Category Archives: Risk Management

Supply Chain Risk Management Reliability Standards

A Proposed Rule by the Federal Energy Regulatory Commission …

The Federal Energy Regulatory Commission (Commission) proposes to approve supply chain risk management Reliability Standards CIP-013-1 (Cyber Security – Supply Chain Risk Management), CIP-005-6 (Cyber Security – Electronic Security Perimeter(s)) and CIP-010-3 (Cyber Security – Configuration Change Management and Vulnerability Assessments). The North American Electric Reliability Corporation (NERC), the Commission-certified Electric Reliability Organization, submitted the proposed Reliability Standards for Commission approval in response to a Commission directive. In addition, the Commission proposes that NERC develop and submit certain modifications to the supply chain risk management Reliability Standards.


Docket DARS-2015-0038, Detection and Avoidance of Counterfeit Electronic Parts–Further Implementation (DFARS Case 2014-D005)

Comment period is closed for Docket DARS-2015-0038, Detection and Avoidance of Counterfeit Electronic Parts–Further Implementation (DFARS Case 2014-D005).
Written comments are available at

Defense Federal Acquisition Regulation Supplement: Requirements Relating to Supply Chain Risk

DoD has adopted as final, with changes, an interim rule amending the Defense Federal Acquisition Regulation Supplement (DFARS) to implement a section of the National Defense Authorization Act (NDAA) for Fiscal Year (FY) 2011, as amended by the NDAA for FY 2013. This final rule allows DoD to consider the impact of supply chain risk in specified types of procurements related to national security systems. …

More at Federal Register

Federal Register | Public Inspection: Revised Critical Infrastructure Protection Reliability Standards

“The Federal Energy Regulatory Commission (Commission) proposes to approve seven critical infrastructure protection (CIP) Reliability Standards …

“… the global supply chain also enables opportunities for adversaries to directly or indirectly affect the management or operations of companies that may result in risks to the end user. Supply chain risks may include the insertion of counterfeits, unauthorized production, tampering, theft, or insertion of malicious software, as well as poor manufacturing and development practices. To address these risks, NIST developed SP 800-161 to provide guidance and controls that can be used to comply with Federal Information Processing Standard 199 Standards for Security Categorization of Federal Information and Federal Information Systems. …”

via Federal Register.

Homeland Security Foundation of America Focuses on Counterfeit Mitigation in the DHS Supply Chain

Homeland Security Foundation of America (HSFA) Public Safety Committee Chairman Matthew Anthes announced a plan to help identify vulnerabilities within the U.S. Department of Homeland Security (DHS) supply chain. The effort stems from a recent publication titled “Maintaining a Secure Homeland: A Plan to Keep Counterfeit Parts out of the Supply Chain”, in which HSFA discusses the risks of government agencies using counterfeit parts. In the white paper, HSFA recommends that DHS and other law enforcement agencies implement a risk-based process for procuring components that are no longer available from Original Equipment Manufacturers (OEMs) or their authorized distributors.

via Homeland Security Foundation of America.

Auto insurers accused of pushing cheap and sometimes dangerous repairs

Think of “Performance Based Logistics” as a form of insurance …

“Car repair shops say auto insurance companies are coercing them to use cheap parts and sometimes dangerous practices to fix vehicles involved in accidents.”


“Risk Based Thinking” Vs. “Faith Based Thinking”

“Risk-based thinking” and “risk-based approaches” have become popular themes in a number of quality, project and technical management circles, including counterfeit part avoidance and detection practices. The final rule under DFARS Case 2012-D055 discusses the use of a risk-based approach for a contractor's counterfeit electronic part detection and avoidance system. New industry standards introduce risk-based thinking into the selection of tests and inspections used to detect counterfeit parts.

In the following article, Dr. David E. Frick describes the hazards of assigning levels of risk on the basis of esoteric analysis rather than risk assessments supported by empirical data and defensible estimates …

David E. Frick, Ph.D., “The Fallacy of Quantifying Risk”, Defense AT&L Magazine, September–October 2012, pp. 18-21

In a recent opinion piece, quality management system expert Chris Paris (author of Eyesore 9001) discusses the problems facing users of the new “risk-based thinking” requirements and offers an important warning …

What is ISO 9001′s “Risk-Based Thinking” Anyway?

As with other applications of “risk-based thinking”, when studying the basis of counterfeit part risk assessment methods, the user community should beware of “faith-based thinking” approaches that transfer risk to the end user rather than reduce it.

NOTE: For those of you in the New York City area next week, Chris Paris will be speaking on the subject of “risk-based thinking” at an event sponsored by the NY/NJ Metro Section of ASQ – “Risky Business: Surviving the Future of ISO 9001:2015”

“Cybersecurity Standards: Managing Risk and Creating Resilience” – IEEE

Collier, Zachary A.; DiMase, Daniel; Walters, Steve; Tehranipoor, Mark Mohammad; Lambert, James H.; Linkov, Igor, “Cybersecurity Standards: Managing Risk and Creating Resilience,” Computer, vol. 47, no. 9, pp. 70-76, Sept. 2014

doi: 10.1109/MC.2013.448

Abstract: A risk-based cybersecurity framework must continuously assimilate new information and track changing stakeholder priorities and adversarial capabilities, using decision-analysis tools to link technical data with expert judgment.

Available through IEEE

Wanted: evidence-based cyber risk ratings (The Problem With Cyber Insurance)

The issues described in this article are very similar to the challenges of quantifying a risk-based approach to counterfeit electronic part avoidance and detection …

The Problem With Cyber Insurance – Information Week / DARKReading

Practical Solutions for Eliminating Risk of Counterfeit Parts – 2013 SAE Counterfeit Parts Avoidance Conference

Tyler Moore, Director of Supply Assurance for Arrow Electronics, gave this presentation at the SAE 2013 Counterfeit Parts Avoidance Symposium held Sept. 27, 2013, in Montreal, Canada.