New Reference Model Addresses Supply Chain Security

White paper from SAIC and the Supply Chain Management Center addresses the challenge of keeping distributed, global networks secure from threats with a well-defined and integrated model built upon a dynamic governance structure that unites hardware and software planning

June 16, 2009



COLLEGE PARK, Md., June 15 /PRNewswire-USNewswire/ -- A collaborative white paper, Building A Cyber Supply Chain Assurance Reference Model, released today by Science Applications International Corporation (SAIC) (NYSE: SAI) and the Supply Chain Management Center at the University of Maryland's Robert H. Smith School of Business, tackles the nation's cyber threat -- now elevated to a presidential imperative -- with an outline for an innovative model that applies end-to-end supply chain management to cyber security for the first time.

The white paper marks the final phase of a six-month project and addresses a key discovery - that global cyber supply chains today are as fragmented as physical supply chains were 15 years ago. The paper follows the Obama administration announcement of a White House cyber czar to develop strategy to protect the nation's government and private computer networks while balancing national security and economic concerns. With the cyber industry increasingly spread across many different countries around the world, globalization has intensified the potential threats.

"There are strong parallels in the evolution of the global supply chain that can be applied to the field of cyber security," said Sandor Boyson, co-director of the Supply Chain Management Center at the University of Maryland's Robert H. Smith School of Business, a former Smith School chief information officer and one of the project's key researchers. "Both disciplines have labored to gain visibility over operations and establish more collaborative and robust business ecosystems with customers, distributors and suppliers on a worldwide basis. In creating a framework that includes a common lexicon and by highlighting shared responsibilities, we hope to heighten awareness of this interlaced, larger supply chain world and the need to create a governance structure that is adaptive enough to meet real-world challenges."

Drawing best practices from the evolution of the global supply chain, researchers from the Smith School's Supply Chain Management Center address the challenge of keeping distributed, global networks secure from threats with a well-defined and integrated model built upon a dynamic governance structure that unites hardware and software planning. The result offers potential for a significant advance in combating cyber threats, viruses and attacks and represents a dramatic paradigm shift from current industry practices.

"It is a national security imperative in a global economy that we have confidence in the supply chains of integrated systems and the integrity of the people, processes and technology that comprise them," said Hart Rossman, chief technology officer for Cyber Security Solutions at SAIC and a senior research fellow of the Supply Chain Management Center at the University of Maryland's Robert H. Smith School of Business. "The fusion of these two dynamic disciplines -- supply chain risk management and cyber security -- will help address emerging threats and vulnerabilities presented in the sourcing of IT solutions worldwide. The framework identifies interdependencies between system development life cycle activities across the supply chain, providing insight and guidance to create flexible mitigation strategies according to the risk appetite of an organization."

The Cyber Supply Chain Assurance Reference Model defines not only key actors, processes, and vulnerabilities, but also identifies strategic interdependencies at each node of the international production/sustainment chain. Among the paper's key findings are:

-- A fully integrated cyber supply chain requires the coordination of what researchers describe as "defense in depth," the process of securing/hardening core systems and their constituent parts during the build and deploy phases of the lifecycle; and "defense in breadth," the process of securing the global web of actors who use and maintain a system, including customers, system integrators and suppliers.

-- There is a lack of visibility and coherence across the cyber supply chain, which prevents effective orchestration and synchronization.

-- There is a clear need for structured incentives and relationship drivers which facilitate management of shared risk.

-- Lack of communication between the cyber and physical supply chain domains is constraining advancement.

-- Most organizations mistakenly view themselves as the terminus in the cyber supply chain and do not recognize the need for accountability within all internal function areas, as well as among all suppliers, customers and partners.

The four-phase project drew on insight and best practices across disciplines. The first phase included a literature review, while phase two incorporated input following extensive interviews with experts in the areas of policy making and governance, acquisitions, hardware, software, network and systems-integration assurance. In phase three, researchers compiled interview results, analyzed findings and presented a prototype Cyber Supply Chain Assurance Reference Model to a focus group of 30 government and industry executives. The research team included Boyson, Thomas Corsi, co-director of the Smith School's Supply Chain Management Center, and Rossman. A copy of the paper, Building A Cyber-Supply Chain Assurance Reference Model, is available at:

The project was funded through SAIC's Strategic University Alliances initiative, which focuses on campus activities in support of the company's strategic goals, particularly strengthening the science and technology core of SAIC. The next stage of research will begin later this month and will focus on field work with a select group of public and private organizations to validate the reference model and develop data collection tools.

With cyber security targeted as an area of strategic emphasis, the U.S. government is expected to work closely with security companies and other private companies to help secure U.S. interests - especially the government and key infrastructure - from future attacks.


SAIC is a FORTUNE 500(R) scientific, engineering, and technology applications company that uses its deep domain knowledge to solve problems of vital importance to the nation and the world, in national security, energy and the environment, critical infrastructure, and health. The company's approximately 45,000 employees serve customers in the U.S. Department of Defense, the intelligence community, the U.S. Department of Homeland Security, other U.S. Government civil agencies and selected commercial markets. SAIC had annual revenues of $10.1 billion for its fiscal year ended January 31, 2009. For more information, visit SAIC: From Science to Solutions(R)

About the University of Maryland's Robert H. Smith School of Business

The Robert H. Smith School of Business is an internationally recognized leader in management education and research. One of 13 colleges and schools at the University of Maryland, College Park, the Smith School offers undergraduate, full-time and part-time MBA, executive MBA, MS, PhD, and executive education programs, as well as outreach services to the corporate community. The school offers its degree, custom and certification programs in learning locations in North America and Asia.

Contact: Carrie Handwerker 301-405-5833 [email protected]

Melissa Koskovich 703-676-6762 [email protected]
