Cybersecurity and Supply Chain Risk Management Are Not Simply Additive: Implications for Directions in Risk Assessment, Risk Mitigation, and Research to Secure the Supply of Defense Industrial Products

Abstract

In mid-2019, the Air Force Research Laboratory (AFRL) asked RAND Project AIR FORCE (PAF) for assistance understanding how cyber-related risks compare with other risks to its defense-industrial supply chains (a scope that included supply chains for hardware, not supply chains for software per se) and exploring implications for risk assessment and mitigation and for research. Over the next 18 months, PAF sought to characterize cyber-related risks to supply chains and identify directions for addressing the distinct (unique, exceptional, and sometimes reinforcing) challenges that cyber-related risks pose to defense-industrial supply chains and, hence, to supply chain risk management (SCRM). This report discusses that PAF research effort. The effort was part of a larger undertaking that also explored national security policies at the nexus of cybersecurity and SCRM, as well as tools and frameworks for addressing cyber-related risks. The report complements a body of recent RAND work, including several studies on the cybersecurity of Department of the Air Force weapon systems and industrial control systems, cyber vulnerabilities, and global supply chain risks. It should be of interest to those seeking to secure the supply of defense industrial products from the risks of cyberattacks, primarily from the perspective of SCRM, and across research and policy communities. The research reported here was commissioned by AFRL and conducted within the Resource Management Program of RAND Project AIR FORCE as part of a fiscal year 2020 project, Cybersecurity of the Air Force Industrial Supply Chain.

Document Details

Document Type
Technical Report
Publication Date
Dec 01, 2020
Accession Number
AD1217096

Entities

People

  • Andrew J. Lohn
  • Daniel Ish
  • Gavin S. Hartnett
  • Jonathan W. Welburn
  • Karen Schwindt
  • Victoria A. Greenfield

Organizations

  • RAND Corporation

Tags

DTIC Thesaurus Topics

  • Air Force
  • Business Administration
  • Computer Network Security
  • Cyber Threats
  • Cyberattacks
  • Cybersecurity
  • Cyberspace Operations
  • Employment
  • Game Theory
  • Infectious Diseases
  • Information Security
  • Information Systems
  • Logistics
  • National Security
  • Risk
  • Risk Analysis
  • Software Development

Fields of Study

  • Computer science

Readers

  • Aerospace logistics and air mobility.
  • Cybersecurity.
  • Technical Research and Report Writing.

Technology Areas

  • Cyber