When it comes to supply chain risks, agencies need to know when to hold ‘em, know when to fold ‘em

When it comes to supply chain risk management, the Federal Acquisition Security Council (FASC) is channeling country music superstar Kenny Rogers and his hit song The Gambler:

“You’ve got to know when to hold ’em
Know when to fold ’em
Know when to walk away
And know when to run…”

This advice for card players applies just as well to federal technology and the management of its supply chain risks. The more agencies learn about the products and services they are buying, the better they will know when to hold ’em and when to fold ’em.

“The last year and a half educated the world that every company and every country needs to care about their extended supply chain. So when we think about physical and digital IT, an effort to make a router is a physical supply chain, and at the same time, it’s digital because there is information that passes through it,” said Jennifer Bisceglie, founder and CEO of Interos, an artificial intelligence-based third-party risk management company. “If you look at the executive order coming out of the White House, I’m looking at my relationship with China, so larger trade concerns. You have concentration risk based on the lack of raw materials. And then you also have the software supply chain bill of materials that they want to get ahead of which is more of a digital supply chain.”

The Office of Management and Budget and the FASC are putting on their cowboy hats and boots to help agencies know when to walk away and when to run from risks in both their physical and digital IT supply chains. Chris DeRusha, the federal chief information security officer, told Senate lawmakers in late September that OMB and the FASC will release new guidance in the coming months to help agencies make better decisions about the risk of technology products and services.

“[The FASC] primarily is focused on supply chain risks that have a nexus to national security, foreign threats and others. There is an acute focus by the FASC to make recommendations of exclusion and removal orders for the federal government,” DeRusha said at the Sept. 28 Senate Homeland Security and Governmental Affairs Committee hearing.

Bisceglie said the FASC and other efforts, including a new cyber supply chain risk management (C-SCRM) strategic plan from the General Services Administration are part of how the government is building its supply chain risk management muscles.

An official with GSA’s Office of Governmentwide Policy said in an email to Federal News Network that the strategy focuses on addressing the agency’s cyber risks within its most important information systems and programs, and on improving the capabilities of their workforce.

“While the primary audience of the plan is directed to GSA’s internal operations, GSA has cast a wider net to socialize the plan. We have begun to communicate to both internal and external stakeholders the efforts outlined by the GSA C-SCRM plan,” the official said. “While GSA is not formally seeking feedback at this time, we recognize this is a highly evolving area, and will revise the plan as needed.”

2012 report from the Senate

For some in government, this muscle building exercise traces back nearly a decade.

In 2012, the Senate Armed Services Committee released a report on a two-year investigation that found more than 1,800 instances of suspected counterfeit parts in the Defense Department’s supply chain. Agencies have long been aware of real problems with the security of their supply chains, but have been slow to take real action. There now are more than 30 different supply chain risk management efforts under way, from the FASC to the National Institute of Standards and Technology to the Defense Department’s Cybersecurity Maturity Model Certification (CMMC) program.

DeRusha said the FASC has efforts to engage industry and other committees across Congress to address the ever-growing risks to the supply chain.

Bisceglie said supply chain risk management is well past the “hype cycle.”

“We are to the point where things need to be implemented and you are seeing that not just based on the executive orders, but the money being pushed to the Cybersecurity and Infrastructure Security Agency (CISA) and the Commerce Department to actually do something about it,” she said. “It has raised itself in priority, and the pandemic, the multiple examples of ransomware like the [Colonial Pipeline] and SolarWinds, and the problems in the Suez Canal, made this something that is being invested in and that people are responsible for.”

GSA’s strategy shows just how implementation could work at one agency. Under the Federal Acquisition Supply Chain Security Act of 2018, agencies are to establish a formal SCRM program and to conduct supply chain risk assessments. Additionally, the law requires GSA to take actions to provide better assurance that the products, services and solutions it offers and provides to its customer agencies appropriately address supply chain risks.

GSA’s efforts are focused across three strategic objectives:

  • Address GSA’s highest enterprise-level supply chain risks
  • Further mature GSA’s acquisition workforce’s awareness of and capabilities to manage supply chain risks
  • Standardize GSA’s key operational (Tier 2) C-SCRM plans

“This plan focuses on the integration of C-SCRM at GSA’s organizational (enterprise) level, discussing the core functions, roles and responsibilities, and the approach GSA will take to implement C-SCRM controls, processes, governance and compliance across the agency,” GSA stated in its strategy. “To date, GSA has taken some actions at both the enterprise and business line levels, including the creation of some Tier 2 plans. Tier 2 plans are focused on subcomponent organizations or programs within GSA (e.g., Federal Acquisition Service and the Public Building Service’s SCRM plans) and Tier 3 plans will address system-level C-SCRM controls. Both Tier 2 and Tier 3 plans will include metrics, as appropriate.”

Through this strategy, GSA says it is updating policies and running pilots to test out C-SCRM capabilities.

For instance, GSA said in March it was revising two policies, CIO-IT Security-06-30, Managing Enterprise Cybersecurity Risk, and CIO-IT Security-09-48, Security and Privacy Requirements for IT Acquisition Efforts, along with the C-SCRM incident response policy for GSA IT systems. The GSA official said the agency updated CIO-IT Security-06-30 in May and CIO-IT Security-09-48 in April.

An interim acquisition policy is making its way through the formal rulemaking process and a proposed rule is currently under OMB review and is found in GSA’s regulatory agenda under GSAR Case 2016-G511 Contractor Requirements for GSA Information Systems.

Vendor risk assessment pilot underway

GSA detailed several pilots it plans or is undertaking including one to create a “risk-based, on-demand device testing to detect potential counterfeit or compromised products,” a “vendor risk assessment tool to illuminate ICT supply chains for select critical programs” and the “software security testing technique for select software products.”

The GSA official said the agency has not yet awarded the device testing pilot to a vendor but is planning to move forward with establishing this capability.

“The vendor risk assessment tool pilot is nearing the one-year mark, and GSA plans to continue testing these tools to augment our third-party risk management related to internal GSA infrastructure,” the official said. “The software security testing pilot demonstrated that developers tend to focus more on security best practices when required to submit a software bill of materials.”

Much of the initial effort is focused on GSA’s four high-impact systems, with new requirements added as necessary.

Another focus area will be on the workforce where OGP and the Federal Acquisition Service’s Technology Transformation Service will create a C-SCRM journey map for contracting officers and other acquisition professionals.

“The journey map will also be an ongoing resource for GSA’s acquisition workforce as it will break down C-SCRM considerations during various milestones throughout the acquisition life cycle. Using a human-centered design process, the journey map will be based on insights gathered from a diverse set of GSA acquisition workforce members across service and staff offices,” the strategy stated. “GSA will leverage information identified in the journey map process and develop or identify workforce training to further invest in long-term GSA acquisition workforce SCRM skills, resulting in an acquisition workforce that is better equipped to address supply chain risks with additional training, certifications, and learning programs across function areas and program offices related to SCRM, including C-SCRM.”

Interos’ Bisceglie said it’s a positive sign that GSA has moved beyond working groups and task forces to actually take steps to secure the supply chain.

“When we move past the strategy and actually put in metrics for what success looks like, then industry will know where to invest and how best to align their efforts,” she said.
