Defense Industry Companies Launch Supply Chain Cybersecurity Task Force

supply chain 2 responsive default security

The Defense Industrial Base Sector Coordinating Council (DIB SCC) announced the chartering of the Supply Chain Cybersecurity Industry Task Force to identify, prioritize, oversee and drive adoption of implementable solutions to protect controlled unclassified information throughout the supply chain.

Mike Gordon, Chief Information Security Officer (CISO) for Lockheed Martin, chairs the DIB SCC. Gordon explained, "This task force will use the DIB SCC construct to serve as a focal point for industry collaboration across the supply chain, leveraging input and efforts from small to large companies. Our objective is to help identify and implement adversarial-focused solutions that enhance the cyber posture of companies throughout the multi-tier supply chain."

"We recognize that nation states and other attackers are aggressively targeting suppliers at all tiers of the DIB supply chain in an effort to steal or alter intellectual property and DoD information residing on company networks," said J.C. Dodson, Vice President, Cybersecurity and Global CISO, for BAE Systems. "This task force will help to ensure the appropriate level of collaboration to eliminate vulnerabilities and protect critical national security information."

The formation of the task force marks the continued evolution of information sharing and collaboration within the defense industry, but sharply focuses on supply chain cybersecurity activities and will serve as an on-going mechanism to drive change to improve the resilience of the DIB. "By creating a focused construct for repeatable idea generation, and a trial and execution engine under the DIB SCC, industry will better be able to coordinate and partner with DoD task forces and agencies focused on the same problem," said Dr. Michael Papay, Vice President and CISO for Northrop Grumman Corporation (NGC).

Initial focus areas for the task force include evolving requirements to focus on advanced persistent threat (APT) tactics, enhancing oversight and accountability, driving implementation of paradigm changing approaches and establishing enduring partnerships across industry and with the DoD. Jeff Brown, Vice President and CISO, Raytheon Company, said, "There is no one single solution that can secure the supply chain. We need to bridge potential technical solutions and multi-tier implementation approaches to enhance protections throughout the supply chain."

Task Force members are comprised of small, medium and large companies who form the DIB SCC. Founding members of Task Force are BAE Systems, Boeing, Lockheed Martin, Northrop Grumman and Raytheon. "The importance of working together to address this issue cannot be understated, input from companies of all sizes is important to ensuring proposed approaches will actually work," said Scott Regalado, Sr. Director, Information Security and Boeing Sr. leadership representative, Boeing Company.

Steve Shirley, Executive Director, National Defense Information Sharing and Analysis Center (NDISAC) explained that US national policy for critical infrastructure protection encourages the creation of sector coordinating councils (SCCs) and counterpart US Government coordinating councils (GCCs). Shirley, who is also SCC Vice Chairman, noted the underlying policy affords an exemption to the Federal Advisory Committee Act, and is a means to conduct iterative dialogs to drive collaborative solutions between Government and Industry. "There's a higher potential for an optimal outcome when there is a collaborative process," Shirley emphasized. The DIB SCC is nested within the NDISAC for administrative and staff support.

ON DEMAND: Business-impacting events such as severe weather, man-made disasters, and supply chain disruption are increasing in frequency and making impacts around the globe.

In today's rapidly evolving security landscape, organizations face an ever-growing array of disruptive events, security threats and risks. Traditional reactive approaches to security intelligence often leave businesses vulnerable and ill-prepared to anticipate and mitigate emerging threats that could impact the safety of their people, facilities or operations.