The Federal Acquisition Security Council put the fourth leg of the supply chain risk management stool in place last week.
The long-awaited interim rule with a request for comments adds another layer of security and requirements on agencies to address ever-increasing concerns about the technology they install into their networks or use in the cloud. The interim rule is open for comments through Nov. 2.
The FASC interim rule implements the Federal Acquisition Supply Chain Security Act of 2018, which President Donald Trump signed into law in December 2018 and which calls for the governmentwide task force to determine how it will share supply chain risk information and how it will recommend removal and exclusion orders to address risks.
Along with this interim rule, the Trump administration has initiated three other major efforts to address supply chain risks. The Cybersecurity Maturity Model Certification (CMMC) effort is just getting started with pilots in early fiscal 2021.
“Industry needs to understand that the government is taking this issue seriously and they need to comply,” said Brennan Grignon, a senior consultant at LMI and a former director of policy and outreach in the Office of Industrial Policy at the Defense Department. “A few years ago, when NIST released 800-171 and then the Defense Federal Acquisition Regulations rule, there was a bit of reluctance from industry and now with the CMMC standards, there is more structure and more conversation about what implementation would look like.”
The FASC interim rule provides more structure to oversight of the supply chain risk management process.
“The Federal Acquisition Supply Chain Security Act is a great first step on what is a global and complex issue and seems to support all four of these recommendations,” said Jennifer Bisceglie, the CEO of Interos Inc., which provides business intelligence about supply chain risks to companies and agencies. “The FASCSA comes under what we refer to as operational risk, i.e. what connections to other countries, governments or influences are a threat to our operational capabilities. This said, building a national security platform like the F-35 has much broader risks, such as smaller sub-tier suppliers having financial issues due to COVID-19 or challenges with getting the right product to the right place at the right time due to geopolitical unrest or inclement weather.”
The first part of the interim rule addresses the sharing of supply chain risk information.
“The Homeland Security Department, acting primarily through the Cybersecurity and Infrastructure Security Agency, will serve as the information sharing agency (ISA). The ISA will standardize processes and procedures for submission and dissemination of supply chain information, and will facilitate the operations of a Supply Chain Risk Management (SCRM) Task Force under the FASC,” the interim rule states. “This FASC Task Force will be comprised of designated technical experts that will assist the FASC in implementing its information sharing, risk analysis, and risk assessment functions.”
Bisceglie said the information sharing section is one of the best parts of the interim rule, particularly that the FASC named the Cybersecurity and Infrastructure Security Agency at DHS as the lead organization.
“CISA will run the task force that will establish processes for information sharing, risk analysis and risk assessment functions,” she said. “It provides for the ability to share information with the private sector or non-federal entities.”
Grignon also praised the information sharing section, saying agencies and industry must understand who is responsible for sharing each type of information: unclassified, classified and compartmented.
“There is a recognition that a lot of the risks that we are dealing with are not just dealt with by the intelligence community, but the entire federal community,” she said. “I think the rule communicates risk in such a way that is understandable by the entire government.”
Exclusion, removal processes
The second part is how removal and exclusion orders will work.
“The FASC will evaluate sources and covered articles pursuant to a common set of non-exclusive factors that are listed in this [interim rule]. Allowing for the evaluation of additional information provides the FASC with the needed flexibility to evaluate additional considerations and information on a case-by-case basis,” the interim rule states. “As part of the analysis of sources and/or covered articles, the FASC will conduct appropriate due diligence regarding the information that it is considering. This due diligence may include reviewing any information made available to the FASC; ensuring, to the extent possible, that the information is credible or that the level of confidence in the information is appropriately taken into consideration; and examining other relevant publicly-available information as necessary and appropriate. In addition, the FASC will consult with the National Institute of Standards and Technology (NIST), before recommending issuance of an exclusion or removal order, to ensure that recommended orders do not conflict with existing federal standards and guidelines.”
While experts said the process to ban or exclude a company or product is detailed well in the interim rule, there still are some concerns.
Bisceglie said the one thing the FASC needs to continually keep in mind is how interconnected the global economy is, so banning or excluding a company or product could have huge downstream impacts.
“Truly understanding the pros/cons of supply chain risk mitigation actions, and keeping them commensurate with the true risk, is the trick. The use — and sharing — of all information (publicly available, classified, supplier-provided and other customer-provided) to produce the full picture is the only way to win,” she said. “I think it’s labeled a bit broader than it really is; i.e., it’s focused on ‘threats to and vulnerabilities in information and communications technology supply chains’ and foreign influence. The threats to the supply chain are broader. This is a good start. Due diligence in coordination with industry would be desirable, since the private sector is the supply base.”
Grignon said one of her concerns about the exclusion or banning section is how long agencies or industry would have to remove the technology from their network.
“Once an organization is alerted that it has been recommended for removal or exclusion, that source has 30 days to respond. That’s not a lot of time given how complicated technology can be. The interim rule doesn’t say what that response should consist of either,” she said. “The interim rule also doesn’t provide a further timeline once the initial response is received, or what the timeline is for the mitigation process to start. Is it a year or 18 months, or on a case-by-case basis? Do companies using the technology need to have a plan, or just say we heard and will come up with a plan?”
An allowable cost?
The FASC also didn’t address the cost of mitigating these risks.
Grignon said it’s unclear whether the government will absorb these costs, similar to what DoD did with CMMC by declaring it an allowable cost.
“I think that including an annual review process for the FASC to look at the excluded or removed list allows this approach to keep pace with technology,” she said. “That was always a concern because of how technology is changing constantly.”
John Miller, the senior vice president for policy and senior counsel for the IT Industry Council, said the association applauds the FASC for ensuring the interim rule closely follows statutory procedures for sharing information and removing problematic technology from government networks.
“While ITI strongly supports the establishment of a governmentwide, risk-based process for mitigating supply chain threats, the rule needs to establish a better process for coordination between the government and industry when defining the FASC’s standard operating procedures and making exclusion recommendations,” he said. “Doing so will enable the U.S. government to draw upon industry’s intimate understanding of supply chain risks.”