The Federal Acquisition Security Council is “on the cusp” of holding its first meeting with agencies, and will work closely with the Department of Homeland Security’s National Risk Management Center, according to its director.
NRMC Director Bob Kolasky, speaking Wednesday at an ACT-IAC panel in Washington, said the council consists of senior agency leadership at the director or undersecretary level from more than half a dozen agencies.
“It requires each agency to elevate the importance they take in managing their own supply chain while working together,” Kolasky said.
The council will put together a strategic plan consisting of a list of government initiatives to reduce federal supply chain risk, as well as a “combined information-sharing environment” that acquisition officials can reference during the procurement process.
“It will be hopefully something that’s available across the government in a way that enables consistent decision-making,” Kolasky said.
The Office of Management and Budget will chair the security council, which will include representatives from:
The General Services Administration,
DHS, including the Cybersecurity and Infrastructure Security Agency,
The Office of the Director of National Intelligence, including the National Counterintelligence and Security Center,
The Justice Department, including the FBI,
The Department of Defense, including the National Security Agency, and
The Department of Commerce, including the National Institute of Standards and Technology.
The council looks to develop policies and processes for agencies to use when purchasing IT products from commercial vendors.
“It gives a nice synergy to as we go take steps, arrange our governance and planning to elevate our level of supply chain risk management … working alongside the industry for the purposes of information sharing,” Kolasky said.
The executive committee of the ICT supply chain task force held its first meeting in November. The full 60-member committee includes 20 members from government, the IT sector and the communications sector.
Daniel Kroese, the associate director of the NRMC, said the full task force held a meeting on Monday.
“I think we all appreciate the fact that every meeting we have more momentum comes out of it,” Kroese said.
John Miller, the task force’s co-lead and vice president for policy and law at the Information Technology Industry Council, said the task force has attracted plenty of interest from private-sector partners.
“A lot of people really see this as an opportunity to make real progress on what I think everyone agrees is not only [an] important issue, but a really complex issue,” Miller said. “We actually had too many volunteers for the task force, so we were in the position of having to basically turn people away.”
When NRMC launched last summer, it began by strengthening cybersecurity information-sharing partnerships in three sectors: finance, telecommunications and energy.
However, the center aims to take a closer look at the 16 critical infrastructure sectors DHS has identified.
“For critical infrastructure organizations to learn and understand, to take guidance, to share information around how to manage risk better in this evolving threat environment is extraordinarily important,” said Robert Mayer, another co-lead on the supply chain task force and senior vice president for cybersecurity at the U.S. Telecom Association.