The small computer chips in just about everything from weapon systems to IT platforms often take a long and winding supply chain journey before joining Department of Defense networks.
So the Navy recently acquired a new supply chain risk assessment tool from KSM Consulting for quicker analysis of its microelectronics and to serve as an example in monitoring broader supply chains for IT-related products.
To determine if a product is safe for the Navy’s networks, analysts pore over documents that show if a company is vulnerable to adversary influence. Much of that requires collecting financial records, public data and private information held by the DOD, a process that on average takes around 80 hours of work — or, “a bunch of googling,” John Roach, executive vice president of data analytics at KSM Consulting, told FedScoop.
“We have automated all of that data gathering process,” Roach said in an interview.
The new tool acquired by Naval Surface Warfare Center-Crane Division — the Automated Microelectronics Analysis & Reporting Optimization (AMARO) solution — uses natural language processing to gather public and private information on companies in the microelectronic supply chain and extract important text. This allows analysts to get straight to the point determining a company’s supply chain trustworthiness.
AMARO is cloud-native and built to be scaled. It also shows a path forward for broader supply chain management tools on other IT-related products the DOD has been looking for.
“We are excited to roll out this technology to the field,” said Adam Hauch, supply chain awareness and security technical lead for DOD. “The AMARO tool will allow us to quickly and thoroughly examine the supply chain of commercial microelectronics, as well as identify vulnerabilities and over-reliance in a more strategic manner.”
Microelectronics are the core of DOD’s vast hardware-based networks and can cause major problems if they are faulty or compromised by adversaries, Roach said.
“At the end of the day everyone thinks about software, but the software also controls some piece of hardware,” he said.
The acquisition comes as senior DOD officials have said they are looking to move to a zero-trust model for microelectronics. That would mean the department assumes a level of risk inherent in the product, requiring security checks at every step of the way instead of a one-and-done approval.
Even in a zero-trust approach, Roach said supply chain monitoring will still be needed for chips and other products. Having better insights into the supply chain will give the Navy and other parts of the DOD more information on a host of challenges, from deciding whether to buy new products or repair existing ones to determining where threats from foreign ownership are.
“This is a capability that will directly lead to improving our supply chain awareness and security,” Hauch said.