Cybersecurity Supply Chain Risk Management (C-SCRM): Validating the Integrity of Server and Client Devices

NIST’s NCCoE is developing a demonstration project to identify the perceived issues and challenges in supply chain assurance. When a device’s supply chain is compromised, the security of that computing device can no longer be trusted, whether it is a laptop, desktop or server. A primary focus of the workshop and the subsequent NCCoE demonstration project is to explore methods by which organizations can verify that their purchased computing devices’ internal components are genuine and have not been altered during the manufacturing and distribution process or after sale from a retailer. During the workshop, NIST will present its preliminary plans for this project, and subject matter experts in the field will present their views on the challenges in supply chain assurance and/or on enabling technologies and best practices to address those challenges. The resulting project also hopes to verify that components have not been tampered with or otherwise modified through the retirement of the computing device.

NIST explicitly solicits input from workshop participants on all aspects of the planned NCCoE demonstration project including the proposed scope, use cases and technologies to be considered, and sources of specifications and guidance. Once the project description is finalized, NIST will solicit organizations to directly collaborate in the technical project and the development of its outputs.

You are welcome to subscribe to our community of interest mailing list, where we will announce future updates and events for this project. To receive periodic updates about the process and opportunities to engage, subscribe to NIST’s NCCoE Supply Chain Assurance community of interest.


Workshop Agenda (subject to change)

8:30 - 9:00 a.m. Check-In, NCCoE Lobby

9:00 - 9:15 a.m. Safety Brief / Intro to NCCoE

9:15 - 9:30 a.m. Cybersecurity Supply Chain Risk Management Overview

9:30 - 9:45 a.m. NCCoE Project Description Overview

9:45 - 9:55 a.m. Trusted Computing Architecture

9:55 - 10:10 a.m. Break

10:10 - 11:35 a.m. Industry Session with invited speakers from:

Hewlett Packard, Inc.

Hewlett Packard Enterprise

Eclypsium, Inc.

11:35 a.m. - 12:05 p.m. Industry Panel Q&A

12:05 - 12:30 p.m. Wrap-up

Questions about the workshop should be sent to:


The following presentations from the industry day have been approved for public release.

Hewlett Packard, Inc.

Hewlett Packard Enterprise

Eclypsium, Inc.

Trusted Computing Group



Mark Boucher, Intel

Mark Boucher is the chief architect for Compute Lifecycle Assurance at Intel. He has more than 15 years of supply chain software and process experience, and has architected large-scale enterprise solutions for the past decade.


Jim Mann, Hewlett Packard, Inc.

Jim Mann is an HP Distinguished Technologist and Security Strategist in the Office of the Chief Engineer.  He leads the company’s product security quality and governance, talent management and education, serves as a key technical resource for HP business units in bringing secure products to market, and is a co-lead for HP’s Supply Chain Risk Management Compliance Function.  Mann is active in numerous industry consortia activities and private-public forums related to security, and serves on the Board of Directors and as a co-chair of the Cyber Resilient Technology Workgroup for the Trusted Computing Group.  He was also a technical contributor to NIST SP 800-147/B (now ISO 19678) and SP 800-193, was a co-author on the Open Group Trusted Technology Provider Standard (now ISO 20243), and is participating in the DHS ICT Supply Chain Risk Management Task Force.


Jon Amis, Dell Technologies, Inc.

Jon Amis is the Supply Chain Assurance Program Director for Dell Technologies, Inc. and has had responsibility for the development of the Dell program for ten years. He has served in various roles at Dell over the past 19 years within Manufacturing Engineering, Supply Chain and Logistics. Jon currently represents Dell on several key public-private partnerships and industry forums that focus on the integrity, security, and assurance aspects of supply chain risk management, including the Department of Homeland Security (DHS) Information and Communications Technology (ICT) Supply Chain Risk Management (SCRM) Task Force, The Open Group Trusted Technology Forum, the Supply Chain Risk Leadership Council (SCRLC), and the Software and Supply Chain Assurance Forum (SSCA). Jon graduated from the United States Military Academy at West Point in 1990 with a Bachelor of Science degree in Systems Engineering and went on to serve as an Infantry Platoon Leader and Executive Officer with the 101st Airborne Division. After leaving the Army, he earned a Master of Engineering degree with Highest Honors in Industrial Engineering at the University of Louisville. Prior to joining Dell, he was an engineer for FedEx Ground. Jon lives with his wife, Lori, and their two children just north of Nashville, Tennessee.


