Supply Chain Risk Management Trixie Brewer HQ AFMC/A4R FOUO - For - - PowerPoint PPT Presentation



SLIDE 1

FOUO - For Official Use Only

Air Force Materiel Command

Supply Chain Risk Management

Trixie Brewer HQ AFMC/A4R

SLIDE 2

Deliver and Support Agile War-Winning Capabilities

Great Power Competition, Military – Civilian Fusion

• Under great power competition, we see the fusion of military and commercial sectors, where adversaries are weaponizing commercial activity as a means of degrading US military capability.
• Examples include:
  • Russia’s cornering of rare earth element markets; and the use of cartel-like actions
  • China’s practices of commercial entity exploitation
  • Weaponized Mergers & Acquisitions (M&A)
  • Pressuring partner companies to transfer technology as normal business
  • Exploiting networks of scientific, academic, & business contacts to steal IP & tech secrets
  • Controlling ports via targeted ownership & insertion of Chinese-owned tech for access to transiting goods
  • Exploitation of DoD commercial supply chains to introduce counterfeit parts
  • Focused kinetic warfare-based strategies to exploit the commercial domain: Anti-Access/Area-Denial (A2AD) & Disruption

SLIDE 3

Risk Lurking in the Industrial Base

The domain of warfare is expanding well beyond the battlefield to create a new contested space!

1. Warfare on the Battlefield
2. Warfare Against Supply Lines Feeding the Battle
3. Warfare Against War Supporting Production Capability
4. Warfare Against the Industrial Base to Shape War

Commercial Industrial Base

• Intellectual property theft
• Cyber, software, and hardware attacks
• Weaponized M&A

SLIDE 4

Enterprise SCRM Operational View

• Centralized, integrated function comprised of AF, AFMC and Center resources that coordinate for effective, efficient SCRM
• An integrated function brings effectiveness and efficiency in:
  • Processes
  • Tools
  • Communication
  • Coordination
  • Program Management

Diagram labels: Program Offices (AFLCMC); DoD & SAF/HAF; Labs (AFRL); Nuclear Enterprise (AFNWC); Testing (AFTC); Installation Support (IMSC); Enterprise SCRM; Sustainment (AFSC); EN; LG / A4; PK; TSN; AFOSI & A2; JA

SLIDE 5

Network Illumination

674 Sub-Tier Suppliers Identified

SLIDE 6

Risk Findings

Weight (10pts): 1.00 1.00 2.00 2.50 1.00 2.50

Scored criteria: Involvement of Risky Foreign Entity; Number of Risk Lenses; Likelihood; Difficulty of Mitigation; Difficulty to Detect; Severity of Impact

| Supplier | Risk | Criterion scores (as listed) | Risk Score |
|---|---|---|---|
| Boeing | Thousands of documents related to | 3 4 3 3 3 3 | 4.83 |
| Texas Instruments | Texas Instruments sold sensitive ele | 3 2 3 3 2 3 | 4.50 |
| Acronis | Acronis’ Management has several ties to Russian government entities | 3 1 3 3 1 3 | 4.25 |
| Everspin Technologies | Supplier’s lack of profitability increases its susceptibility to bankruptcy and foreign influence | 2 3 3 3 1 3 | 4.25 |
| Intel | The AMD-THATIC joint venture will e | 3 3 2 3 2 3 | 4.25 |
| MobileIron | MobileIron’s use of Acronis software in its provision of services to the DoD makes it a foreign influence and cyber risk | 3 2 2 3 3 3 | 4.17 |
| Imagination Technologies | Shareholders of Imagination Tech, a | 4 3 3 2 1 3 | 4.17 |
| Xilinx | Xilinx Inc.’s FPGAs are frequent targets for foreign acquisition & counterfeiting | 3 2 3 2 2 3 | 4.08 |
| TSMC | Taiwan Semiconductor Manufacturin | 3 1 1 3 3 3 | 3.92 |
| Aeroflex | Cobham recently acquired Aeroflex | 3 3 3 1 3 3 | 3.92 |
| Marvell | Chinese investors, including a PRC S | 3 1 2 3 1 3 | 3.92 |
| Xilinx | Flextronics has a history of mislabel | 1 2 3 3 3 2 | 3.92 |
| Cypress Semiconductor | Former Chairman of Cypress Semico | 3 2 2 2 2 3 | 3.75 |
| Fairchild Semiconductor | Fairchild Semiconductor is a target f | 3 2 2 2 2 3 | 3.75 |
| GlobalFoundries | An industrial tool virus infected the | 2 2 3 2 1 3 | 3.75 |
| Everspin Technologies | Everspin Technologies is partially ow | 3 1 2 3 2 2 | 3.67 |
| Microsemi | Microsemi accused of ITAR and FCA | 2 3 2 2 2 3 | 3.67 |
| GlobalFoundries | UAE’s purchase of GlobalFoundries raises influence concerns about DoD’s reliance on it as a Trusted Foundry | 2 2 1 3 2 3 | 3.67 |
| Insyde Software | Firmware made by Insyde Software | 3 1 2 2 2 3 | 3.67 |
| Lattice Semiconductor | Lattice Semiconductor has been targ | 3 3 2 3 1 2 | 3.67 |
| DDC | DDC was recently acquired by TransD | 1 2 3 2 3 | 3.58 |
| Xcerra | Xcerra received an acquisition offer | 3 2 2 2 1 3 | 3.58 |
| Silicon Motion | Malicious code can be uploaded to S | 3 3 1 2 2 3 | 3.50 |
| Acronis | Russian Government-owned power | 3 1 3 3 1 1 | 3.42 |
| Acronis | Acronis has a history of cyber securi | 1 1 3 3 3 | 3.42 |
| Microchip | A Chinese company allegedly copie | 3 2 1 2 2 3 | 3.42 |
| Micron | Micron and its innovations have bec | 3 3 2 2 1 2 | 3.25 |
| Harris Corporation | A Harris Corporation contractor pled | 1 2 2 2 3 | 3.17 |
| Intersil | Counterfeit Intersil chips have been | 1 2 2 2 3 | 3.17 |
| IDT | Chinese and Pakistani investors atte | 3 1 2 2 1 2 | 3.08 |

