The Homeland Security Department’s initiatives over the past year to address supply chain risks aren’t even close to hitting a crescendo. But the pace and volume of the drumbeat is distinctly mounting.
If the efforts to ban Kaspersky Lab, ZTE and Huawei products were just the prelude to the symphony, then the National Risk Management Center’s initial sprint topics, the business due diligence request for information and the latest effort to use the power of federal procurement are the opening sonata.
“There is a growing awareness and understanding of this issue. Our biggest challenge today is not having a national strategy around it while other countries do,” said Jennifer Bisceglie, president and CEO of Interos Solutions, which provides risk assessment services. “Until we have a national strategy, you will have pop-up policies or programs or studies, like the one from MITRE. The time is beyond here to have a national strategy.”
The White House’s National Cyber Strategy gave a brief mention to supply chain risk management, saying the government should “improve awareness of supply chain threats and reduce duplicative supply chain activities within the United States government, including by creating a supply chain risk assessment shared service.” But it offered no specific details or initiatives.
Only now are those starting to emerge through a series of DHS-led efforts.
Chris Krebs, the DHS undersecretary of NPPD, offered further insights at several events over the last few weeks, setting up bigger expectations for 2019.
The National Risk Management Center seems to be one major hub of activity for many of the supply chain initiatives.
One of the first sprints the NRMC is undertaking focuses on information and communications technology (ICT) and is run through a new task force. Krebs said the kick-off meeting is this week, where the task force will convene under the critical infrastructure partnership advisory council. He said it will be the government’s nexus for addressing supply chain risks.
A fact sheet on the task force provided by DHS details some of its initial goals and plans.
DHS said the group will “examine and develop consensus recommendations for action to address key strategic challenges to identifying and managing risk associated with the global ICT supply chain and related third-party risk.” It also will “focus on potential near- and long-term solutions to manage strategic risks through policy initiatives and opportunities for innovative public-private partnership.”
DHS formally announced plans for the task force in July. Without a doubt one major focus area in 2019 will be around reducing risk in federal acquisition.
“On the one hand, we have to make sure in the procurement cycle we are enabling the contracting officers to write the contracts the right way with cybersecurity in mind. But also as the decision process comes through it can be intelligence and threat informed so that we can knock off the bad options if and when they are presented,” Krebs said at the CyberNext conference. The event was sponsored by the Coalition for Cybersecurity Policy & Law, the Cyber Threat Alliance, and the National Security Institute at George Mason University’s Antonin Scalia School of Law in Washington on Oct. 4. “We also are looking at when [we] are in the deployment phase and something is out there, how do we operationalize what we know so if we have information about a compromise or some other sort of actions, how can we take the appropriate risk management steps to protect federal networks.”
Krebs said DHS wants to get out of reactive mode when it comes to addressing these real and potential risks. The entire situation to ban Kaspersky Lab products, which several cyber experts have said DHS and the intelligence community knew were a problem for years, required nearly a year-long effort to get the software off of federal networks, and left the government embroiled in a lawsuit.
“I don’t ever want to be in a position to have to issue a [bill of distribution] like that ever again. We want to stop those deployments from happening in the first place, so how do we operationalize intelligence, how do we get it into the procurement cycle as early as possible to write smart contracts and inform the decision makers,” Krebs said. “We must have good options on the table when [we] take bad ones off the table. One of the things the ICT task force will consider is what are those incentives to drive more trustworthy options? The federal government has a great incentive package through the procurement cycle and the power of the purse.”
The idea of writing smarter procurements is behind the request for information DHS released Aug. 17; DHS also recently made public the questions and answers from the Sept. 27 industry day.
In the RFI, DHS wants to see what capabilities exist to provide ICT information through “due diligence” research based on publicly and commercially available unclassified data.
“DHS seeks information about capabilities that address risk as a function of threat, vulnerability, likelihood, and consequences, and aggregate multiple data sets into structured archives suitable for analysis and visualization of the relationships of businesses, individuals, addresses, supply chains, and related information,” the RFI states. “The information generated through the due diligence capability will be shared between organizations and may be used in combination with other information to broadly address supply chain risks to federal, state, local, tribal and territorial governments, and critical infrastructure owners and operators.”
The General Services Administration ran a similar effort several years ago, but it didn’t get a lot of traction.
“They had several civilian agencies use it, and those that did made defendable acquisition or market decisions based on the GSA pilot. The challenge was we couldn’t get executive leadership support or get the program resourced correctly,” Bisceglie said. “There is a clear need and clear void for a due diligence program. I think DHS will see how the market has matured in four years, and then put out a larger multi-year contract for these services. It will be interesting to have a multi-year program that is shared between DHS, GSA, NASA SEWP, the National Institutes of Health’s acquisition organization and others. That would get a lot of the large IT acquisition buying under one program where you could collect once and share often.”
DHS said in the questions and answers that it has not yet determined if there will be a solicitation in 2019.
“The Commerce, Justice, and Science Appropriations Act has a requirement that certain agencies (e.g. Commerce, Justice, NASA and National Science Foundation) conduct supply chain risk assessments for all of their FIPS high and moderate IT purchases. DHS is engaged with these stakeholders and reached out to them for help when drafting the RFI,” DHS states in its answers. “There is no way to ingest all data feeds but the desired outcome is to improve awareness. DHS wants to be able to calibrate the risk assessment to the risk tolerance of the end user/company.”
DHS said one less rigorous example of this type of effort already in place is with the continuous diagnostics and mitigation (CDM) program. In August 2017, DHS and GSA updated the CDM cyber supply chain risk management plan, requiring vendors to answer some basic questions related to manufacturing and tracking of the product before being added to the approved products list.
DHS states that it is working with agencies this year to discover “actionable information” that would be shared across government.
“For each risk indicator, we need to figure out what the appropriate shelf life is. Continuous data monitoring will also have an impact. Veracity: we want data from an authoritative source,” DHS states.
Both the business due diligence RFI and the NRMC supply chain sprint tie back to the National Cyber Strategy. In that document, the White House makes a specific point of saying DHS will have greater insight into and oversight of contractor systems from a cyber perspective if those systems hold federal data, particularly high value assets.
Krebs said that while it is still too early to determine the exact direction of this effort, there are several open questions and facets to it.
“This is a longer term cycle that we have to look at: whether GSA has the appropriate authorities? Do we have the appropriate authorities under FISMA? Do we need other federal acquisition authorities to ensure the supply chain is secure? We have a suite of tools [and] capabilities at NPPD, things like cyber hygiene scanning, things like Automated Indicator Sharing (AIS), so what sort of umbrella can we extend across the contractor base, particularly those who touch high value assets,” Krebs said. “Alternatively, what are the security outcomes we really want to achieve through contracting and we expect of our contractors, not just in the first tier but second, third and fourth tier, and how do they attest to that. There is a lot more to come here. This is a significant opportunity space.”
It’s been over a year since agencies, and DHS more specifically, started to apply a much finer and public focus on supply chain risks. The signs are clear from the White House, from DHS and from Congress that contractors and agencies can no longer be passive participants in this effort.