CJ Coppersmith, Hewlett Packard Enterprise

CJ Coppersmith is presently driving secure development lifecycle and maturity assessment methodology, as well as security architectural standards and compliance, and vulnerability analysis and response across HPE. Previously Coppersmith drove HPE development environment, SOA and Linux strategy for the corporation.

Coppersmith brings over 30 years in the IT industry, covering security, various aspects of development operations, and technology incubation. Coppersmith was CTO for Compaq’s Alpha Division, leading the J2EE and middleware strategy for the division. While working for Digital Equipment Corporation, he worked as the Technical Point of Contact between Digital and the National Computer Security Center, and was certified as a Vendor Security Analyst (VSA) by the Center. He led several NCSC Operating System Security Evaluations as well as leading several overall operating system releases.

Coppersmith holds Bachelor of Science degrees in Biology and Chemistry from Allegheny College and the University of Pittsburgh, respectively, and a Master of Science degree in Computer Systems Engineering from Northeastern University.


Chirag Shroff, Cisco Systems, Inc.

Chirag Shroff is a Principal Engineer with Cisco's Security and Trust Organization where Trustworthy Technologies are at the heart of his work. As principal engineer, Mr. Shroff is responsible for Trustworthy Systems architecture and technology innovation, including threat response, intelligence and engineering development that enhances the security of Cisco's product portfolio.

Mr. Shroff has held various leadership roles at Cisco as a senior technical leader and hardware manager, encompassing the fields of global government solutions engineering, hardware assurance and resilient systems architecture. During his 19 years at Cisco, he has made a tremendous impact on security engineering. Mr. Shroff is highly regarded as a trusted security partner and advisor to Cisco product teams, global government standards organizations, and worldwide key technology suppliers. His passion, talent, and dedication to innovation have resulted in several security and networking patents.

He holds a Master of Science degree in Electrical Engineering from California State University, Northridge and a Bachelor of Science degree in Computer Engineering from the Gujarat University, India.


Monty A. Forehand, Seagate Technology

Monty Forehand is Product Security Officer and Managing Technologist of the Product Security Office at Seagate, leading the security assurance of products, operations, and life-cycle across all Seagate business lines. He has held a variety of leadership positions in Embedded System Architecture, Security and VLSI Architecture, Security Portfolio Delivery, Research, Technology, and Architecture over a 29-year career at Seagate.

Forehand is a frequent industry and government speaker and a pioneer in the secure storage industry leading the delivery of the world’s first fully integrated Self Encrypting Drive (SED), and other firsts including security and Cybersecurity in all Seagate Products, Worldwide Security Standards, Certified Security Products and Certified Life-Cycle. He continues leading the proliferation of Seagate Secure, Data Security, and a Trusted Digital Life Cycle worldwide, and into the Digital Transformation, IT 4.0, and the Edge.

Forehand holds master’s and bachelor’s degrees from Oklahoma State University in electrical and computer engineering, with emphasis on artificial intelligence.  He holds 26 patents in the areas of Machine Vision, Electronics Systems, Storage Virtualization, and Embedded Security and is a two-time recipient of the Seagate Technology Hall of Fame Award along with the top technology achievement award.


John Loucaides, Eclypsium Inc.

John has an extensive history in hardware and firmware threats from experience at Intel and with the United States government. At Intel he served in Advanced Threat Research, Platform Armoring and Resiliency, and PSIRT, and was a CHIPSEC maintainer. Prior to this, he was Technical Team Lead for Specialized Platforms for the federal government. He has presented and given training on firmware security at multiple events, including DEFCON, CanSecWest, Ruxcon, and other security conferences.


Lawrence Reinert, Department of Defense

Lawrence Reinert is a senior systems engineer with the Department of Defense, actively involved with open source projects dealing with device integrity. Many of those projects have utilized the supply chain artifacts defined by the Trusted Computing Group (TCG). As a member of the Infrastructure Working Group, Lawrence has been working with the TCG to provide standards-based methods to help mitigate supply chain risk and to promote confidence in procurement.


Registration is closed.

Thank you for your interest in the event! Registration has reached capacity and is now closed.



Tuesday, September 10, 2019 8:30 a.m. – 12:30 p.m.

The NCCoE, 9700 Great Seneca Hwy, Rockville, MD 20850