A law known as the Federal Acquisition Supply Chain Security Act aims to reduce the potential for damage from cybersecurity threats. The White House interim final rules for agencies came out in September. Now industry has weighed in. And for one view, Federal Drive with Tom Temin turned to the Senior Vice President for Policy at the Information Technology Industry Council, Gordon Bitko.
Tom Temin: Gordon, good to have you back.
Gordon Bitko: Always great to be here with you.
Tom Temin: Now, the whole field of supply chain security, supply chain assurance is kind of incoherent because of so many initiatives going on: the Chinese equipment initiative, the cybersecurity model maturity initiative. And then there is also the Federal Acquisition Supply Chain Security Act. So tell us where these rules fit into the whole picture. I guess these rules were first issued in September.
Gordon Bitko: These rules weren’t issued in September; the act itself goes back to the Federal Acquisition Supply Chain Security Act of 2018. And it took some time for the rule to come out, Tom. As to where they fit into the whole picture, that’s actually the key question here. There are many, many different pieces of supply chain regulations, policies, legislation, and it’s a very confusing landscape. In fact, you can look, Tom, at the Cyber Solarium Commission, who just put out a supply chain specific addendum. And one of the explicit things that they called for is for all the different government agencies, and different folks who were involved in the process of doing supply chain work, to figure out some ways to streamline all this. Everybody recognizes that the need is real, that there are actual risks and threats that need to be addressed. But at the same time, the proliferation of all of these different regimes makes figuring out how to do it effectively a real challenge. All that being said, if the FASC is done correctly, it’s a very good approach. It’s a very broad approach. It looks at risk. It’s interagency, it calls for engagement between industry and the government, between public and private. So when you take those things together, it has the potential to be the core essential framework for how the government should be thinking about managing supply chain risk, but they have to think about how to integrate it and all these other pieces to it.
Tom Temin: And so you have the congressionally chartered Cyberspace Solarium Commission, also weighing in with lots of topics on supply chain. And I guess what ITIC is saying, what your group is saying, is let’s start with the Federal Acquisition Security Council. The FASC seems to be the place where maybe all of these different initiatives could be coordinated and made into a little bit more coherent structure that’s facing the industry, correct?
Gordon Bitko: Absolutely, Tom, what we would like to see is because the FASC does call for a task force across government and for public-private cooperation, and it adopts a risk-based approach. So it has in its core the things that we think are necessary to be successful. And it is something that allows each agency to make decisions within the context of this broader framework, to make their own decisions, to do them under the umbrella of an overall more coherent structure. So industry doesn’t have to figure out separately what the process is and how to work with the Department of Defense differently from Homeland Security, or the Department of Justice, or pick an agency. There’s an overall framework that this offers, which allows for a much more efficient and effective approach. The other thing I think that’s important about this approach versus some of the others is the nature of threats evolves and changes constantly. And for the government to address those and to keep up with those means they need an adaptive framework. Some of the other regulations, section 889 is a good example. They’re very rigid. They rely on naming a particular company or a set of companies who are perceived to be the bad actors. And nobody’s questioning that in that particular case. But what happens when that changes? What happens if there’s a new list of entities who were identified? And do we want an approach where every time something like that happens, we need new statutory authority to require replacing a particular entity? Or can we leverage a process like this, which has the potential, if it’s done effectively, to be much more responsive, to be much more adaptive to those threats as they do evolve? And I think another really important point there, Tom, is it’ll allow government agencies and industry to be focused on the importance of competitiveness.
If you’re focused entirely on ‘we’re not allowed to use this one company,’ the government procurement folks are going to spend a lot of time thinking about how do we get rid of that; that’s all they’re going to be worried about. If they’ve got a risk-based approach, though, which is what the FASC allows for, then you can spend more time thinking about what are the tradeoffs? What are the pros and cons? How do I minimize the risk of using this particular company? Is it so severe that we have to pull them out? Or is it something that’s acceptable, and we can spend more on getting better capabilities to our end users, to the people on the mission side of our agencies who might need these products?
Tom Temin: Got it. We’re speaking with Gordon Bitko. He’s Vice President for Policy at the Information Technology Industry Council. And I wanted to discuss the issue of data sharing, information sharing. And this has been something the government has sought to figure out really since 9/11. And Homeland Security has a big apparatus now in place, since the inception of the department, to have vertical data sharing between industries, sectors, and the Homeland Security Department. And you’ve got some ideas for data sharing in your recommendations.
