
DoD ICT-SCRM Requirements

Compliance, DFARS, Governance, Risk & Compliance (GRC), NIST 800-161 R1, NIST 800-171 R3, Supply Chain Risk Management (SCRM)
ComplianceForge
September 3, 2025

The DoD recently released a memo regarding DoD Commercial Off The Shelf (COTS) Information and Communications Technology Supply Chain Risk Management.

The memo had two attachments:

  • Attachment A - COTS Risk Categories
  • Attachment B - ICT-SCRM Requirements

This article covers Attachment B. Attachment B provides ICT-SCRM requirements for DoD components deploying COTS products, where DoD components are expected to include the following where applicable:

Attachment B - ICT-SCRM Requirements

  1. Ensure vendors adhere to NDAA FY19 Section 889 (Prohibition on Certain Telecommunications and Video Surveillance Services or Equipment from Huawei, ZTE, Hytera, Hikvision, and Dahua) by including FAR clause 52.204-24.
  2. In accordance with 15 CFR 7.109(d)(5), ensure products by Kaspersky Labs, and any of its successors and assignees, are excluded by including FAR 52.204-23, Prohibition on Contracting for Hardware, Software, and Services Developed or Provided by Kaspersky Lab Covered Entities.
  3. For national security systems, verify in the Supplier Performance Risk System (SPRS) that none of the proposed products appear on the NSS Restrict list, in accordance with 10 U.S.C. 3252 (252.239-7017 Notice of Supply Chain Risk).
  4. If a COTS product is identified by the National Information Assurance Partnership (NIAP) as approved by a Common Criteria Testing Laboratory (CCTL), ensure the protection profile is implemented and mitigate or resolve identified vulnerabilities. The P-ISSM must also review the technology being accepted or connected as part of the cybersecurity accreditation process to ensure configuration compliance.
  5. Prioritize software integrity in accordance with OMB Memorandum 22-18. Software integrity is key to protecting Federal systems from nation-state and criminal actors seeking to disrupt our nation's critical functions. One way to achieve this is for Federal agencies to adopt software from software producers who can attest to complying with the Government-specified secure software development practices, as described in NIST guidance. The DoD will advocate for voluntary, independent assessments to validate adherence to secure development practices.
  6. Validate that the minimum NIST SP 800-53 R5 controls are implemented in accordance with DoDI 8510.01 and the Assess and Approve baseline in the RMF Knowledge Service.
    1. (SR-2) Supply Chain Risk Management Plan: For any mature implementation of ICT-SCRM, there must be a documented plan to lead an organization's efforts.
    2. (SR-3) Supply Chain Controls and Processes: The existence of NIST SP 800-161 R1 demonstrates the need for controls and processes to implement ICT-SCRM.
    3. (SR-4) Provenance: The ability to manage supply chain risk is fundamentally tied to an ability to know the suppliers of all components and services used for mission execution. The vendor must document, monitor, and maintain valid provenance of the system components and ensure system components are genuine. 
    4. (SR-6) Supplier Assessments and Reviews: The ability to determine cybersecurity risk from the supply chain must come from assessments and reviews of suppliers that support the mission.
    5. (SR-9) Tamper Resistance and Detection: Implement a tamper protection program for the system, system component, or system service. 
  7. Obtain the following artifacts as part of the security authorization process: 
    1. Hardware and software inventory list.
    2. Hardware and device certifications and approvals.
    3. Incident response plan.
    4. Software Certification test results or attestations/memorandums.
    5. Supply Chain Risk Management Policy.
    6. List of all implemented Security Technical Implementation Guides (STIGs).
  8. Ensure the vendor adheres to the DoD-issued Security Requirements Guides (SRGs) and any accompanying STIG.