Supply Chain Dilemmas


ABSTRACT

Supply chains for complex integrated software systems can have elements drawn from vendor components, open source components, networked services, and custom development. As sourcing becomes more extensive and diverse, there is often a corresponding loss of transparency, which diminishes both the ability to support confident test and evaluation (T&E) and the capacity to fairly allocate accountability.

It is instructive to compare engineering practices for diversely sourced integration with practices typical of fully organic supply chains, where an organization implements a bias to build rather than buy, with exceptions for open source. These organic supply chains afford high levels of transparency and control, which in turn can facilitate creation and sustainment of bodies of direct evidence that can support confident, efficient, and continuous T&E judgments.

A dilemma in at-scale systems engineering is how to achieve the benefits now seen in many organic supply chains, but in a context of diversely sourced supply chains for integration. The benefits are highly desirable, combining higher levels of assurance with rapid adaptability. For example, many of the larger-scale adoptions of formal methods are in organic contexts and are driven by immediate business needs. Despite these experiences, however, the benefits of direct evidence (vs. process compliance) may seem inaccessible to integrators, given the reality of business and acquisition norms.

But perhaps not. This talk examines the challenges of integration supply chains and offers some potential approaches.

BIO

Dr. William Scherlis assumed the role of office director for DARPA’s Information Innovation Office (I2O) in September 2019. In this role he leads program managers in the development of programs, technologies, and capabilities to ensure information advantage for the United States and its allies, and coordinates this work across the Department of Defense and U.S. government.

Scherlis joined DARPA from Carnegie Mellon University (CMU), where he is a professor of computer science. He served for 12 years as director of CMU's Institute for Software Research (ISR), overseeing research and educational programs related to software development, cybersecurity, privacy engineering, Internet of Things, network analysis, mobility, systems assurance, and other topics. During 2012 and early 2013 he was the acting chief technology officer for the Software Engineering Institute, a Department of Defense FFRDC at CMU.

Earlier in his career, Scherlis served as a program manager and later in the Senior Executive Service at DARPA, developing programs in areas such as software technology, computer security, and information infrastructure. At DARPA, he also participated in the initiation of the High Performance Computing and Communications (HPCC) program (now NITRD) and in defining the concept for CERT-like security organizations, hundreds of which now operate in more than 90 countries.

Scherlis has led multiple national studies including the National Research Council study committee that produced the report “Critical Code: Software Producibility for Defense” in 2010. He also served multiple terms as a member of DARPA’s Information Science and Technology Study Group. He has been an advisor to major technology firms, defense companies, and venture investors, and has served as program chair for a number of technical conferences including the ACM Foundations of Software Engineering Symposium and the ACM Symposium on Partial Evaluation and Program Manipulation. He is a fellow of the IEEE and a Lifetime National Associate of the National Academy of Sciences.

Scherlis joined the CMU faculty after completing an undergraduate degree in applied mathematics at Harvard University, a year in the Department of Artificial Intelligence at the University of Edinburgh as a John Knox Fellow, and a doctorate program in computer science at Stanford University. His personal research relates to software assurance, cybersecurity, software analysis, and assured safe concurrency.

License: CC-2.5
Submitted by William Scherlis on