Additional metadata
Name/Id: ACF1608 / Microsoft Managed Control 1608
Category: System and Services Acquisition
Title: Supply Chain Protection
Ownership: Customer, Microsoft
Description: The organization protects against supply chain threats to the information system, system component, or information system service by employing standardized purchase orders, routine business reviews, performance metrics, QA checks, and other practices as described below. In addition, Microsoft processes, procedures, and technologies are in accordance with (IAW) the intent of DoDI 5200.44, Protection of Mission Critical Functions to Achieve Trusted Systems and Networks (TSN), as part of a comprehensive, defense-in-breadth information security strategy.
Requirements: "One Microsoft" Supply Chain assurance efforts consist of numerous capabilities executing a corporate strategy that contributes to protecting Azure.
Procurement
During the initial supply chain phase, the Procurement team protects against supply chain threats by facilitating the creation of the purchase order to our suppliers, ensuring a consistent approach.
Customer Operations
Customer Operations performs routine business reviews with our suppliers, representing the needs and concerns of all Azure business groups. This team also works to support Azure business groups on standards definition and service capability. A key function of this team is to protect against any threats posed by suppliers during manufacturing by ensuring adherence to standard supply chain methodologies and processes.
Deployment Quality
During system integration or upon delivery of systems to our Azure datacenters for deployment, Deployment Quality works to ensure final delivery of the system to the Azure business group is done on time and free of defects. Working in conjunction with Supply Chain Automation, these capabilities monitor performance metrics, capture business group feedback, and lead cross-functional Supply Chain.
Supplier Relationship Management (SRM)
As systems move into the operations and maintenance phase of the life cycle, SRM protects Azure by managing and facilitating the supplier complaint process to drive root cause and corrective action within the suppliers’ supply chain. Supplier scorecards allow Azure to compare and visibly monitor the performance of our supply base utilizing a balanced scorecard approach.
Spares
Spares Management protects against supply chain threats by managing the determination and execution of obtaining spare components to support deployed devices within our Azure datacenters. Parts are spared to significantly reduce downtime of production equipment during a troubleshooting scenario, helping to ensure site up for our business.
To ensure security of the supply chain and protection against threats, Azure uses well-established suppliers with a proven track record to secure supply chain management. In addition, these suppliers have established Service Level Agreements with critical providers to ensure that additional spare parts and maintenance activities are performed in a timely manner.
Business Continuity
Microsoft manages a comprehensive Continuity of Supply program with redundancies across Systems Integrators and components suppliers wherever possible. There is a team which drives continuous analysis of multi-source vs single source and end of life transitions for components across the Bill of Materials. Strategic purchases and inventories are held in an ongoing program to ensure supply of critical components and last time purchases. Supplier financial health is assessed routinely with risk assessments and deeper engagements on areas of concern.
Asset Classification & Risk
Assessments are determined by a "One Microsoft" team at initial infrastructure design and build to meet market/customer compliance boundary requirements. In addition, there are existing processes for each service to provide its offering in each boundary, and processes are in place for designated high integrity devices and services.
Logistics
Microsoft continues to increase assurance in the complex global cloud supply chain by implementing a new global control tower capability, the next generation of supply chain visibility. The new capability delivers proactive intelligence on potential disruptions, including weather, traffic, and global events, which allows Microsoft to notify our customer as the disruptions occur in order to adjust and deliver successfully. In addition, Microsoft is placing sensors on high value shipments with GPS capability supported by light and temperature detection at fifteen (15) minute tracking intervals.
Validation
Microsoft employs a capability to discover, configure, and validate in-rack hardware. The validation is executed at the original equipment manufacturer (OEM) prior to shipment and again at the Microsoft datacenter.
Firmware
Microsoft employs firmware source code guidance, reviews, and penetration tests to identify security vulnerabilities at the firmware level.
Global Security Ecosystem Support
With capabilities including Threat Intelligence, Digital Crime Unit, Cyber Defense Operations Center, and Service Security Teams, the Azure Red Team coordinated overt and covert activities to validate and strengthen the Global Azure and Specific Sovereign Infrastructures. In addition, Third Party Assessment Organization (3PAO) penetration tests are part of the overall certifications.
Industry Leadership
The Microsoft Supply Chain Security program has maintained industry-leading low loss levels across the various supply chains for the past five (5) years. Microsoft is Tier 3 certified with Customs Trade Partnership Against Terrorism (CTPAT), a Homeland Security / Customs and Border Protection program, and is Authorized Economic Operator (AEO) certified in India, with Australia pending.
Global Leadership & Partnerships
Microsoft members maintain leadership roles in the Transported Asset Protection Association (TAPA) and the Alliance for Gray Market and Counterfeit Abatement (AGMA). In addition, Microsoft maintains active representation in the European Union, North Atlantic Treaty Organization, and World Trade Organization.