It's not every day that you see an article that catches your attention. I mean...really catches your attention. But, that's exactly what happened to me this morning when i encountered this story describing how the Pentagon is tackling the critical issue of supply chain security based on a strategy called Deliver Uncompromised.
The story lays out an initiative in which billions of dollars worth of DoD contracts are awarded based on security assessments, and not simply cost and performance. To all of us at Sonatype who have long advocated for healthy innovation supply chains -- this move seems like a no brainer.
What a relief! Experts within the government are standing up and acknowledging that too little attention and resources are being directed toward protection of operational security or software assurance. These same experts state that, "responsibilities concerning threat information are siloed in ways that frustrate and delay fully informed and decisive action, isolating decision makers and mission owners from timely warning and action."
At Sonatype, we’ve long touted the teachings of Edwards Demings and the critical importance of "supply chain theory" in regards to software innovation and the use of open source and third party dependencies. Simply stated, we know that software development organizations (government and commercial alike) cannot innovate fast enough without "standing on the shoulders of giants" and borrowing ideas and code from others in the community. As Sir Isaac Newton once said: “I see further by standing on the shoulders of giants and I discover truth by building on previous discoveries.”
But, when you’re standing on top of others -- whether you're developing software, or missile systems -- it’s important to recognize that you’re only as strong as your weakest link. If you fail to consider this "supply chain" reality -- then you will soon be left to deal with the facts: “our adversaries are actively exploiting seams and shortcomings in areas such as information sharing, threat detection, and acquisition transparency.”
Fortunately, with proper governance, increased understanding of dependencies, and rapid feedback loops -- the strengths (and weaknesses) of your innovation supply chains will be laid bare for all to see. I applaud the DoD and Mitre for taking the initiative on this important front. Indeed, whether you’re talking about software applications, or national security, or both, there is an imminent need to better understand who you’re doing business with, and what’s coming into your house.