Navy awards deal for holistic cyber supply chain monitoring of airborne systems
Naval Air Systems Command has given Fortress Government Solutions a $95 million contract to implement a new software platform able to provide continuous monitoring of the service’s supply chain.
Under the five-year indefinite delivery/indefinite quantity (IDIQ) contract announced Wednesday, Fortress will deliver a suite of cyber supply chain risk management (C-SCRM) capabilities — including software, analytics, reporting tools and additional integration services. The platform will provide NAVAIR with detailed insights into its massive supplier base and alert program offices about potential risks, according to Don Archer, president of the company.
“This will be the first time NAVAIR has adopted a program that will give them the ability to look at any product [and] any system across the NAVAIR enterprise, dig into what the risks are associated with that product and then remediate those,” Archer told DefenseScoop in an interview.
Securing the Defense Department’s domestic supply chain has been a top priority under the second Trump administration, with officials highlighting concerns over adversaries infiltrating the American industrial base and exploiting data. The Pentagon has recently sought to reduce foreign-made hardware and software used in systems, as well as promote U.S.-based manufacturing.
The Navy’s new platform is derived from Fortress’s commercial C-SCRM offering and modifies it for use in the defense sector, Archer explained. It comprises tools that not only detail the entire supply chain of NAVAIR’s programs — which includes multibillion-dollar programs like the F-35 Lightning II fighter jet and MQ-25 Stingray drone — but also conduct continuous monitoring of vendors and their products, he said.
The comprehensive assessment for vendors will include a range of factors beyond potential cybersecurity risks, such as technology, operational location and financial health risks, Archer noted. The C-SCRM platform will also provide an analysis for the individual products and components in each of NAVAIR’s programs.
“We’re talking about NAVAIR being able to be alerted of vulnerabilities and exploits as they happen, and then be able to pinpoint exactly where those things and those vulnerabilities live in their supply chains,” Archer said. “What command, what asset, who’s monitoring it? Where does that thing live?”
In the past, responsibility for cyber supply chain management and mitigation has largely been shouldered by the defense industrial base. But despite the Pentagon knowing that risks do exist, liability is often shifted down the industrial base to subcontractors and other small businesses that don’t have adequate tools to protect their data from adversarial infiltration, he said.
By integrating Fortress’s C-SCRM platform and investing in continuous monitoring tools, Archer said the Navy is now taking some ownership of the issue to help lessen the burden for vendors.
“It’s important to us to ensure that the capabilities we’re building are actually secure, that we are actually working with the best vendors, and that we’re putting pressure in giving fidelity to the government of where their vendors may be at risk,” he told DefenseScoop.