It’s always interesting to see how trends emerge in the federal market. Sometimes they come from a policy issued by the Office of Management and Budget— think Cloud first policy — and other times, they’re driven by a single office or person in the government who believes so strongly in the issue that they almost create the enthusiasm — think the General Services Administration’s excitement over blockchain or robotics.
Let me digress for a second, one vendor told me at last week’s KNOW Identity conference in Washington, D.C., that blockchain has been around for two years or more, so I fully realize GSA, or any federal agency for that matter, was really just catching up to some parts of industry.
But back to the point of the story, agencies and vendors alike should recognize when an issue comes up at nearly every conference, whether its technology or acquisition or financial management, you should pay close attention to it. Supply chain risk management is that topic for now.
Take what happened at a panel on cyber risk management at the KNOW conference, which One World Identity sponsored. Two congressional staff member emphasized the need for vendors to take real responsibility and ensure the safety of their entire supply chain. The message was clear to an audience of traditional and non-traditional federal contractors as well as agency officials, congressional interest in supply chain risk management is only increasing.
“What we are expecting from vendors, at least from our committee’s perspective, is transparency,” said Jessica Wilkerson, a professional staff member for the House Energy and Commerce Committee. “If you look back at some of the things we have been doing recently, one of the biggest ones is software bill of materials, where we are asking the Department of Health and Human Services to convene the health care sector to come up with a way to deploy software bill of materials. This is around the WannaCry incident. This is saying, essentially, if you hand me a black box, you kneecap my ability to protect myself.”
Wilkerson said HHS and the health care sector need to come up with a way to understand the technology code, the source of the code and how to patch, upgrade, secure that piece of hardware to ensure patients and healthcare providers are protected.
Nick Leiserson, the legislative director at the Office of Rep. James Langevin (D-R.I.), said lawmakers can’t sit back and trust vendors to manage their supply chains any longer against threats.
“You can see that is gradually happening in the Defense acquisition rules, the DFARS, in terms of pushing down requirements that are from the government to say, ‘We need to know about risks in your supply chain too.’ You can’t just look at something say, ‘This didn’t directly affect the network that is connected to it now, so you are fine and you don’t need to know about this,'” he said. “That, I think, there is increasing awareness in the federal government and in Congress, that this third party risk is an enormous problem.”
The Federal Communications Commission, last week, also took up the issue of supply chain.
FCC Chairman Ajit Pai issued a proposal asking telecommunications vendors to work with their suppliers to better protect their supply chains.
“Specifically, the draft Notice of Proposed Rulemaking, if adopted, would propose to bar the use of money from the FCC’s Universal Service Fund to purchase equipment or services from companies that pose a national security threat to United States communications networks or the communications supply chain,” the FCC states in its release.
The FCC will vote on this proposed rule at its April 17 meeting.
Pai said in the release that he is proposing to prohibit telecommunications providers from using money they received from the FCC’s $8.5 billion Universal Service Fund to purchase equipment or services from any company that poses a national security threat to the integrity of communications networks or their supply chains.
“The money in the Universal Service Fund comes from fees paid by the American people, and I believe that the FCC has the responsibility to ensure that this money is not spent on equipment or services that pose a threat to national security,” he said.
The concept of supply chain risk management isn’t new by any means. The National Institute of Standards and Technology issued a report in 2012. The Senate Armed Services Committee’s 2011 report on the Defense Department supply chain exposed serious problems.
But only in the last six months or so, particularly with the concerns about Kaspersky Lab and now Chinese companies, Huawei Technologies or ZTE Corp., supply chain risk management is a hot topic.
The Homeland Security Department recently announced a new initiative aimed at identifying some of the cyber defense gaps between the federal government and its contractors.
All signs point to an increased pressure on agencies and vendors to understand, be transparent and protect their supply chains.
Wilkerson said the Energy and Science Committee wrote to HHS in November asking for steps it is taking to protect medical equipment.
She said HHS has responded to the committee, which will continue to work with the department.
Leiserson said Langevin, who is the ranking member of the Armed Services Committee’s Emerging Threats and Capabilities subcommittee, said his boss is closely watching DoD’s implementation of the DFARs provisions.
“Congress has been saying, ‘We need to have a better understanding of the problem,’” Leiserson said. “Some of the IT modernization reports about shared services is really a great example of how we can look at this and not silo cyber by telling each agency to look at their piece of cyber by itself. It’s also tied to the critical infrastructure piece because there are interdependencies that we don’t understand. We can’t have something that is happening in pipelines hit the power grid and we didn’t know about it.”
Both said while nothing is specifically scheduled, vendors and agencies should expect continued oversight of supply chain.
Josh Moses, the chief of OMB’s cyber and national security unit, may have summed up the focus on supply chain risk management from a whole of government approach.
“There is a much greater responsibility on the part of the agency to have that fundamental understanding before you acquire a particular service from a vendor,” he said. “We are really pressing on that and that has been much of the public disclosure of late, and I would say from our end, expect to see more of that for the next couple of months and years.”