The Department of Defense Office of Inspector General (DoDIG) was assigned to determine whether the Air Force Space Command implemented an adequate supply chain risk management program for four critical strategic systems — specifically, the agency conducted a detailed review of the Space Based Infrared System and a limited review of the Air Force Satellite Control Network, the Family of Advanced Beyond Line-of-Sight Terminals and the Global Positioning System.
The DoDIG conducted an audit in response to a reporting requirement contained in House Report 114-537, to accompany House Report 4909, the National Defense Authorization Act for Fiscal Year 2017. This is the second in a series of audits on supply chain risk management for DoD strategic capabilities in response to the Congressional requirement.
- The Space Based Infrared System is a follow-on capability to the Defense Support Program satellites, which help protect the U.S. and its allies by detecting missile launches, space launches, and nuclear detonations
- The Air Force Satellite Control Network is a global system providing command, control, and communications for space vehicles
- The Family of Advanced Beyond Line-of-Sight Terminals develops nuclear event-survivable terminals capable of communicating with satellite constellations using jam-resistant, low probability of intercept and low probability of detection waveforms for airborne, ground-fixed, and transportable applications
- The Global Positioning System is a constellation of orbiting satellites that provides navigation data to military and civilian users all over the world.
The supply chain is the sequence of activities necessary to provide an end user with a finished product or system (from raw material to finished product). The activities include designing, manufacturing, producing, packaging, handling, storing, transporting, operating, maintaining, and disposing.
Supply chain risk is the vulnerability that an adversary may sabotage, maliciously introduce an unwanted function, or otherwise compromise the design, integrity, manufacturing, production, distribution, installation, operation, or maintenance of a system. The adversary may take these actions to surveil, deny, disrupt, or otherwise degrade the function, use, or operation of the system.
DoD supply chain risk management policy requires DoD organizations to identify critical information and communications technology components, purchase those components from trusted suppliers, and test and evaluate critical components for malicious threats.
The Air Force Space Command established initiatives to manage supply chain risk for the Space Based Infrared System but did not fully implement DoD supply chain risk management policy. This occurred because the Air Force Space Command did not take the steps and establish the controls and oversight necessary to:
- Conduct a thorough criticality analysis and identify all critical components and associated suppliers to manage risks to the system throughout its lifecycle
- Submit complete and accurate requests to conduct threat assessments of critical component suppliers
- Require the purchase of all application-specific integrated circuits from trusted suppliers using trusted processes that are accredited
- Ensure the use of rigorous test and evaluation capabilities, including developmental, acceptance, and operational testing.
In addition, the organization's limited review of three other Air Force Space Command critical systems revealed concerns similar to those found with the Space Based Infrared System supply chain risk management. As a result, an adversary has the opportunity to infiltrate the Air Force Space Command supply chain and sabotage, maliciously introduce an unwanted function, or otherwise compromise the design or integrity of the critical hardware, software, and firmware.
The DoDIG recommends that the Air Force Space Command Commander develop a plan of action, with milestones, for the Space Based Infrared System to comply with DoD supply chain risk management policy. The plan should establish controls and oversight and require Air Force Space Command personnel to develop internal procedures or establish contract requirements to:
- Improve the accuracy of the critical components list to manage risks to the Space Based Infrared System throughout its life cycle and require the identification of all critical logic-bearing hardware, software, and firmware, and the associated suppliers
- Improve the accuracy of the requests for supplier threat assessments and require the prioritization of the critical components on the requests and the inclusion of all key information needed to conduct the assessments
- Determine the risk posture and potential mitigations for all application-specific integrated circuits not procured from a trusted supplier using trusted processes that are accredited
- Ensure the use of rigorous test and evaluation capabilities, including developmental, acceptance, and operational testing, and require establishment of verification and validation procedures for critical logic-bearing hardware, software, and firmware.
The DoDIG also recommends that the Air Force Space Command Commander conduct a detailed review of the supply chain risk management for the Air Force Satellite Control Network, Family of Advanced Beyond Line-of-Sight Terminals, and Global Positioning System programs, and all other programs deemed critical to the Air Force Space Command, to ensure compliance with DoD supply chain risk management policy. If deficiencies are identified, Air Force Space Command officials must develop a plan of action with milestones to correct the deficiencies.
Management Comments and the DoDIG Response
The Air Force Space Command Space and Missile Systems Center Vice Commander, responding for the Air Force Space Command Commander, agreed with the recommendations and stated that the Air Force Space Command will improve the supply chain risk management for the Space Based Infrared System and:
- Conduct a criticality analysis to accurately identify and compile a parts list for all critical components
- Produce a critical components list that includes the breakdown for all logic-bearing devices to the component level and provide them with a request for information that includes all key information necessary to conduct threat assessments of critical item suppliers
- Use the supplier threat assessment reports to determine the risk posture and identify potential mitigations for application-specific integrated circuits not procured from a trusted supplier using trusted processes that are accredited
- Incorporate modernized requirements and verification processes to ensure the security of the program and perform verification and validation of these requirements using program protection surveys, independent third party assessors, and developmental and operational tests.
In addition, the Vice Commander agreed to conduct a supply chain risk management review of the Air Force Satellite Control Network, Family of Advanced Beyond Line-of-Sight Terminals, and Global Positioning System programs, and other programs deemed critical to the Air Force Space Command, to ensure compliance with DoD supply chain risk management policy.
The comments from the Vice Commander addressed the DoDIG's recommendations; therefore, the recommendations are resolved and will remain open. The recommendations will be closed once the Vice Commander provides the documentation showing that the actions have been completed.
Related documents — DODIG-2018-143_REDACTED.PDF
The Department of Defense Office of Inspector General was established in 1982. The mission of the DoD OIG, as established by the Inspector General Act of 1978, as amended (5 U.S.C. Appendix), and implemented by DoD Directive 5106.01, "Inspector General of the Department of Defense," is to serve as an independent and objective office in DoD to:
- Conduct, supervise, monitor, and initiate audits, evaluations, and investigations relating to programs and operations of the Department of Defense
- Provide leadership and coordination and recommend policies for activities designed to promote economy, efficiency, and effectiveness in the administration of, and to prevent and detect fraud and abuse in, such programs and operations
- Provide a means for keeping the Secretary of Defense and the Congress fully and currently informed about problems and deficiencies relating to the administration of such programs and operations and the necessity for and progress of corrective action.