One of the last things Grant Schneider did before he left his role as the federal chief information security officer in August was meet the requirement to submit the strategic plan and charter for the Federal Acquisition Security Council to Congress.
It’s always an accomplishment to get agencies to agree on goals, milestones and plans no matter the topic. As I’m sure you’ve heard before, bring 10 people around the table and you’ll get 15 opinions.
The FASC, which Congress created as part of the Secure Technology Act, comes alive at a critical time in the supply chain risk management discussion. After several years of poking the snake with a stick, agencies finally are doing something about the serpent that lies in the weeds waiting to strike.
The fact that the FASC turned concepts and ideas into a real strategy is an important first step toward finally getting control of a snake population that seemed to be growing out of control and eating the native species.
The FASC strategic plan pointed out that before the Secure Technology Act there was “no centralized construct for unifying federal supply chain risk management (SCRM) activities,” and that the act now “mandates the development of uniform criteria for SCRM programs to increase capabilities to address supply chain risk across all agencies.”
The council’s strategy is based on three pillars:
Standards, guidelines and practices for federal SCRM programs,
Information sharing, and
Each pillar includes several statutory mandates and strategic activities to implement those requirements.
For instance, under the standards, guidelines and practices pillar, the FASC wants to raise the maturity level of SCRM practices across all agencies.
“The FASC will assist departments and agencies in strengthening their respective SCRM strategies and implementation plans by identifying common initiatives, standards, guidelines, processes and proven practices implementable by all organizations. NIST, as a member of the FASC, will develop standards and guidelines to address any identified gaps,” the strategic plan stated. “Central to an effective implementation plan is raising awareness among all executive agencies, especially among those senior leaders, acquisition officials, and program teams who are accountable to implement SCRM across their organizations. Achieving measurable improvements in the capacity of executive agencies to meet their legislatively mandated SCRM responsibilities will depend heavily upon establishing governmentwide tools and shared understanding to transform independent activities into a synchronized ecosystem. Common initiatives, standards, best practices and processes are key to a successful transformation and improved risk management by all stakeholders.”
Category management efforts underway
Under each strategic activity, the FASC will take on specific actions to address supply chain challenges.
The council in September completed its first major action by releasing a long-awaited interim rule. The acquisition regulation, which is open for comments through Nov. 2, implements the Federal Acquisition Supply Chain Security Act of 2018, which President Donald Trump signed into law in December 2018. That law called for the governmentwide council to determine how it will share supply chain risk information and how it will recommend removal and exclusion orders to address risks.
Another example of a short-term goal is to use category management to address risks. The council will work with the governmentwide IT category manager within the General Services Administration to develop the governmentwide acquisition approach for addressing supply chain threats and risks, both centrally and by individual agencies.
In some ways, GSA already is working toward that goal.
Kelley Artz, the supply chain risk management technical lead in the Office of Policy and Compliance at GSA’s Federal Acquisition Service, said her office plans to create a supply chain framework that will run across all agency-run contracting vehicles based on the National Institute of Standards and Technology Special Publication 800-161.
“We look at all those business offerings and then overlay what NIST 800-161 is. Then I also incorporated elements of Committee on National Security Systems (CNSS) 505, which was designed to be supply chain risk management guidance for national security systems. I had to think through what that did at the national security level and bring it to a civilian agency level, just in concept. Of course, the NIST IR 8179 was useful as well,” said Artz during the recent GSA IT Security day. “I synthesized that information and created the FAS organizational-level SCRM plan. It’s really based on the template in 800-161, but I adapted it because we are an acquisition service organization.”
Artz said FAS also created a mission-level plan to detail its approach when the FASC recommends removal of specific products or services.
GSA also set up an agencywide supply chain risk management review board, which includes legal, policy, acquisition, technology and other experts.
“We not only have cross-disciplinary functions but it also represents all of GSA as an enterprise. We discuss supply chain risk management questions, particularly related to Section 889 in that group,” Artz said. “The focus is to support our acquisition workforce and provide transparency across the enterprise about how we are implementing [Section] 889.”
GSA is but one of several agencies setting up governance bodies and processes to share information. Shon Lyublanovits, the senior advisor for cybersecurity in GSA’s Office of IT Category, said one of the most important steps GSA has taken was to create SCRM champions across the agency to build awareness.
“We are bringing together people you can educate, empower and help enforce supply chain risk management within your organization. This is not a space we can do in silos or with one person. Being able to have champions to spread the word and see things that we may not have the ability to see from our vantage point is hugely important,” she said. “If we don’t have strong acquisition compliance, if we don’t have strong acquisition strategy, our ability to move the needle forward in supply chain risk management will be deeply hindered.”
State Department seeks discovery tools
Outside of acquisition, agencies are looking to use data to drive decisions.
The State Department recently issued a request for information looking for an industry tool to help with the discovery and awareness of supply chain risks and to provide information alerts.
State said in the RFI it needs to:
Maximize the likelihood that DOS can obtain, maintain, and retain total situational awareness of global supply chain related events before, during, and after they unfold.
Maximize our ability to quickly verify or validate the credibility of a source, author, and online information.
Minimize the time and effort required to discover relevant and impactful information (and filter-out irrelevant information) regarding global supply chains.
Maximize the accuracy of machine-translated content originally written in a foreign language and maximize the number of languages translated.
Minimize the time to recognize, summarize, and disseminate relevant information to targeted internal audience(s).
Maximize our confidence level that our supply chain is free of bad actors.
The Office of the Director of National Intelligence and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency have been at the forefront of this SCRM effort over the past few years, detailing best practices, highlighting threats and taking actions against companies such as Huawei, ZTE and Kaspersky Lab.
In 2019, CISA issued a 20-page briefing about current and future efforts to secure the federal civilian supply chain.
ODNI, meanwhile, earlier this year issued a six-page document highlighting three focus areas it will key on to reduce supply chain risks.
Other agencies, such as the Defense Logistics Agency, the National Nuclear Security Administration and many others, have individual programs and processes to address SCRM within their own organizations.
Legislative, regulatory, policy recommendations
This is why the FASC strategy matters: it can bring all of these efforts together around a common set of goals.
“[T]he FASC will begin to implement the strategic activities for each pillar. In support of this implementation activity, the FASC has designated a FASC working group with representatives from each department and agency represented on the council, and will bring in support from other departments and agencies as appropriate,” the strategic plan stated. “The working group will assess each strategic activity and determine supporting activities and levels of effort required for implementation. The FASC will continue to collaborate across the government to ensure that each strategic activity is implemented across the federal enterprise.”
Additionally, the FASC will make legislative, regulatory or policy recommendations to further improve information and communications technology (ICT) supply chain risk management.
Lisa Barr, the FASC project lead, said at the GSA IT security event that over the next several months an interagency working group will begin looking at shared services and common contracts.
“There is a subgroup looking at what are the business needs across the federal enterprise, in terms of what’s really needed for SCRM, where are there gaps, where are tools and capabilities needed?” she said. “Over the course of the next several months, there will be a good set of requirements, and I use that term loosely, the business needs of the federal enterprise and how can those gaps be closed? We will work with GSA to say is it a common contract solution we need to put in place, or working with OMB to figure out if we need a shared service to do risk assessments?”