The National Counterintelligence and Security Center is taking advantage of a moment when agencies and policymakers are more attuned to cyber supply chain security concerns, as intelligence officials work through avenues like the Federal Acquisition Security Council to identify potential technology risks.
The 2020 National Defense Authorization Act established a Supply Chain and Counterintelligence Risk Management Task Force to share sensitive information with the federal acquisition community. The task force is chaired by the director of the NCSC.
Jeanette McMillian, assistant director for supply chain and cyber at the NCSC, says the task force has been crucial in helping inform agencies’ “risk calculus” for what they buy.
“We’re not making the decisions,” she said. “We’re just making sure that whatever decision is made is indeed informed with the most information that we have at our fingertips at the time.”
McMillian said the task force’s primary avenue for sharing information has been the Federal Acquisition Security Council, which is led by the White House Office of Management and Budget, and is charged with coordinating interagency policy on cyber supply chain threats.
“If we can go to one council, we’re kind of hitting all the right angles with regards to making sure that that information is provided in a timely manner,” she said. “And we’ve also been able to participate in a lot of other initiatives by the Department of Commerce, the Department of Energy, as they’re filling out their supply chain roles. And [the Department of Homeland Security], especially with regards to some of the cybersecurity risk information that they’ve been able to produce for some of their outreach to cyber defenders.”
The SECURE Technology Act, which created the FASC, also required agencies to set up supply chain risk management programs. McMillian says her directorate is there to provide those agencies with the supply chain risk information the intelligence community has on hand.
“There’s that balance of risk there where we believe that we can provide that information, especially when departments and agencies have been eating their vegetables, if you will, and have done the hard work of doing supply chain risk management and understanding where their risk appetite happens to be,” she said.
Agencies and lawmakers have taken action to exclude certain vendors from federal supply chains. First, DHS banned Kaspersky products from agency information systems in 2017 due to the cybersecurity company’s alleged connections with Russian security services.
And then, Section 889 of the 2019 NDAA famously barred five Chinese telecommunications and video surveillance suppliers (Huawei, ZTE, Hytera, Hikvision and Dahua) from federal procurement, and later from contractors’ own systems as well.
The FASC has also been granted the authority to recommend removal and exclusion orders, which can be issued by DHS, the Defense Department or the Director of National Intelligence to eliminate companies or products deemed too risky from the federal supply chain. But so far, the council has yet to wield those powers.
McMillian says the council has been focused on understanding the risk tolerance across the federal enterprise, and how agencies may be mitigating concerns depending on their individual requirements.
“Those are the folks that understand those systems,” she said. “They understand their mission and they understand what things they need to bring into their environment and at what time. But having that information, and making sure that it’s passed on to those federal agencies making those decisions every day is what’s critical to us within the National Counterintelligence and Security Center.”
Meanwhile, in June, President Joe Biden signed the Supply Chain Security Training Act, which requires the General Services Administration to create a standard supply chain security training program for federal employees in charge of procurement decisions.
McMillian says pushing more supply chain security training to acquisition officials and others is a big focus area for her directorate as well.
“We just want to make sure that people understand that supply chains are global, they are going to remain global,” she said. “So they need to make sure that they have a focus on what is in their supply chain and where it’s coming from. They also need to understand that they may not know exactly where their third party producers and suppliers and developers are bringing in that information. And those third parties can introduce some risks that they need to fully understand before they sign up.”