Agencies are finding out quickly that there is a lot more that goes into trusting the vendors that they work with than what’s on the outside.
New tools are giving agency acquisition and cybersecurity workers something equivalent to an MRI scan of the companies they buy from.
The General Services Administration began using artificial intelligence to do pre-award assessments of vendors earlier this year. Previously, GSA focused its efforts mostly after award, which meant it was potentially exposing the government to greater risk.
Nnake Nweke, GSA’s director of cybersecurity supply chain risk management in the Office of the IT Category in the Federal Acquisition Service, said at the ATARC Mobile Summit on Aug. 29 that GSA is using several illumination tools to gain better insight, especially into the use of Chinese telecommunications products that are prohibited under Section 889.
“The counterfeit issues and their affiliates and subsidiaries that we want to get insight into, to understand exactly where they’re coming from,” he said. “There are also issues of foreign ownership and influence. So these are some of the insights that those AI-enabled illumination tools provide.”
Protecting agencies, industry alike
Nweke said the AI tools give acquisition workers mapping reports and visibility into products. The acquisition workers rely on several tools to provide the best data and information.
The goal of these pre-award reviews is to protect both agencies and industry before they get on the schedule.
“It’s a lot easier to fix problems before a company has a contract than after they get on the schedule,” he said. “We want to create a secure marketplace and ensure vendors are complying with Section 889 initially.”
Nweke added that GSA eventually will expand the pre-award audits to other requirements, such as software bills of materials or supply chain risk management plans.
Over the past year, GSA’s supply chain risk management effort has resulted in about 20 findings that helped ensure companies were complying with the prohibition against Chinese-made telecom products from Huawei and ZTE.
The initial use of these pre-award analyses was successful, so GSA plans to expand their use to other contracts and areas beyond Section 889.
GSA has been looking at post-award supply chain risks for several years. The agency said in April that it identified 200,000 products “of concern” in the federal supply chain across high-risk categories, like industrial control systems, HVAC systems and security cameras.
But because there is so much data, the key to these tools is more automation.
Brian Paap, the cyber supply chain risk management lead at the Cybersecurity and Infrastructure Security Agency in the Homeland Security Department, said there is just too much data and not enough people to fully understand the information and drive decisions.
“There really is a very shallow pool of subject matter experts out there in this area,” he said at the recent FedRAMP summit sponsored by FCW. “Because that pool is so shallow, we have to turn to automation to help us to identify risks, to reduce risk, to be able to work with vendors on what we’re finding out about in their products or their companies and be able to mitigate problems quicker, faster and communicate with other elements within our own organization. So they’re made aware of these issues with these threats faster.”
CISA is trying to address both that shallow pool of experts and the automation piece through two learning agenda efforts.
Paap said the learning efforts focused on software validation and verification and software illumination from a standards or requirements perspective.
“We want to determine when enough is enough when you have 651 capabilities,” he said at the ATARC event. “It’s crazy to think that we can have a vendor capability that will be able to meet all of those. So what makes sense? What is the nice-to-have and can we push that off? And what does the future need to look like? So how do we build a scale and build for five-to-seven years from now. That’s the approach I’d like to take moving into marketplace, leaving that extra room for growth.”
A supply chain security baseline
Paap said these learning agenda efforts will help agencies get a better picture of what supply chain risk management compliance looks like, what gaps exist in the current standards from the National Institute of Standards and Technology or other bodies, and where AI, machine learning or other technology can help.
CISA also launched another pilot effort with six CFO Act agencies. Paap said this initiative is trying to determine what it will take to develop a cyber supply chain risk management plan for headquarters and for operations, and how to make it flow down successfully.
“We developed that guide and we are rewriting it as we get new information. We provide templates, artifacts, strategic plans, roadmaps, resource guides and funding charts to help them get started on something,” Paap said. “If they can get that governance piece down and they have their strategic plan, and then they start acting on those milestones within their organization and map them down to their strategy, then they can start figuring out what type of capability they need in their mission space that is best for them to use, not just because someone came by and it looked really cool. It’s a struggle right now.”
CISA, GSA and others recognize the amount of data agencies have access to now can be overwhelming. There are companies that provide data, analysis and other services, but there are so many factors that come into play when an agency decides to work with a vendor and those factors are ever changing.
One big area of concern is purchase cards that agencies use because there is little oversight or accountability when it comes to managing supply chain risks. Agencies spend about $30 billion annually, through 100 million transactions on more than 3 million cards.
Experts say it’s easy to see how agencies could be buying counterfeit products or products infected with malware.
Demetrius Davis, a principal systems engineer for the Defense Department’s 5G cross-functional team at MITRE Corp., said there is a tension agencies need to balance: they need to buy things quickly to, say, support the warfighter, while ensuring what they are buying is secure and doesn’t introduce vulnerabilities into their systems or networks.
“We’d need to have a plan laid out. We need to have certain standards that we put down. But there’s got to be a point where we identify what’s critical, and say, ‘Okay, I really need to have high intelligence. I need to have rigor placed in this area.’ But in other areas, I’m going to have to accept some discomfort. I might have to work with a vendor that I may not know and have a long history with, and that person may have relationships with people I don’t really have a close relationship with,” Davis said. “We’re going to have to take baby steps and small iterative cycles to be able to get there, but we can’t be stagnant and wait until everything is in place, everything has been blessed and on the approved products list before we take the first step. That’s a new type of culture that we’re going to have to create, and I’m not sure how we’re going to get there. Some people are going to be uncomfortable.”