NASA doesn’t carry out any of its space or aeronautic missions without deep contractor support. To that end, the agency has overhauled enterprisewide how it deals with the critical issue of managing risk in its vast supply chain.
The change stemmed from a several-year initiative known as Mission Support Future Architecture Program. MAP, in the agency’s words, aims to “transform mission support services to an enterprise operating model while maintaining mission focus.”
And the work of Kanitra Tyler has been a critical part of such efforts. She’s the supply chain risk management (SCRM) service element lead at NASA. Her team falls within the Office of Cybersecurity Services in the NASA CIO’s office.
Before MAP, the 11 NASA centers inconsistently managed and addressed enterprisewide needs, including dealings with the agency’s many suppliers, Tyler explained during Federal News Network’s Cyber Leaders Exchange 2023.
“The problem came in that cybersecurity was also being inconsistently applied, depending on which center you went to,” Tyler said. “So now, supply chain risk management, like other cybersecurity services, is delivered from an enterprise perspective.”
She pointed out that the cyber SCRM program for information and communications technology is one of several supplier-related efforts. For example, whereas her group assesses risk, NASA’s Office of Safety and Mission Assurance directly audits players in the supply chain for a variety of factors related to the safety of humans and physical systems.
Tyler said her SCRM team “covers the entire lifecycle of what we would normally refer to as a system, something that is providing a service or delivering some function or capability for the enterprise.” Tyler defined lifecycle as covering the design, acquisition, deployment and distribution, maintenance and eventual decommissioning phases.
“We’re looking at all of those threats and vulnerabilities that may be intentionally or unintentionally introduced that will compromise any of that IT — or operational technology for that matter — at any stage of that lifecycle,” she said.
She oversees services affecting a broad portfolio. Policy for “covered articles” include anything that might gather, process or store controlled, unclassified NASA information, including cloud computing services providers, she said. To be precise. what’s covered is defined by Section 11-101 of Title 40, Tyler added.
The agency’s procurement operation has a class deviation in place requiring suppliers to identify all items (or articles) to the Office of the CIO — not just those at higher classification levels — that they intend to use in the performance of contracts with NASA.
“Anything that is touching that nonpublic NASA information … is what we ask them to report back to us. Our policy states that no contract shall be awarded until after that submission has happened from the offeror and that we in the Office of the CIO have given the OK to actually have that offeror come in and begin to perform.”
Tyler also chairs the agency’s Supply Chain Security Working Group. It supports the principal adviser for enterprise protection, all under the charter of NASA’s deputy administrator. A counterpart, the Supply Chain Resiliency Board, deals with other potential supplier-centered concerns beyond cybersecurity.
The agency’s Office of Safety and Mission Assurance has the authority to audit suppliers directly. Tyler said the SRCM team applies open source research and commercial risk management software to assess the ICT supply base.
But all of these efforts require collaboration, both across NASA and with its suppliers and contractors. “We want to build partnerships with our suppliers,” she said. “We would hope that they are being honest, and we never have to play the False Claims Act card. That’s never a fun thing.”
Tyler added, “I feel like supply chain cybersecurity, all of these things, are about having those relationships in place where we are going to be honest — even when the truth hurts.”
Supply chain risk management becomes more complicated when considering prime contractors themselves bring multiple subcontractors and partners of their own supply chains to bear on work that they do with NASA or any agency. Tyler said the ICT SCRM team uses two processes to get at risks at those deeper levels.
One is the CAT SCAN, which stands for “covered article and technology supply chain assessment needed.” Tyler described the information request as a very reactive process.
“The other is the proactive supplier engagement process,” she said. “We’re reaching out to the suppliers, starting the building of that relationship.” Suppliers receive highly specific questions, focused on their own supply chain risk management programs.
“Or they may call it ‘global resilience,’ ” Tyler said. “There are a lot of different names for it. But we want them to tell us how they are protecting their supply chains. Who are their suppliers? Do they know down to that fourth tier, that fifth tier?”
