USAF Supply Chain Protection and Cyber Weapon System Infrastructure Accreditation

  • By 688 CW

Common attacks on large IT footprints frequently begin as supply chain breaches targeting IT devices or the supporting infrastructure for data centers, such as HVAC and SCADA systems. Components within these devices can be manufactured with malicious intent or with hidden defects designed to be exploited at a later date. Furthermore, because the DoD supply process relies on competition, businesses may increase their profit margins by selling counterfeit or remanufactured products as new. How is the Air Force currently protecting, certifying, and ensuring the physical chain of custody for its IT supply chain and facility infrastructure, and what industry best practices should be adopted to ensure hardware quality and integrity?

Beyond physical custody, how can the Air Force subsequently accredit these IT systems and infrastructure tools in a more efficient, trackable, and consistent manner once they reach the network? Currently, IT systems are logged in the Enterprise Mission Assurance Support Service (eMASS) after receiving an Authority to Operate (ATO) following a Risk Management Framework (RMF) review. While each base enclave is expected to maintain an ATO for its network, enterprise and weapon system infrastructure residing at the base often leads to conflicts. Because the enterprise and each cyber weapon system do not have an overarching eMASS package, they require an individual eMASS package for each tool as it is onboarded.

Ultimately, how can the Air Force holistically merge physical supply chain defenses with reformed administrative accreditation processes to protect its critical IT networks from end to end?

  • Bond, Maj. Cash, "Redefining the Cyber Edge: Operational Technology Should be Foundational to Cyber Training Pipelines," AF Fellows, 2025.
    • Bond addresses this question directly, explaining that traditional IT security often ignores mission-critical support infrastructure like HVAC and power systems, which are managed by highly vulnerable operational technology (OT). To secure this infrastructure, he recommends the military adopt several commercial industry best practices, most notably "cross-functional teaming" that formally pairs IT data architects with OT engineers to build a collaborative working relationship. Furthermore, he advises using the Purdue Model to carefully segment IT and OT networks to create "digital blast zones" that contain breaches, and employing integrated, ontology-based vulnerability management alongside Adversary-Centric Security Testing to discover and manage unpatchable flaws in legacy OT devices.
  • Levene, Col. David, "Causes of Vulnerabilities and Key Threats to Defense Supply Chains," NDU course paper, 2025, 17 pgs. 
  • Massey, John B., "Protecting the Supply Chain of US Military Technology," AWC Strategic Studies Paper, 2020, 38 pgs.