SLIDE 7

Risk Findings, Cont.

Weight (10pts): 1.00 1.00 2.00 2.50 1.00 2.50

Scored criteria: Involvement of Risky Foreign Entity; Number of Risk Lenses; Likelihood; Difficulty of Mitigation; Difficulty to Detect; Severity of Impact

| Supplier | Risk | Criterion scores (as listed) | Risk Score |
|---|---|---|---|
| Microsemi | ProASIC3 chips could have backdoor | 1 1 2 3 3 | 3.00 |
| Halo | X-ES’s supplier, Halo Electronics, makes products that are prone to counterfeit substitution in the marketplace | 1 1 2 2 2 2 | 2.92 |
| NXP | NXP products are often substituted | 1 1 2 2 2 2 | 2.92 |
| Pentair | Pentair subsidiaries have a history o | 2 3 1 2 2 2 | 2.92 |
| Cobham | Cobham faces an insider-trading pro | 2 3 2 2 1 | 2.75 |
| Marvell | Marvell has a history of questionabl | 1 1 2 3 1 1 | 2.75 |
| Microchip | Atmel was the previous target of Ch | 2 2 2 1 2 2 | 2.75 |
| Exar | Reliance on Asian manufacturers fo | 2 1 2 2 2 1 | 2.67 |
| Intel | Intel microprocessors are vulnerabl | 1 1 2 1 3 2 | 2.67 |
| Pericom | Pericom’s integrated circuit chips are frequent targets for foreign acquisition and have been targeted by the PRC in the past | 3 2 1 1 2 2 | 2.58 |
| SMIC | The Chinese Government is the larg | 3 1 1 2 2 1 | 2.50 |
| STMicroelectronics | Multiple state-sponsored entities o | 2 2 1 3 1 | 2.50 |
| Texas Instruments | Texas Instruments employees adve | 3 1 1 1 1 2 | 2.33 |
| Fairchild Semiconductor | Fairchild has been engaged in a long | 2 2 2 1 1 | 2.25 |
| Intersil | Intersil faced a lawsuit regarding its | 2 2 2 1 1 | 2.25 |
| ON Semiconductor | ON Semiconductor focuses producti | 1 2 1 1 2 2 | 2.25 |
| Exar | MaxLinear’s recent purchase of Exar could jeopardize Exar’s continued production and design of supplied parts | 1 2 1 1 2 | 2.17 |
| Harris Corporation | The SEC caught the chief executive o | 3 2 1 1 2 1 | 2.17 |
| Silicon Labs | Silicon Labs is overly reliant on 3 sma | 1 1 2 3 1 | 2.17 |
| Curtiss-Wright | Curtiss-Wright’s sales to Russian entities raise concerns of foreign influence through reverse engineering | 1 1 1 2 1 1 | 2.00 |
| Halo | Halo Electronics is susceptible to for | 2 1 1 1 1 1 | 1.75 |
| MobileIron | MobileIron faces financial challenge | 1 2 1 1 1 | 1.75 |
| Pericom | Pericom Semiconductor is susceptib | 3 1 1 1 1 | 1.75 |
| Global Foundries | GlobalFoundries acquired IBM’s poorly-performing chip-manufacturing unit, placing it at financial risk | 1 1 1 2 1 | 1.58 |
| Microchip | Microchip’s withdrawal of a severance package for employees indicates problematic and unethical business practices | 1 1 1 2 1 | 1.58 |
| Linear Tech | Linear Technology has been sued by | 2 1 1 1 1 | 1.50 |
| Curtiss-Wright | Overcharging government clients and gender discrimination undercut Curtiss-Wright’s business ethics | 1 1 1 1 1 | 1.42 |
| NXP | NXP is threatened by financial issue | 1 1 1 1 1 | 1.42 |
| Micron | Micron, who supplies DRAM chips to | 1 1 1 1 | 1.25 |
| Cypress Semiconductor | Most Cypress Semiconductor parts l | 1 1 2 1 | 1.17 |

