Mitigating Supply Chain Risks

March 1, 2021 | Posted by: Michael Gerenser

The State of the Defense Industrial Base 

For decades, outsourcing manufacturing to foreign nations has been the norm across all industries. Now the United States is coming face-to-face with the consequences of handing control of technology and the supply chain to foreign entities. Our entire Defense Industrial Base (DIB) and our nation’s critical infrastructure are at risk from several significant factors, including sole-source suppliers, material obsolescence, diminishing manufacturing sources, the erosion of U.S.-based infrastructure, and foreign dependency.

An NDIA Vital Signs report from early 2020 underscores the state of the U.S. Defense Industrial Base with a worryingly mediocre “C” grade. The report singles out three highly intertwined areas of concern: cybersecurity, production inputs, and the supply chain. U.S. manufacturing employment peaked in 1979 and has declined significantly since, down 7.1 million manufacturing jobs by 2017. Offshoring our manufacturing to countries such as China may have saved money in the short term, but it has greatly reduced our country’s flexibility and security today. A 2018 Presidential Task Force report identified significant supply chain risk associated with foreign provision, including counterfeits, lack of traceability, and insufficient quality controls throughout the supply tiers. That report states that “imports of electronics lack the level of scrutiny placed on U.S. manufacturers, driving lower yields and higher rates of failures in downstream production, and raising the risk of ‘Trojan’ chips and viruses infiltrating U.S. defense systems.”

The supply chain risks of foreign outsourcing are not limited to hardware. Outsourcing software development to third parties in foreign nations is all too common. Developers in India, Romania, Brazil, or the Philippines command salaries up to five times lower than those of software engineers based in North America, making it irresistible for many companies to tap into this cheap global talent pool. But outsourcing software development to foreign nations can create serious national security risks: lax or undocumented security policies, quality control issues, intellectual property theft, and cyber vulnerabilities, to name just a few.

Indeed, vulnerabilities within software platforms used by government contractors present a growing source of supply chain risk. One of the most significant software breaches, the SolarWinds hack, happened recently when suspected Russian hackers infiltrated federal agencies through a trojanized update to a contractor’s software. Cybersecurity experts are calling this breach inevitable: the company had poor cybersecurity hygiene and had outsourced its software development to Eastern Europe. As the DoD relies more on third-party suppliers for IT needs, these types of supply chain attacks are likely to become more common.

Taking action to reduce supply chain risks

The United States still has the greatest military and defense equipment in the world, but if we don’t address the issues with our supply chain, we are going to be beaten by near-peer adversaries. Over the past few years, the supply chain has come under sharply increased scrutiny: it matters not just who is building the solution, but where it gets engineered, sourced, built, and supported.

The DoD is already taking action through the new Cybersecurity Maturity Model Certification (CMMC) standard, designed to enhance the cybersecurity posture of the Defense Industrial Base as well as other critical market verticals. CMMC will provide increased assurance to the DoD that a company can adequately protect sensitive unclassified information, accounting for information flowing down to subcontractors in a multi-tier supply chain. One of the most significant changes for DoD contractors under CMMC is the requirement to undergo external security assessments, which will help filter out nefarious entities and shell companies. DHS and GSA are already imposing CMMC standards on their own supply chains, and government contractors will be following suit quickly.

How REDCOM mitigates supply chain risks

REDCOM is one of the few tech companies that always resisted the impulse to outsource. While competitors rushed to offshore as many jobs as possible, REDCOM realized that the risks to security and quality far outweighed any potential cost savings.

Because the products we build at REDCOM are at the heart of mission-critical communications networks in the defense sector, we take the development of hardware and software very seriously. In fact, we are so concerned with security and supply chain management that we own and operate a manufacturing facility at our main campus in Victor, NY. REDCOM designs, engineers, and manufactures all of our products in the United States, and we work only with vetted and trusted suppliers to ensure that we source the best and most reliable components for every product. REDCOM has proactively addressed every step of the supply chain to reduce risk, and our products are TAA compliant.

From a software perspective, all our engineers are U.S. persons working out of our headquarters. The same internal development team that handles new development is also responsible for patches and support. We do not outsource software engineering to developers in foreign nations. REDCOM does leverage open-source software where it makes sense, but we only select software that we have vetted and that has been proven and thoroughly tested by the industry. Large open-source projects (e.g. Apache, OpenSSL, and FreeBSD) have established review and vetting processes that tightly control the content of their releases. Those processes reduce, but do not eliminate, the chance of a vulnerable release, so vetting does not stop at selection: we track upstream security advisories for the components we ship and patch them through the same internal team.

REDCOM is always working to improve our security posture. Here are just some of the things we are focusing on:

  • We are constantly evolving our cybersecurity policy and honing our cyber incident response procedures.
  • We use NIST SP 800-171 as our foundation and will be targeting CMMC certification as it becomes available to us in the DoD’s phased rollout.
  • Wherever possible we have moved away from commercial cloud platforms in favor of FedRAMP-authorized GovCloud platforms.
  • Our manufacturing business unit, REDCOM EMS, is focused on meeting and exceeding the most rigorous industry standards, with a quality management system certified to ISO 9001:2015, AS9100D (aviation, space, and defense), and ISO 13485 (medical devices).

The REDCOM Advantage

REDCOM’s stance on supply chain security and cybersecurity gives us several distinct advantages for our customers, including:

  • Shorter turns on development – With all software and hardware engineering efforts under one roof, we can adapt quickly to customer requirements without compromising security.
  • U.S.-based manufacturing – Our manufacturing lines are located in upstate NY, within our wholly-owned secure facility.
  • U.S.-based support – All support calls are answered and resolved by our in-house technical staff in upstate NY.
  • Focused roadmap – Our focused roadmap drives specialized solutions for our targeted customer segments in the commercial, strategic, and tactical marketplaces. The way we have structured our business allows us to pivot quickly to emerging trends in the marketplace and keep up with DoD directives.
  • Established certification cadence – Our predictable certification cadence ensures our products comply with the latest guidance from programs and certifying organizations such as FIPS 140 validation, JITC, and the NSA. This ensures our products are continually being validated for interoperability and cybersecurity.