current risk environment, this is a dangerous practice that contributes to cybersecurity and
supply chain risk by increasing the possibility of receiving counterfeit, tainted, or even malicious
products and services.


In most cases, when ICT products and services are not acquired directly from the OEM or from
its authorized partner / reseller channel, they are not eligible for warranties or technical
support, which increases business risk in addition to cyber risk.

Sadly, there are many documented examples of acquisitions that resulted in delivery of
equipment that did not function properly; instances where boxes appeared to have been
tampered with; and / or uncertainty at delivery as to whether the product in the box was authentic or
even new. This presents unnecessary risk to the government and should be of great concern,
especially as it regards high impact and mission critical systems.

Many in government look at the private sector as the culprit in the growing cybersecurity and
supply chain risk management challenge. However, government's own opportunity to reduce risk
immediately is long overdue: it lies in addressing dated acquisition practices that focus on cost
and schedule and do not treat security and authenticity as primary measures in the
procurement evaluation process.

Recently, we have seen language in Requests for Information (RFIs) and Requests
for Proposals (RFPs) that actually addresses this issue and requires a prospective provider to
attest to the authenticity of the products and services offered, even validating that the
acquisition would be from an authorized OEM or one of its designated partners or resellers.
Those examples are sporadic and should become required practice in federal procurements.

Some argue that such practices would be cumbersome for acquirers attempting to deal with
obsolescence and the need to purchase replacement parts that may no longer be manufactured
by the OEM. This is a valid issue, but it too can be addressed. If a department or agency
decides to maintain and extend the life of a system for which original parts are no longer
available, then an acquisition to procure such parts should include a written Justification and
Approval (J & A) signed by an authorized designated approving authority. This
would shift any liability from the OEM to the acquirer who chooses to make such an acquisition
from the gray market, from an online broker, or from some other untrusted source.

We also must remember that our adversaries know about these acquisition practices and have
exploited the government's systems and supply chain by flowing non-secure and non-authentic
products into the broker and gray market channels used by procurement officials. The
often false presumption that the lower advertised pricing from unauthorized providers is saving
money and meeting acquisition requirements can produce potentially debilitating results. In the
current risk environment, and with a history of evidence illustrating the use of different tactics,
techniques, and procedures by criminals and adversaries to penetrate government systems and
supply chains through the acquisition process, it is a potentially dangerous approach to continue
practices that focus on cost and schedule without sufficient checks and balances to validate the
authenticity of products and services purchased. Our national and homeland security demand


9 Cyber Warnings E-Magazine – June 2015 Edition
Copyright © Cyber Defense Magazine, All rights reserved worldwide