Stop Running a Toll Booth and Call It Security

Published on December 9, 2025 by Benjamin Knauss in General

What the DoD Can Teach Us About Supply Chain Risk

We need to stop pretending that securing the perimeter is enough. If your cybersecurity program in 2025 doesn’t have a dedicated, rigorous Supply Chain Risk Management (SCRM) component, you aren’t just missing a feature—you are failing at the fundamentals of defense.

To understand why, look at how the military builds a front gate.

The “UFC” Standard

The Department of Defense uses a standard called UFC 4-022-01 (Entry Control Facilities) to design base perimeters. They don’t just put up a gate and check IDs. They divide the entry point into two distinct zones:

  1. The Access Control Zone: This verifies the identity of the driver.
  2. The Inspection Area: This verifies the safety of the payload.

Most modern cybersecurity programs are obsessed with the driver and blind to the truck.

We spend millions on Identity and Access Management (IAM) to ensure the vendor is who they say they are. But once that vendor authenticates? We wave the truck right into our data center without opening the back doors.

A military sentry wouldn’t let a truck through just because the driver is a “nice guy” with a valid badge. They inspect the vehicle because trusting the identity doesn’t mitigate the risk of the explosives in the cargo.

Search as a “Condition of Entry”

In physical security (codified in regulations like AR 190-13), consenting to a vehicle search is a “Condition of Entry.” If you don’t consent to the search, you turn around. Period.

In cybersecurity, we have lost this spine.

  • The Failure: We accept “proprietary information” excuses when we ask for a Software Bill of Materials (SBOM). We accept a vague SOC2 report instead of demanding a code audit.
  • The Fix: If a vendor wants their code to run in your environment, transparency is the Condition of Entry. No SBOM? No entry. No right to audit? Turn the truck around.

Where is Your “Overwatch”?

Finally, physical gates rely on “Overwatch” positions—armed personnel with a high vantage point observing the entire transaction, ready to engage if the situation changes after the initial check.

Most security programs lack digital Overwatch for their supply chain. We vet a vendor once during procurement and then ignore them for three years. That isn’t security; that’s negligence. Real Overwatch means continuous runtime monitoring. Just because the vendor was safe when they entered doesn’t mean they haven’t been compromised since.

The Bottom Line

If you are running a program that checks IDs but ignores the cargo, you aren’t running a fortress; you’re running a toll booth. It is time to adopt a true Condition of Entry and establish Overwatch on your supply chain.
