
ABSTRACT

The future of Systems Engineering will include a holistic and integrated approach to managing system security to deliver cyber resilient and secure systems. This article presents Cyber Supply Chain Risk Management (C‐SCRM), a System Security Engineering Role, as an overlay to the 11 Security Concepts outlined in the IS21 paper entitled Security in the Future of Systems Engineering (FuSE), a Roadmap of Foundation Concepts. C‐SCRM is the process, tools, technology, and techniques by which global supply chain cyber threats and vulnerabilities undergo evaluation, how stakeholders assess likely system mission impacts, and select mitigations to reduce the risks. C‐SCRM performs a program System Security Engineering role in relation to procurements and subcontracts throughout the entire supply chain. This important new role requires proficiencies in system security engineering, supply chain risk management, software & firmware assurance, microelectronics ecosystem, and systems engineering. This new role's unique and differentiating responsibilities address the risk spectrum from counterfeit to maliciously modified components. C‐SCRM includes use cases as well as, more distinctively, the misuse cases not covered by other existing roles. C‐SCRM is responsible for not only ensuring the components integrated into subassemblies function as intended, but also for considering attack surfaces which may present opportunities for adversaries to gain access, affect system performance, deny service, or allow data exfiltration.
