A new Defense Department inspector general report found Air Force Space Command's supply chain could be vulnerable to adversary infiltration because of poorly implemented risk-management policies.
The DOD IG took an in-depth look at supply chain risk on the Air Force's Space-Based Infrared System and conducted a limited review of the service's Satellite Control Network, the Family of Advanced Beyond-Line-of-Sight Terminals and the GPS Next-Generation Operational Control Segment.
According to the report, released Aug. 16, the Air Force made some effort to establish risk controls on SBIRS, but fell short in several areas, largely in analyzing critical components, conducting threat assessments of suppliers who provide those parts and incorporating "rigorous test and evaluation" processes. The report notes that while AFSPC did conduct many of the required analyses, the work was not thorough enough to provide key security information.
Less intensive reviews of the AFSCN, FAB-T and GPS OCX supply chains yielded similar findings.
"As a result, an adversary has the opportunity to infiltrate the Air Force Space Command supply chain and sabotage, maliciously introduce an unwanted function, or otherwise compromise the design or integrity of the critical hardware, software and firmware," the report states.
In response, the Air Force said it plans to conduct a "criticality analysis" to identify and compile critical components and conduct threat assessments on major suppliers. AFSPC also plans to use those reports to identify risk and develop possible mitigations. The service plans to adopt more modernized reuqirements and verification processes -- assessed by an independent third party -- to make sure systems and components are secure.
AFSPC also plans to conduct a supply chain risk management review of AFSCN, FAB-T and GPS as well as other critical programs.