The White House and House Homeland Security Committee members are developing new legislation to add more rigor to how agencies oversee the technology they buy and use.
The Trump administration sent a legislative proposal to the Hill on Tuesday, which recommends giving every civilian agency the same authorities Congress gave the Defense Department in 2011 to better manage its supply chain.
The proposal, called the Federal Information Technology Supply Chain Risk Management Improvement Act of 2018, would do several things, including establishing a Federal IT Acquisition Security Council and a Critical IT Supply Chain Risk Evaluation Board, and providing agencies with authorities to mitigate supply chain risks when buying technology products and services.
At the same time, committee lawmakers are working on similar legislation to bring all agencies up to the same level as DoD and the intelligence community.
“The proposal seeks to strengthen SCRM efforts across the government, enhance information sharing, and harden the federal procurement process to identify and mitigate threats,” said Rep. Peter King (R-N.Y.), chairman of the Counterterrorism and Intelligence Subcommittee, during today’s hearing. “As a national security agency, it is vital that the Homeland Security Department also have robust supply chain risk management practices and tools to identify, mitigate and remove potential threats to its systems and contracts. In addition to reviewing the OMB proposal, both subcommittees are working on specific legislation to provide DHS with similar SCRM authorities to DoD. At the end of the day, the ability of any agency to address supply chain risk survives on a robust intelligence framework.”
Congress passed Section 806 in the 2011 Defense Authorization bill, requiring the Secretary of Defense to reduce supply chain risk by establishing qualification requirements for vendors and/or products, providing for the consideration of supply chain risk as a significant evaluation factor in certain solicitations, and excluding a particular source from consideration where necessary to avoid an unacceptable supply chain risk.
King said after the hearing that the committee had started looking at expanding these authorities to all of government, and the White House came to them with its support and the possibility of writing a legislative proposal.
“I know the White House is going to issue regulations which could cover a lot of what we are doing with our version of 806,” King said. “We will try to move it as quickly as possible.”
King added that the committee is coordinating with the White House to ensure everyone is on the same page.
Jeanette Manfra, the assistant secretary in the Office of Cybersecurity and Communications in the National Protection and Programs Directorate at DHS, said the administration is moving forward with several initiatives.
She said OMB is establishing a strategic statutory framework to protect the federal supply chain by conducting supply chain risk assessments, creating mechanisms for sharing supply chain information, and establishing exclusion authorities—both within agencies and in a centralized manner—to be utilized when justified.
All of these efforts are coming about a year after the Committee on National Security Systems released a new supply chain risk management policy to establish “an integrated, organizationwide cybersecurity risk management program to achieve and maintain an acceptable level of cybersecurity risk for organizations that own, operate or maintain national security systems.”
And they build on the recent report from the U.S. China Commission detailing that the threat from China and other countries is not only real, but that agencies are already in trouble.
Both Congress and the administration have been ramping up their focus on threats to agencies and to private sector critical infrastructure providers.
The White House proposal, obtained by Federal News Radio, broadens the effort. The draft bill outlines the functions and members of the IT acquisition security council. It would include the Office of Management and Budget, DHS, the General Services Administration, the National Institute of Standards and Technology and the Defense Department.
The council would identify and recommend NIST develop supply chain risk management standards, guidelines and practices for agencies to use when “assessing and developing mitigation strategies to address supply chain risks, particularly in the acquisition and use of” technology and communications products and services.
The group also would identify or develop criteria for sharing information about supply chain risks with public and private sector partners.
Additionally, the council would determine whether a governmentwide shared service for conducting risk assessments, validating products and/or supporting mitigation activities would make sense. It also would decide whether there are common contract solutions to support supply chain risk management activities, such as subscription services or machine-learning-enhanced analysis applications.
The proposal also would give additional responsibilities to agency leaders to assess supply chain risks and avoid, mitigate, accept or transfer that risk as appropriate.
“Supply chain risk assessments shall be prioritized based on the criticality of the mission, system, component, service or asset,” the legislation states.
Meanwhile, the White House wants the Critical IT Supply Chain Risk Evaluation Board to take a broader perspective on the removal or exclusion of vendors whom the board determines are a risk to agencies.
DHS officials testifying before the subcommittees supported the goal of extending the DoD’s authorities across the government.
Dr. John Zangardi, the DHS chief information officer, said the need for this type of capability is important.
“Having the ability to react swiftly, to make the right decisions with removal of network or IT systems that are threatening is very important for us in carrying out our mission,” he said. “My team will do the technical assessment and talk very closely with the chief procurement officer to make sure the lines of communication and what we are doing is very clear and understandable.”
Soraya Correa, the DHS chief procurement officer, said that, having reviewed the latest legislative proposal, she would determine how to train contracting officers and other acquisition staff and issue immediate guidelines and instructions to DHS and private sector partners.
Manfra said DHS also has been working with DoD, the intelligence community and other agencies on a cyber supply chain risk management (C-SCRM) initiative to centralize efforts to address risks to agencies, critical infrastructure owners and operators, and state, local, tribal and territorial governments.
“The mission of the C-SCRM initiative is to identify, assess, prevent and mitigate risks associated with information and communications technologies product and service supply chains throughout the lifecycle,” she said. “Initially this initiative will focus on identifying and addressing supply chain risks related to the federal government’s high-value assets (HVAs), or those assets, federal information systems, information and data for which unauthorized access, use, disclosure, disruption, modification or destruction could cause a significant impact to U.S. national security interests, foreign relations, the economy, or to the public confidence, civil liberties, or public health and safety of the American people.”
Manfra said the program currently only has two full-time people, but with new funding she expects to increase the staff and capabilities of the office over the next two years.
DHS and GSA also are attempting to “bridge the gap between the procurement and ICT professional by providing acquisition professionals with awareness, training and educational content to be available through the Federal Acquisition Institute.”