Integration of Supply Chain Risk Management into the Enterprise Risk Management Program for the Department of Defense
S. Raschid Muller, Corey E. Thomas
Citation: Proceedings of the 2022 International Conference on Research in Management & Technovation, Viet Ha Hoang, Vijender Kumar Solanki, Nguyen Thi Hong Nga, Shivani Agarwal (eds). ACSIS, Vol. 34, pages 37–41 (2022)
Abstract. This paper explores the integration of supply chain risk management (SCRM) into the enterprise risk management (ERM) program across the Department of Defense (DoD) for three main reasons: responsibility, necessity, and visibility. Multiple laws, orders, policies, strategies, and standards hold Federal leaders responsible for their agencies' performance. The global nature of the DoD's supply chain, its dependency on information technology, and the constant threats in the cyber realm make it necessary to integrate SCRM into the ERM program. Should DoD leadership lose sight of these threats, the impact on the enterprise could be catastrophic; DoD leaders must therefore maintain visibility of the supply chain as part of the ERM program. While many organizations have treated SCRM and ERM separately over the years, technology and the exponential growth of cyber threats have brought those days to a close. The importance of the supply chain to mission accomplishment, coupled with persistent threats in the cyber realm, makes the integration of SCRM and ERM a requirement. This paper explains these issues and gives multiple examples of why integration is imperative. Should the DoD make SCRM part of its ERM program, the chances of remaining a dominant global force will continue well into the future for cybersecurity professionals working in U.S. organizations.