Technology (OT) product and service supply chains. It covers the entire life cycle of a system (including design, development, distribution, deployment, acquisition, maintenance, and destruction) as supply chain threats and vulnerabilities may intentionally or unintentionally compromise an IT/OT product or service at any stage.
Additional C-SCRM Resources:
Within C-SCRM, there is a heightened degree of focus on policy, technical research, and foreign diplomacy to advance the agenda around securing the supply chains feeding the world’s largest economy, that of the United States. We provide below two helpful documents to educate and advance internal efforts to secure DoD procurement and the systems and subsystems being developed:
The Defense Science Board established a Task Force to focus on the Cyber Supply Chain and outlined in this document observations and recommendations drawn from the Task Force’s deep review of this evasive and growing threat.
Additionally, the National Institute of Standards and Technology Special Publication 800-161 was created to raise awareness of “federal agencies on identifying, assessing, and mitigating information and communication technology (ICT) supply chain risks at all levels of their organizations.”
Highly adaptable — ChainShield™ can assist across Communities of Interest (COIs).
Gray Analytics and SAPNS2, with SAPNS2’s ChainShield™ offering, are uniquely positioned to assist with facilitating some level of compliance and policy adherence with many of the COIs and their corresponding directives:
- DoDI 5000.01/.02 & DAG 13 PPP
- Title III
- ICD 731
- DoDD 5105.22 & DoDM 5220.22
Critical Program Information:
- DoDI 5200.39
- DFARS 252.204-7012 & DoDI 8500.01
- DoDD 5205.16
Trusted Systems & Networks:
- DoDI 5200.44
National Security Systems:
- CNSSD 505
- DoDM 4140.01 v3/v4/v9 & DoDD 5200.47 E & 10 USC 2460 & DoDI 4151.20 & DAG Ch5
- DFARS 252.246-7007, 252.246-7008 & DoDI 4140.67 & 4140.01 & DoDD 5200.47 E