DoD COTS Risk Categories
Compliance,DFARS,NIST 800-161 R1,NIST 800-171 R3,Supply Chain Risk Management (SCRM)
ComplianceForge • September 2, 2025

The DoD recently released a memo regarding DoD Commercial Off The Shelf (COTS) Information and Communications Technology Supply Chain Risk Management.
The memo had two attachments:
- Attachment A - COTS Risk Categories
- Attachment B - ICT-SCRM Requirements
This article covers Attachment A, which contains a list of twelve (12) risk categories and their associated definitions:
Attachment A - COTS Risk Categories
- Regulatory and Compliance. Changes in statutes, laws, policies, regulations, and/or agreements that materially impact a business or market sector and that can increase business operating costs, reduce the attractiveness of investment, or change the competitive landscape. Extends to the inability of a supplier to comply with wide-arching sets of domestic or foreign statutes, laws, policies, regulations, and/or agreements established to avoid impacts to national security. This can include market practices, contract compliance, fraud, unethical practices, and other actions that are called into moral, ethical, or legal question.
- Manufacturing & Supply. Either a single supplier or sector/market cannot meet market demand. This can be due to reduced throughput or production delays caused by capacity constraints, obsolescence, industrial limitations, market conditions and the supplier's practices across those markets, disrupted material delivery, and other conditions. Additional concerns include availability of supply, capacity to surge, sole-source, and concentration within or over-reliance on a single source.
- Foreign Ownership, Control, or Influence (FOCI). A foreign interest has the power - whether through direct or indirect control, whether or not exercised - to direct or decide matters affecting the management or operations of a company in a manner which may result in unauthorized access to information or may adversely affect the performance of contracts and/or programs which support national security.
- Political. The weakness of political powers and their legitimacy and control; inadequacy of their control schemes, policies and planning, or broad political conditions. May occur due to internal or geopolitical instability, interstate conflict, civil unrest, governmental collapse, political disputes (territorial, trade, etc.), corruption, terrorism, or other factors that can lead to disrupted supply chain operations, increased business operating costs, reduced attractiveness of investment, or altered competitive landscapes.
- Technology & Cybersecurity. Involves the management of cybersecurity requirements for information and communications technology (ICT) systems, software, and networks, which are driven by threats such as cyber-terrorism, malware, data theft, and the advanced persistent threat (APT). Includes vulnerabilities and exposures of ICT system components produced by a specific supplier. Common risks include weaknesses in computation logic (code) found in software and hardware components that, when exploited, result in a negative impact to confidentiality, integrity, non-repudiation, or availability.
- Financial. A supplier cannot generate revenue or income resulting in the inability to meet financial obligations. Financial distress can lead to the inability to meet contractual obligations, hostile takeovers, or bankruptcy.
- Economic. Factors that influence an economy are out of balance, leading to unpredictable fluctuations in growth, inflation, employment, and financial health. This instability can be episodic, meaning discrete events such as job loss, or it can be chronic, meaning sustained events such as variations to employee compensation. Either way, economic instability can lead to reduced investment and weakened consumer confidence. Multiple factors may cause instability and may include recession, sanctions, demand shocks, price volatility, inflation, and unemployment.
- Product Quality & Design. Inherent design and quality problems (e.g., raw materials, ingredients, production, logistics, packaging) which result in the item failing to meet performance specifications and quality standards set by industry or DoD. Includes items illegally created and sold under false pretenses. The items lack industry standard tests during the production phase (e.g., pressure testing) or are counterfeit and non-MILSPEC items that could pose significant risk to the function and safety of the system, increased maintenance costs due to depreciation in quality, and added stresses due to an item's inability to function at true capacity.
- Human Capital. Encompasses the human skills, knowledge, and actions that may impact a market's ability to produce goods and/or services to meet demand. This includes industrial disputes, labor availability and unrest, attrition of required skills, and consumer behavior that disrupts a given market or industry.
- Environmental. Natural and manmade disasters that may disrupt supply chains. Natural disasters and other extreme weather conditions comprise the bulk of external environmental risk. Manmade disasters can arise from improper health and safety precautions, fires, spills, chemical leaks, and other environmental hazards.
- Transportation & Distribution. A dynamic disruption within the transportation and logistics of moving a product from one point to another. The transportation industry is among the most risk-prone of all industries due to accidents, losses of cargo, driver shortages, and deteriorating infrastructure. These risks can cause shipment delays, supply chain disruptions, increased costs, and damaged reputations. In addition, the inability to predict and plan for disruptions in the logistics plan presents risk in meeting delivery requirements and maintaining operations.
- Infrastructure. Consists of the availability and functioning of fundamental facilities and systems necessary to support an industry and its supply chains within a country, such as buildings, transportation networks, utilities, and equipment. Also includes how well those facilities and systems are protected from physical and cyber threats.