One of the key phrases from the 2019 Federal Acquisition Supply Chain Council strategy is the single acknowledgement that “Prior to the enactment of the SECURE Technology Act [in 2018], there was no centralized construct for unifying federal supply chain risk management (SCRM) activities.”
More than three years later, it seems the effort to unify supply chain risk management efforts is struggling.
Case in point: since November, at least six agencies have issued notices or requests for information or proposals to industry seeking feedback on how to do more to protect their supply chains.
From the General Services Administration to the Army Contracting Command to the Homeland Security Department, there seems to be a broad recognition that whatever agencies are doing today, it isn’t enough.
Each of the notices seeks to address a different aspect of this challenge, but the common theme is clear: more data, more help and more of everything are needed to deal with this ever-growing challenge.
“The need for scrutiny of supply chain risk was highlighted during the 2020 cybersecurity breach where several federal government information technology (IT) systems were compromised by foreign adversaries. Initial reports believe that foreign adversaries exploited vulnerabilities in the supply chain of several widely used information and communications technology (ICT) products,” wrote the Centers for Medicare and Medicaid Services in its Jan. 28 RFI. “Although supply chain management practices are well engrained in federal acquisition policy and procedures, certain products and services require enhanced scrutiny due to significant inherent risks associated with their supply chain. Recent legislation and executive actions have also increased the necessity for enhanced scrutiny in the acquisition of ICT and electric system components.”
The most recent effort comes from the National Institute of Standards and Technology. It will release an RFI on Tuesday asking for feedback on how to update its Cybersecurity Framework, both generally and more specifically around supply chain risk management.
NIST is asking four specific questions about C-SCRM and the National Initiative for Improving Cybersecurity in Supply Chains (NIICS), which it launched last August.
Among the topics NIST is seeking feedback on are the greatest challenges to C-SCRM; possible approaches, tools, standards and guidelines; and how best to integrate these cyber efforts together.
CMS seeks data to combat threats
The other initiatives are focused on solving agency-specific problems.
CMS is looking for help internally, specifically around identifying and using capabilities that would let it mitigate potential malicious threats from code in hardware and software, as well as from counterfeit products.
“The government is interested in learning more about (1) supply chain risk due diligence information that will be provided; and (2) the tool, product or system solution used to deliver due diligence information,” the RFI stated.
GSA’s recent RFI is broader, cutting across its contracts, and connects directly back to the Federal Acquisition Security Council (FASC) efforts.
“GSA is seeking cyber supply chain information to define and incorporate cyber supply chain security control requirements in connection with proposed ICT product and/or service offerings on the GSA marketplace,” GSA stated in an RFI from last January. “The information sought in this RFI will provide guidance on establishing the level of cybersecurity supply chain risk management (C-SCRM) security control measures the GSA should require of vendors regarding the ICT products and services offerings on the GSA marketplace.”
GSA asked 11 questions in the RFI, ranging from best practices for categorizing software and hardware products to what evidence vendors should provide to validate how they are meeting C-SCRM standards, guidelines or best practices.
GSA is asking for industry responses by Feb. 28.
Counterfeit products remain a concern
This RFI continues to build on FASC efforts, some of which GSA is leading. For example, in October, GSA launched the cyber supply chain risk management acquisition community of practice (C-SCRM ACoP).
“One of the first big initiatives that the C-SCRM ACoP will take on is GSA and the Cybersecurity and Infrastructure Security Agency (CISA) co-leading an effort to work with agencies to mature the integration of C-SCRM into the acquisition process. The outcome will be increased maturity on strategy, governance, and operations based on lessons learned. We look forward to connecting with everyone from across the Federal Government as we begin this collaborative journey through our campaigns to build stronger C-SCRM acquisition programs,” the October announcement stated.
Similar themes emerged from efforts by the Army Contracting Command and the Social Security Administration.
SSA’s solicitation sought to bring in third-party expertise to provide electronic supply chain counterfeit reporting and avoidance (ERAI) services on major agency procurements.
“This solution will provide the SSA with focused and predictive insights to help certify, monitor and analyze IT suppliers, which will ultimately mitigate risk to the agency,” the RFP stated.
ACC held a symposium with industry in early December as part of its effort to “learn about supply chain initiatives for the defense industrial base, to increase transparency, resiliency and identify potential risk mitigation strategies.”
While ACC didn’t focus only on cybersecurity, its event highlighted the need to “develop policy, regulatory, legislative and investment recommendations to strengthen U.S. manufacturing capacity and the defense industrial base.”
The Department of Homeland Security didn’t go as far as issuing an RFI, but it did tell industry it would hold vendors more accountable for their cyber hygiene efforts.
Eric Hysen, the DHS chief information officer, and Paul Courtney, the DHS chief procurement officer, wrote in a Feb. 2 notice to contractors that DHS will provide a self-assessment to better understand how vendors are meeting key cybersecurity and cyber hygiene practices as a condition for contract award.
“By releasing this questionnaire to our vendors, we expect to establish a statistically viable assessment of overall cyber hygiene risk across DHS that will guide continued work towards an improved cyber posture and will aid in establishing the focus of future program development, including government-led assessments,” the notice stated. “This process is again a critical step in our progress towards maturing our cyber-supply chain risk management (C-SCRM) program and protecting the homeland.”
NDAA’s 8 supply chain provisions
These individual efforts come on top of new requirements from Congress in the Defense Authorization Act of 2022. The NDAA’s Subtitle E has eight provisions related to the Defense Department’s management of its supply chain.
Again, while many of these mandates are broader than cyber, Congress identified the need for DoD to take advantage of data and analytics tools to reduce risks in its supply chain.
To that end, the NDAA tells DoD to “develop a supply chain risk assessment framework,” which should provide a map of supply chains that supports analysis, monitoring and reporting with respect to high-risk subcontractors and risks to such supply chains.
The NDAA also calls on DoD to name an internal organization and develop milestones for the deployment of the risk assessment framework and support technologies.
“We note the potential for advanced and commercial data analytics systems and technologies to provide new capabilities to assess and analyze defense supply chains. For example, advances in decision science, commercial data analytics systems, and machine learning techniques may be applied to such an effort,” the NDAA stated. “We recommend that the Secretary of Defense consider the development of a database to integrate the current disparate data systems that contain defense supply chain information and to help provide for consistent availability, interoperability, and centralized reporting of data to support efficient mitigation and remediation of identified supply chain vulnerabilities. We note that the secretary should ensure that the systems are scalable so as to support multiple users, include robust cybersecurity capabilities, and are optimized for information-sharing and collaboration.”
It’s hard to argue against any of these efforts, whether they are CMS- or SSA-specific or cut across an entire agency’s contracts like those at GSA and DoD.
The question remains whether FASC will bring some semblance of oversight and governance to these programs, or whether it will take a thousand flowers blooming and tens of millions of dollars spent before some forcing function — as if SolarWinds wasn’t enough — brings some order to C-SCRM.