The supply chain challenges associated with the pandemic and the SolarWinds attack illustrate the national and economic security risk to the federal government’s supply chain and the need for the administration to embrace the Federal Acquisition Security Council (FASC) to meet this challenge. This challenge is especially acute for the federal government as one of the largest buying entities in the world, contracting for $681 billion of goods and services across multiple agencies and tens of thousands of contracting professionals in fiscal 2020.
There are multiple lines of effort within the government touching on supply chain security in the federal marketplace. And the administration’s recent cyber executive order (EO) on Improving the Nation’s Cybersecurity acknowledges the critical need to secure the federal marketplace by mandating updated federal acquisition rules and software bills of materials. However, these multiple lines of effort and the EO fail to acknowledge a key tool Congress provided to coordinate this effort through the FASC.
These multiple levels of effort signal a recognition of the risk, but without coordination and a unified government approach these activities will fall short. The FASC, which was established by the SECURE Technology Act of 2018 , presents an opportunity to coordinate and share information to address supply chain security risk in the federal acquisition marketplace. The FASC has authority to recommend orders to remove from existing contracts or exclude from further consideration during proposal evaluations certain goods and services of concern. The law also recognizes the FASC as an interagency forum to coordinate and share supply chain security information with the private sector and other federal stakeholders.
In 2019, the FASC agencies began implementing the law with regular meetings of agency officials. The FASC, led by Office of Management and Budget, convened agency partners to establish processes and obtain resource commitments to support the FASC’s work. It became clear early on multiple lines of effort to address supply chain issues have stretched limited resources because agencies often had trouble identifying experts to support the FASC. It was also apparent the agencies setting standards, developing threat information and doing acquisitions needed to convene to ensure coordination. The early work of the FASC also involved running table-top exercises, which highlighted information sharing challenges and gaps in how to operationalize threat information. There were instances where significant questions arose about the process and authority necessary to share classified details on companies of concern with stakeholders who could operationalize the information.
The FASC presents an opportunity for a unified federal government approach in partnership with vendors to address supply chain risk in federal acquisitions. The recent cybersecurity EO does take significant actions to address supply chain security in the federal marketplace, but it fails to acknowledge the critical role the FASC could play and existing FASC authorities.
There are a number of actions with OMB leadership that could help realize the full potential of the FASC, including more fulsome execution of authorities and tasks in the SECURE Technology Act. OMB should regularly convene the FASC, ensure agencies devote appropriate cleared resources to staff the FASC and establish timelines for considering and acting on threat information.
The FASC should vigorously use its authority to request information from agencies and share such information to carry out its functions to ensure full consideration of the threat and effective mitigation measures. This information sharing is critical to ensure parts of the government that collect threat information can share information in an actionable form for acquisition professionals. If information sharing authority is lacking OMB should prepare amendments to the SECURE Technology Act to facilitate the FASC’s work.
There should be better synergy amongst intelligence, law enforcement and acquisition focused agencies on the FASC. Agencies with threat information and developing standards should learn more from their acquisition colleagues about the federal acquisition process and the marketplace to understand what type of information and in what form such information would be most helpful to acquisition professionals to secure the supply chain. Further, the FASC should direct DHS/CISA and the General Services Administration to provide shared services to support supply chain risk assessments and common contract solutions such as machine learning analysis to support supply chain risk decision-making. We are long past static lists of prohibited entities or products that are occasionally updated.
Finally, the FASC should exercise its authority to consult and convene with other interagency councils such as the Chief Information Officers Council, the Federal Acquisition Regulatory Council and the Committee on Foreign Investment in the United States.
The FASC and agencies on it must devote resources and move forward with a bias for action and information sharing so acquisition professionals and the vendors on the front lines of the supply chain risk battle can act. Time is short for the FASC to fulfill its potential as this authority sunsets in December 2023.
Julie A. Dunne was formerly commissioner of the Federal Acquisition Service at GSA and a member of the Federal Acquisition Security Council.