“Attached is the final report of the Defense Science Board Task Force on Cyber Supply Chain. The task force assessed the organization, missions, and authorities that encompass the use of microelectronics and components in Department of Defense (DoD) weapons systems. The task force addressed:
- practices to mitigate malicious supply chain risk and latent vulnerabilities, and whether opportunities exist to modify or strengthen these practices;
- current Department program protection processes, as well as other practices to detect and assess potential vulnerabilities in hardware and software;
- the extent to which commercial off-the-shelf vulnerabilities have been reported and impact the security of DoD systems; and
- interagency activities that DoD could better leverage to reduce supply chain risks.
The task force found that the capital cost of maintaining a DoD-owned Trusted Foundry is not a feasible expense. The task force recommends that the Department develop a long-term strategy for access to state-of-the-art commercial foundry capabilities that does not rely exclusively on trust; and continue research and development (R&D) investments of DoD agencies for a technology-enabled strategy that fosters new tools to better defend against cyber supply chain attacks.
The task force concluded that the Under Secretary of Defense for Acquisition, Technology and Logistics (USD(AT&L)) must strengthen lifecycle protection policies, enterprise implementation support, and R&D programs to ensure that DoD weapons systems are designed, fielded, and sustained in a way that reduces the likelihood and consequences of cyber supply chain attacks.”