SLIDE 8

Acronis: Foreign Influence

Supplier: Acronis
Country: Singapore
Risk Lenses: Foreign Influence

Background / Threat to Program

• Acronis provided a backup & recovery advanced server to the Joint Stock Company Moscow Integrated Power Company, a subsidiary of Gazprom, the state-owned enterprise that contributes a significant portion of Russia’s GDP.
• The Russian government is a direct Acronis customer and has significant connections beyond the above Gazprom connection. But while Gazprom is a customer and not a supplier, this relationship is further evidence of the integration of Acronis with Russian interests.
• Proprietary technology contained in the software sold to Russian government clients presents a risk of reverse engineering and vulnerability identification within similar Acronis devices.
• Business relationships with adversarial foreign governments could create dual loyalties and leave Acronis vulnerable to coercion in the future.

Mitigations

• Replace Acronis with qualified alternative service providers such as Carbonite, Datto, and Symantec.
• Determine if Acronis supports any other aspects or subsystems of the Target Program, or any associated programs, to establish the degree of criticality and potential vulnerability, and with it the degree of escalation.
• Consider informing counterparts in the USN who also use Acronis services.
• Determine how Acronis compartmentalizes and protects government customer data, where it's housed, and who has access.

SLIDE 9

Acronis management connections to Russian government entities

SLIDE 10

AFMC SCRM Successes

• Approved AFMC Roadmap and Implementation Plan and Process
• Numerous Programs completed assessments within AF/AFMC
  • Enabled risk avoidance/mitigation
• AF Programs see value of AFMC/SCRM
  • Fighter / Bomber (FB) Directorate
  • FB PEO working to perform assessments across Portfolio; FB prioritizing top 6-9 programs for FY19/20 assessments
  • Program estimates considered to be an economic win, 0.1% of program costs
  • Two CFIUS Cases sent forward; M&A stopped by POTUS
  • Two additional assessments kicked off this CY (Vehicles, Synthetic Biology)
• AFMC and AF Working Groups
  • Language to SAF/AQ for 63-101, coordinated with Space Cmd
  • Influenced DoD DASD (SCI) SCRM definition for DoDI 4140.01 & coordinated on AFPD 23-1 SCRM definition

SLIDE 11

AFMC SCRM Way Ahead

• SAF & AFMC/A4 evaluate SCRM policies to ensure integrated and aligned
• Continue to build Senior Leadership Support - Centers, Program Offices, Command, & HAF/SAF/OSD - Awareness and Importance
• HQ AFMC/A4R establishing central contract vehicle - Provide AFMC Support and SCRM Assessments - Build organic capability
• Continue to Perform Assessments and Fine Tune Processes and Tools
• Continue to Work detailed Processes and Develop Relationships & Collaboration (OSI, AFCEA, PCTTF, etc.)
• Standardize SCRM processes and tools Across AFMC
• Evaluate and update CDRLS/DIIDs for Contracts

AFMC Leadership To Drive SCRM Evolution Across Command

SLIDE 12

SCRM Summary

• The resurgence of Great Power Competition has introduced an asymmetric domain of warfare through the weaponization of the commercial industrial base.
• Major Readiness Factor…Supply Chain Risks need to be addressed. We are at war every day
• Communication up, down and across the supply chain and functional areas is critical to battling this major readiness risk.

Supply Chain Risks are Real--SCRM is everyone’s responsibility.