Gordon Bitko: We do, Tom. That’s right. The core of it is absolutely some of the work that DHS has done where there is an existing supply chain task force. And that is an interagency and public-private cooperative organization that has helped think through what a lot of the risk models are, and how those can be applied effectively, and how information can flow back and forth. As I was noting earlier, threats change quickly, the risks change. And so that information flow, and having it streamlined and efficient between government agencies, within government, and to private industry is really important. What we would really like to see is to build on the supply chain task force that’s existed, and to instantiate something like that as a more permanent solution. The law actually calls for public-private cooperation as one of its requirements; it says that there is a requirement to engage between government and the private sector and other non-governmental stakeholders in performing the requirements of understanding the risks, and making sure that that information is propagated across all the stakeholders. So it’s a requirement in the underlying act that is the basis for the rules that we’re discussing now.
Tom Temin: And statutes also come with the sanctions if a statute is violated in some way. And I think a lot of companies have been worried, what happens if they miss something that should not be in their supply chain? That’s proscribed by law? And then it’s discovered? Are they False Claims Act violators then? Or are they simply violating the spirit of the statute? And so a couple of your recommendations have to do with due process and possible sanctions for companies that may inadvertently run afoul of some of these regulations. What are your thoughts there?
Gordon Bitko: I think that’s a really important point to elaborate on a little bit, Tom. So I’m glad you brought it up. What we’re really asking for here is just clarity on how those things are going to be done. What is the timeline if a particular company or product is excluded for a particular reason? How long do companies have to respond? How long is the review period going to be? Is there the opportunity for an appeal? All those things, I think, just in the natural course of as rules like this are developed, this is so complex, those things take time and people are going to have to work through them. So what we’re asking for is just to not lose visibility of the importance of those issues. And to make sure, like you said, a lot of the time, it’s not an intentional violation, it’s not a False Claims Act, it’s something changed, there was a new update, a new risk was identified, a new product was identified that’s to be excluded. And there needs to be the opportunity to respond to some of these things. Sometimes it’s going to be easy; sometimes it’s going to be a product or service that’s really instrumental to the way the company does business or the way they provide business to the government. And that’s going to take a lot more time to respond to. So all we’re really just asking for here is, as you described it, due process about how those things are done, and clarity about what the processes are going to be.
Tom Temin: And the related issue, of course, is risk management on the part of both sides, including the government. And you’ve asked to clarify that; I think the example that comes up is, well, if you have Chinese equipment, where in your structure of your corporation is it? If it’s a piece of equipment controlling the parking lot gate, that’s something different than a piece of equipment controlling communications in systems that contain government related data.
Gordon Bitko: Right. That’s one of the things that we like about this framework, it allows for a risk-based approach, as opposed to, like I mentioned, section 889, which is very rigid if you use Huawei equipment. And there’s still some lack of clarity there about what use means. But it doesn’t really allow for this more adaptive, risk-based approach. And the example you gave, Tom, it’s great. You can imagine a camera or sensor or a network device that in the wrong place is incredibly sensitive, and potentially the consequences could be very high. But if, like you said, all it’s doing is controlling some basic function that’s not connected to the internet, it doesn’t share data, you could still envision some scenario where there’s risk there. But it’s so much smaller that it’s a reasonable question to ask about what the appropriate step is to mitigate that risk compared to the cost of ripping it out and replacing it with something else.
Tom Temin: And finally, we have these rules that came out as interim final, which means that they came out, and they were therefore in effect, but being interim, they can still be modified. What are the prospects there for changing them or getting listened to so that they get a subsequent set of interim rules?
Gordon Bitko: I don’t know that I can tell you exactly what the prospects are for them to be modified. But the fact of the matter that they were posted as interim rules means that the government understands that there needs to be a feedback mechanism and process from the private sector, from industry, from affected parties. It is a little bit of a source of frustration that many of these key rules, like this one or the section 889 rules, rather than coming out as proposed rules, where there could be feedback and discussion between all the affected parties before they go into effect, they’re coming out as interim rules scheduled to go into effect already. And then they have to be modified because, of course, there’s going to be cost to implementing the interim rules. And if there are changes, somebody’s going to have to pay for that as well. So it’s a suboptimal way to do it. It’s better that they do them as interim rules and allow for feedback than not allow for feedback at all, of course, but in the ideal world, they would come out as proposed rules. And there would be more of that dialogue back and forth between industry and government even before we get to the actual rule.
Tom Temin: Gordon Bitko is vice president for policy at the Information Technology Industry Council. Thanks so much for joining me.
Gordon Bitko: Pleasure to be with you, as always.