IT Supply Chain Risk

Step by Step to Managing Risk in the Federal IT Supply Chain

It’s a perilous world in information systems today. Threats can arise from cradle to grave in the IT life cycle. Critical systems can be compromised internally – within firmware and software – or during the logistical processes of IT configuration, deployment, and maintenance. Threats can be maliciously intentional, as with attacks from malware – or more in the nature of neglectful, as with the lack of transparency and control.

Yet as serious as these risks are, federal users can significantly mitigate them through smart use of a Supply Chain Risk Management (SCRM) model in the IT supply chain.


Effective SCRM is precisely what Q-wrxSM – Dynamic Computer Corporation’s unique QaaS (Quality as a Service) offering – is designed to help federal contracting officers and procurement officers achieve. Q-wrx is built upon Dynamic’s ISO-certified quality management system. For each Q-wrx customer, we provide a package of proprietary IT configuration and asset management processes, customized to the organization’s security regulations and quality standards.


SCRM with Q-wrx is basically an eight-stage program. Click the Q-wrx “wheel of IT compliance” above to enlarge it and read it in detail. Described below, in the form of questions to ask yourself, are the standards of performance we hold ourselves to, within each SCRM procedural stage, for our customers in U.S. federal and defense agencies. This should help you assess your own SCRM effectiveness – and whether you may need the help of a custom set of specialized SCRM processes, like you get with a Q-wrx package.

1. Order Conformance

Has the supplier matched all order requirements against approved customer standards? Has the supplier confirmed receipt and expected deliver date? Is the order life cycle transparent so that technology hand-offs to our technology team is seamless?

2. Procurement Quality Assurance

Has the supplier confirmed and approved authorized channels for procurement of the product? Has the supplier confirmed that we are receiving current, agreed-upon pricing? Has the supplier verified that no additional cost savings are available from the OEM? Has the supplier confirmed that the OEM will meet the expected delivery date?

3. Technical Quality Control

Does the supplier inspect incoming shipments to confirm specifications? When a program requires software imaging and hardware integration, has the supplier documented all requirements and verified through a checklist process that each and every step was taken? Has the supplier ensured that the system is 100% compliant with our requirements, and that hand-off to our technology team will be seamless?

4. Asset Intelligence

Has supplier documented and stored, in secured files, all system specifications, asset tag information, and software licensing information?

5. Document Control

Does the supplier have all appropriate SOPs, Certificates of Conformance (CoCs), and certified procedures securely documented and retained for future reference?

6. On-time, On-spec Logistics

Has the supplier inspected the product upon receipt and again upon delivery? Has the supplier complied with all of our packaging, labeling, and shipping requirements? Has the supplier provided our required traceability on all equipment to ensure seamless receipt into our locations?

7. Compliant e-Waste

Has the supplier provided secure destruction for decommissioned products? Has the supplier used responsible methods for disposal? Can the supplier verify compliance with current Department of Defense requirements for disposal?

8. Life Cycle Management

Throughout the program, has the supplier worked with us and the OEMs to smooth the transition to the next generation of technology? Has the supplier communicated technology roadmaps to us? Can the supplier provide inventory support during transition? Does the supplier have a first article validation process?

Strict adherence to these practices helps ensure that our customers in U.S. government (and other regulated environments; see this Q-wrx case study) receive precisely the IT products expected, operating in precisely the ways intended.