She said NASA wants to know if suppliers are aware of and knowledgeable about their own supply chains and where “components, parts and pieces are coming from, to formulate that final product?”
NASA cyber SCRM: Getting down into the nitty-gritty
Among the specific risks that Tyler’s group watches for is foreign ownership, investment or control, particularly in software — including open source components. Of particular note, she said, are “countries that require you to share your intellectual property, share your consumer information or share whatever they ask for.”
Tyler referred to what the Defense Department calls the XBOM, a play on the term SBOM (software bill of materials).
“We need to know every part, piece and component whether it’s hardware, software or firmware. We need to know everything down to the paint on the box,” she said.
Added concerns for embedded systems start with knowing that an embedded system exists, even if invisible to its users, Tyler said. Then come questions about whether, over the typically lengthy duration of use, an embedded system’s original supplier remains extant. The provenance of spares down the line becomes an issue, as systems age and parts are only available from unauthorized resellers or brokers. She also cited the risk of receiving tampered or outright counterfeit parts.
On the SBOM front, Tyler said she’s getting up to speed by participating in an International Trade Commission SCRM task force sponsored by the Cybersecurity and Infrastructure Security Agency.
“We’re just kind of following CISA’s lead on things like the attestation letter, what should be in the SBOM, the minimum criteria, making sure that it’s machine readable, understanding the various formats,” she said. Tyler also participates in forums on software supply chain assurance at the National Institute of Standards and Technology, and she co-chairs the Hardware Bill of Materials (HBOM) Working Group that’s part of the CISA ITC SCRM task force.
All of these matter because cross-agency collaboration on SCRM is important, she said.
“One of the things that I try to stress at NASA is let’s not do what we’ve done so many times before: NASA-ize things,” Tyler said. “Let’s stay closely in lockstep with things that are happening at a higher level.”
That saves effort for NASA, said, adding that it helps “our suppliers, our partners, understand and know what to expect — as well as we understand and know what to expect.”
Along those same lines, NASA continues to make progress harmonizing SCRM efforts with the Defense Department. A memorandum of agreement circulating in NASA and in DOD’s Joint Federated Assurance Center would enable the two to share assessments for suppliers that they have in common.
Tyler has the right questioning and cautious temperament for a job focused on risk management. When asked if before her child was born a few years ago she bought a wireless baby monitor, Tyler replied, “I did not.”
As a former deputy chief information security officer, she said her technology perspective came down to: “Trust no one. So all of the wireless and baby monitors? No, no thank you.”
What’s on the horizon for NASA SCRM?
NASA’s supply chain risk management program for information and communications technology, like so many programs across NASA, must deal with thousands of suppliers.
That’s why the agency needs a risk management approach to reduce cyber threats to its ICT supply chain, said Kanitra Tyler, the agency’s SCRM service element lead.
Now that her group is collecting data on ICT suppliers, “over the next six to 12 months, we’re actually going to start taking a harder look at where the suppliers that we currently subscribe to sit,” she said. “Are they Tier 1, Tier 2 or Tier 3? And then we’ll assign some criticality.”
Some suppliers will rate an immediate alert if something happens or changes that reflect potential new risks, others might generate an email for later follow-up.
Tyler added that a supplier data repository operated by the Office of Safety and Mission Assurance, into which many components feed data, will become the de facto SCRM repository.
Also ahead, development of a SCRM incident response plan, “not to be confused with your basic operational or information technology incident,” Tyler said. NASA, the Cybersecurity and Infrastructure Security Agency and others are working out a precise definition of SCRM incident.
In the meantime, Tyler said her SCRM team sticks to the “SCRM Three Ps” that it devised as a sort of rubric for the program when it first formed:
- Provenance: integrity of a vendor’s supply chain and the products it delivers
- Pedigree: distribution channels (to ensure against any gray market or counterfeit products)
- Position: resiliency of the supplier and alignment with the often long lifecycles of NASA platforms
For more cyber tips and tactics, visit the Federal News Network Cyber Leaders Exchange 2023 event page.