Page 7 - cdm-2014
The approach applies widely accepted standards and industry best practices at each phase of
the product lifecycle. The product integrity program also covers software, since Juniper has
implemented a Software Development Lifecycle program.


The Juniper product integrity program addresses risk management from product concept to
delivery and disposal, and includes background checks for suppliers, vendors, and partners.
This program includes a holistic security approach to the product development lifecycle, relying
on a series of controls, education of employees and partners, and a continuous program of
review to identify opportunities for improvement.

The program has been effective globally. Thus far, the few documented cases of counterfeit or
tainted Juniper equipment in the marketplace have been traced to purchases that end users made
from unauthorized or untrusted sources.

As the risk environment evolves and threats increase, managing risk across the product
lifecycle will demand continued vigilance and ongoing improvements.


In addition, industry-led organizations such as The Open Group Trusted Technology Forum are
working diligently and collaboratively with government to develop consensus standards and best
practices to share broadly across the stakeholder community. Groups such as the Alliance for Gray
Market and Counterfeit Abatement are also doing commendable work to address counterfeit product
issues and to expose the activities of criminals and others who seek to profit from suspect
acquisition practices.

What role does the government itself play in addressing this challenge?

First, rather than simply passing laws and issuing draconian regulation and guidance that
assign culpability solely to the private sector, the government needs to look inward and examine
its own practices that contribute to the government's supply chain risk.

The culture in the acquisition community must change and procurement professionals must be
trained and resourced to include security and risk management in acquisition decisions.
Additionally, the government should implement a requirement that acquisition of IT hardware
and software products and services be from trusted and authorized sources.

If there is a compelling justification for going outside of the authorized chain, such as for
replacement parts or obsolete equipment, then that reason should be documented in writing and
authorized by a Designated Approving Authority. This step alone will reduce the risk of
counterfeit, tainted, or malicious equipment in the government supply chain.

Second, the government must improve the sharing of information about intrusions that are
attributed to supply chain vulnerabilities. That information should cover the tactics, techniques,
and procedures (TTPs) employed by the attackers, not the sources and methods that tend to cause
the information to be classified, and it should be shared broadly across the stakeholder
community.