A Pentagon official on Tuesday said the department is working on new opportunities to improve industry’s ability to track the security of their software supply chain, citing a recent example where her office had to work with an unnamed company whose technology was compromised.
Michele Iversen, DoD’s director of risk assessment and operational integration, told attendees at a Fifth Domain
event on Tuesday the department is working to better inform vendors of potential supply chain risks, specifically malicious code that may be conspicuously embedded in software.
“We don’t really have visibility that we need to know where the threats are. Gaining visibility of those threats is going to be key, having the basic due diligence across the board from all of our purchases,” Iversen said. “We’ve seen the adversary be very creative in how they attack the supply chain.”
Iversen cited the example of the unnamed company that unknowingly provided compromised tools to the Pentagon to highlight the larger supply chain issues the department is working to mend.
“We are looking at a technology right now with a company that was compromised and had a big cyber security vulnerability. We have seen that bad things coming from those products,” Iversen said.
The Pentagon’s CIO office has spent the last nine months working through avenues to improve risk management, according to Iversen, including developing new best practices that would delineate the level of due diligence for making supply chain decisions for a simple acquisition effort versus a major weapons platform.
Iversen added that her office is also considering a tool that would provide industry with publicly available information to assist with supply chain decisions and where to avoid purchasing certain software.
“When people are going to look and make their purchases, they have information available to them,” Iversen said.