The General Services Administration has identified about 200,000 products “of concern” over the past year through a supply chain risk assessment aimed at unearthing threats in the millions of products GSA offers to agencies through its marketplace.
GSA analyzed the top 20% of companies who supply 80% of the products the agency offers across the federal government, according to Sonny Hashmi, commissioner of GSA’s Federal Acquisition Service. The agency then segmented the products into high-risk categories, like industrial control systems, HVAC systems, and security cameras, Hashmi said during an April 7 event hosted by Bloomberg Government.
“GSA alone offers over 75 million products in our marketplace for the federal government,” he said. “You can’t possibly take a screwdriver to all 75 million products and disassemble them and understand the code and look at risks in their firmware and software. And so this has to be a technique or a strategy that involves machine learning, large data analysis, and consistent data collection.”
The agency worked with the identified companies to get information about their supply chains, but also used data from federal “threat intelligence,” as well as open-source information. The factors GSA considers when evaluating supply chain threats include foreign ownership, foreign sources of material and cybersecurity risks, according to Hashmi.
“This approach has already identified over 200,000 products that we have identified as of concern in our marketplace over the last year,” he said. “And by identifying those products, we can start to have the right conversations with those suppliers, manufacturers and resellers to be able to say, ‘Let’s share more information on this. We need to learn more about this.’”
After identifying the products, GSA “can take actions, like suppressing some of those products, or even taking them off our marketplace,” Hashmi said.
The GSA leader’s comments offer a rare window into some data and the details behind federal supply chain risk assessments.
Agencies, often at the prodding of Congress, have increasingly sought to conduct deeper examinations of risks in their supply chains, even before the COVID-19 pandemic made foreign dependencies a national conversation. Congress created the Federal Acquisition Security Council to oversee agency efforts, and the council just finalized its rules and processes last year.
GSA’s supply chain risk mitigation initiatives take into account the Department of Homeland Security’s 2017 ban on any products and services offered or developed by Kaspersky Labs, a Russia-based cybersecurity firm.
More recently, Congress passed a law banning the federal government and contractors from using products and services offered by several Chinese telecommunications firms, including Huawei and ZTE. The law also banned the use of security cameras and other equipment made by several Chinese companies.
Beyond national security concerns, GSA’s assessments also probe for products that are incorrectly labeled as U.S.-made, identical products offered at different price points, and unauthorized sellers.
A GSA spokeswoman said the supply chain assessment Hashmi referred to is called a “Robomod,” as it uses “data analytics and automated acquisition processes to remove products from multiple contracts at the same time.” GSA has been running Robomods for several years. In January, the agency announced it would pilot a new Robomod process to kick unauthorized sellers off GSA’s Multiple Award Schedules.
Hashmi said supply chain risk management will be a problem “for the next decade.”
“It’s not just a government problem,” he said. “When we talk about critical infrastructure providers, when we talk about telecom, we talk about cloud service providers, each one of them will need to develop this intelligence and understanding of their own supply chains.”
GSA is working with the Cybersecurity and Infrastructure Security Agency and the Defense Department, he said, to collaborate on supply chain security and share best practices. And he said agencies will go beyond just identifying concerning products by taking a risk-based approach to how they address those issues.
“If you’re going to buy a generator to support a flood victim or a FEMA relief effort, the risk inherent in the supplier of that generator and the firmware in that generator is different than if you’re going to buy a security camera that’s going to be installed in a [Sensitive Compartmented Information Facility] for monitoring,” Hashmi said. “Those are two different scenarios. And so we have to apply the lens appropriately to where the greatest risk is, and then we can apply the best effort towards that risk.”