Guest Column | June 21, 2021

Data Integrity In Supply Chain Risk Management During Zero Trust

By Kip Wolf, X-Vax Technology, @KipWolf

Our lives have changed so very much because of the global pandemic. Many have personally and professionally suffered, and many economies and businesses are forever changed. We also have been and continue to be impacted by supply chain constraints from both direct and indirect consequences of the global pandemic. Regardless of industry segment or stage of product life cycle, this phenomenon has required us to reconsider our approaches to supply chain risk management and to develop new and creative risk management strategies and tactics in response.

A Call To Action

Ironically, April 2021 marked the fourth annual National Supply Chain Integrity Month in the United States, where the Office of the Director of National Intelligence (ODNI), the Department of Defense (DoD), and other government and industry partners work to promote “a call to action for a unified effort by organizations across the country to strengthen global supply chains.”1

The U.S. National Counterintelligence and Security Center (NCSC), one of the centers coordinated under the Office of the Director of National Intelligence, “works with its partners to assess and mitigate the activities of foreign intelligence entities and other adversaries who attempt to compromise the supply chains of our government and industry.”2 The NCSC produced and published in 1Q2021 a summary document of Best Practices for Supply Chain Risk Management that includes a call to action, with recommended activities grouped into summary tasks as shown below:3

  • Obtain executive level commitment for a supply chain risk management (SCRM) program.
    • Build an integrated enterprise team.
    • Communicate across the organization.
    • Establish training and awareness programs.
  • Identify critical systems, networks, and information.
    • Exercise asset management.
    • Prioritize critical systems, networks, and information.
    • Employ migration tools.
  • Manage third party risk.
    • Conduct due diligence.
    • Incorporate SCRM requirements into contracts.
    • Monitor compliance.

The need for SCRM program sponsorship and support is now almost universally understood. And the identification and management of critical systems, networks, and information is commonplace. What we have learned from the recent pandemic is that the third-party risks require additional diligence, particularly about data integrity. The table below provides some context and a framework to help understand the shift in risk profile and data integrity focus learned from our experiences during the recent global pandemic. Two key lessons are summarized here by way of considering two pairs of ALCOA principles: Contemporaneous and Accurate and Attributable and Original.

Table 1: List of ALCOA principles and related data expectations.


Data Expectations


  • Clear identification of the system or individual that created or modified the data.


  • Permanence and readability of original data (for duration of the data life cycle).


  • Data recorded at the time of activity or event.


  • First instantiation of the data (electronically or otherwise) as supported by evidence.


  • Without error.


Lesson 1: Consider How The Principles Of “Contemporaneous” & “Accurate” Affect Scheduling

The first SCRM lesson we learned from the pandemic was that the information provided by suppliers was not accurate, if it was provided at all. Risks related to logistics and visibility of timing of shipments are greater when the accuracy of the data provided by suppliers is suspect. In the pre-pandemic times, supplier estimates were rather reliable. We were accustomed to having direct visibility of the detailed order status. We could track in near real time from order to fulfillment to shipment to receipt. However, as the pandemic developed, these data became less and less accurate as data entry also became less and less contemporaneous. Statuses along the supply chain began to languish and lack updates. Suppliers became overwhelmed with calls and emails requesting updates on orders, until, finally, they stopped responding. Shipment status went from “ordered” to an estimated time of arrival (ETA), to delayed ETA, to greatly protracted date estimates (e.g., “late 2022”), to “no ETA,” or even no response at all. We literally found ourselves at the mercy of the delivery service, waiting with anxiety to see what would show up each day.

In the end, the errors, inaccuracies, and delays in data reporting led to lagging indications of supply chain issues and failures from having to react to lost shipments. Global carriers were not immune from these types of catastrophic failures. We heard of shipments vanishing without a trace, from lost components and materials to larger volumes of drug substance just disappearing during transit without explanation. The material impact is quantifiable. The public health impact of delays in access to therapies may be immeasurable.

As a result, there is now greater focus on the accuracy and timeliness (i.e., contemporaneousness) of supply chain status data. Greater attention is paid to the supporting systems such as utilities and internet service to ensure uptime to prevent delay or loss of supply chain data capture and reporting. Greater effort is made in qualification or requalification of suppliers to ensure not only conformance to regulatory requirements but to ensure that capabilities exist to support more stringently defined supply requirements. To simply demand increased visibility and transparency is ineffective. Instead, a clear definition of data requirements and information sharing tactics is necessary for transformational change. Changes in supply chain management of risk will occur over time, but only if we are diligent about transforming the processes and remain vigilant about data integrity along the way.

Lesson 2: Consider How The Principles Of “Attributable” & “Original” May Help Prevent Counterfeit & Fraud

The second SCRM lesson we learned from the pandemic made us somewhat pessimistic. There was a great shift in economies, markets, and business opportunities. We watched as some industries suffered and may never return to pre-pandemic conditions (e.g., restaurants), while other markets expanded, not all of them legitimately.

A great rise in hoarding of materials and black-market economies placed additional strain on an already suffering global supply chain. Counterfeit materials, intermediates, and products have had economic and public health or safety implications. Blatant fraud has delayed medical services or even cost lives. We have seen large organizations and enterprises pay six or even seven figures for gloves and other personal protective equipment (PPE) that when delivered turned out to be non-sterile or not as advertised. Worse, some buyers found that the warehouses and trucks for which they paid dearly for PPE were in fact empty! Yes, this blatant fraud continues to occur, with no opportunities for recourse or restitution.

Again, data integrity principles may be part of the ultimate solution. We must demand verification of data to confirm attribution and originality. Change the ordering and acceptance criteria to include confirmation of metadata and evidence to check and double-check the authenticity of the data on which key supply chain decisions are made. And expand the scope and scale of verification beyond the immediate supplier to secondary and tertiary suppliers (e.g., to intermediates, components, or raw materials). Demand data provenance for key supply chain information both in electronic system-generated data and in human-created paper records.

A Time For Data Transformation

We must change the way we operate as individuals, organizations, corporations, and nations in this period of limited or zero trust. This is a realistic vision, not a pessimistic view. We must change the way we manage supply chain risk both quantitatively and qualitatively. We must increase quantitatively our reassessment of the risk profile(s) to perform them as often as necessary, even daily, when threats are present. We must improve qualitatively the methods employed for both supplier qualification and supply chain management, ensuring that we are probing both deep and wide into the data and metadata associated with the supply relationships and related transactions.

Transformational change is upon us. Like the tamper-resistant packaging that we are all so accustomed to because of the Tylenol murders and industry response in 1982, our supply chain risk management strategies will forever be altered by the COVID-19 pandemic to demand robust data in near real time that is fully verified through confirmation of data integrity.  


1. “Supply Chain Integrity Month | CISA.” Accessed May 24, 2021.

2. “Supply Chain Threats.” Accessed May 24, 2021.

3. National Counterintelligence and Security Center (NCSC). “Supply Chain Risk Management: Best Practices in One Page – 2021,” 1Q2021.

About The Author:

KipKip Wolf is head of technical operations and portfolio management at X-Vax Technology, Inc. His technical experience includes the fields of quality assurance and regulatory affairs, GMP and IT compliance, technical operations, and product supply. His areas of leadership expertise include business transformation, new business development, organizational change leadership, and program/project management. He has led business process management groups at Wyeth Manufacturing and at Merck Research & Development. Prior to joining X-VAX, he supported the company as a principal consultant at Tunnell Life Sciences Consulting, where he also led the data integrity practice. Wolf can be reached at