Criticality analysis and the supply chain: Leveraging representational assurance

System builders who plan to acquire information and communication technology (ICT) products must consider two key risk factors (among many) while planning for the acquisition and design of their systems. They must understand the inter-relationships of all assembled products in any new planned system in terms of its resilience under attack. These system owners will also increasingly assess the risks they may inherit from a global interconnected supply chain. To address these concerns, the recommendation in this paper is for providers of Commercial-Off-the-Shelf (COTS) technology products to perform a criticality analysis on their own products to gauge resilience, rather than later be confronted by an acquirer attempting to solely reverse engineer the system as part of supply chain due-diligence. This paper illustrates the roles that technology providers and system owners each play in following the outlined approach that highlights key risk factors of the tiered suppliers for product elements deemed most critical. ICT COTS providers who do not want to divulge sensitive information about their suppliers can use a “representational assurance” approach to convey meaningful information to potential acquirers without undue disclosure. Analytical graphics such as “Treemaps” can help all parties illustrate where to best focus their attention regarding critical operational risk and supply chain risk. The same data that providers track internally to manage product assurance can be leveraged to support meaningful representational assurance to acquirers. This approach improves the current state where data disclosure by technology providers is seen by acquirers, despite being unrealistic, as the best means to gain confidence in the technology supply chain.